Looks Like the FTC Is Ramping up for Enforcement of Health Apps

Looks Like the FTC Is Ramping up for Enforcement of Health Apps

by | Jul 24, 2020 | , ,

This past Tuesday the FTC hosted its 5th annual PrivacyCon. It was a GREAT event!  The full-day event covered a wide-range of cutting edge and titillating issues concerning the privacy of data in this day and age of rapidly accelerating technology.  However, it was the morning session which covered Health Apps that interested me the most. In his opening remarks, the Director of FTC’s Bureau of Consumer Protection, Andrew Smith, came out-of-the-gate pointing out that earlier this year HHS issued rules that will make it easier for consumers to access their medical records through the app of their choice, and while this expanded access to health information can be an enormous benefit to consumers – wherever data flow opportunities increase, the opportunities for data compromise increase as well. Director Smith concluded his opening remarks by stating “We at the FTC will not hesitate to take action when companies misrepresent what they are doing with consumers’ health information or otherwise put health data at undue risk . . .” Here is what I learned from the four-person panel of experts who discussed the ins-and-outs of Health Apps and potential direction of the FTC will take with enforcement.

read more
Don’t Wait to Understand How “FHIR” Will Transform Health Information Exchange, or You’ll Feel the Heat When it Ignites!

Don’t Wait to Understand How “FHIR” Will Transform Health Information Exchange, or You’ll Feel the Heat When it Ignites!

by | Jul 14, 2020 | , ,

CMS & ONC have promulgated their Final Rules to implement the 21st Century Cures Act. A main goal is to accelerate the access, exchange and use of electronic health information (EHI).  One way this is being accomplished is to require certain entities and actors to provide Application Programming Interfaces (APIs) that use a new standard for data access and exchange called Fast Healthcare Interoperability Resources (aka “FHIR”).  These new standards for adopting FHIR for information exchange is expected to exponentially accelerate individuals ability to access and share EHI through mobile apps, as well as allow any third-party adopting such FHIR standards to obtain access to such EHI. Especially for HIPAA Privacy Officers, Security Officers, Compliance Officers and attorneys who have for years focused on ensuring that their organizations do not make the mistake of releasing protected health information to a third-party in violation of federal or state privacy and security laws, I feel your pain on FHIR! 

read more
You Should Know Your Affirmative Defenses if OCR Investigates You for HIPAA Violations

You Should Know Your Affirmative Defenses if OCR Investigates You for HIPAA Violations

by | Jul 9, 2020 | ,

The HIPAA Enforcement Rule prevents the Secretary/OCR from assessing civil monetary penalties (CMP) against a covered entity or business associate if an Affirmative Defense can be established. A HIPAA violation that is corrected within 30 days of discovery can potentially insulate an organization from CMPs, provided certain requirements are met. But an organization has to make sure that it fits squarely within the requirements of these regulatory defenses to be fully insulated.

read more
Don’t Miss CMS’s Engagement Calls for Ongoing COVID-19 Developments

Don’t Miss CMS’s Engagement Calls for Ongoing COVID-19 Developments

by | Jul 6, 2020 | ,

Need access to current information about COVID-19 and Medicare? CMS is holding stakeholder engagement calls to provide an opportunity for hospitals, health systems, and providers. The Webcast sessions are intended to provide updates, share best practices among peers, and offer attendees an opportunity to ask questions of CMS and other subject matter experts.

read more
Why Privacy & Consent Will Remain a Central Hurdle to Health Info Exchange Despite the Info Blocking Rule

Why Privacy & Consent Will Remain a Central Hurdle to Health Info Exchange Despite the Info Blocking Rule

by | Jun 23, 2020 |

Under the Privacy Exception, an Actor is permitted to not fulfill a request received to access, exchange, or use EHI to protect an individual’s privacy. The sub-exception for a “precondition-not-satisfied” will continue to put state laws governing privacy and consent at the center of decisions about whether EHI will be shared with third parties. Healthcare providers and HIEs/HINs especially will need to ensure that they have identified and analyzed each legal precondition to the release of EHI that is applicable to the particular type of entity and type of information that is implicated.

read more
Is Your Organization Ready to Send Patient Information to Apps by November?

Is Your Organization Ready to Send Patient Information to Apps by November?

by | Jun 19, 2020 | , , ,

Becker’s Hospital Review reported that 70% of CIOs are “concerned” about meeting the upcoming November 2nd deadline for complying with the Final Rules prohibiting information blocking practices. This is according to a survey conducted by CHIME, which included responses from executives at academic medical centers, critical access hospitals, multi-hospital systems and specialty hospitals.  Although the survey did not appear to identify specifically what concerns CIOs about complying with information blocking rules by this fall, one possibility is fully understanding how ONC’s information blocking rules will apply to releasing patients’ EHI to third-party apps.

read more
WEBINAR: Learn Which HIPAA Policies to Revise for ONC’s New Information Blocking Rule, Plus More!

WEBINAR: Learn Which HIPAA Policies to Revise for ONC’s New Information Blocking Rule, Plus More!

by | Jun 9, 2020 | ,

Join the NJ Chapter of HIMSS and Helen Oscislawski for this Webinar to get a lean and focused overview of what you need to do to comply with ONC’s and CMS’s final rules implementing the 21st Century Cures Act. On April 24, 2020, the OIG also released its Proposed Rule on CMPs to be imposed against Actors who engage in prohibited “Information Blocking.” These new rules turn on their heads certain HIPAA policies and procedures.

read more
New HHS Guidance on Laboratory COVID-19 Data Reporting Recognizes Valuable Role of HIEs

New HHS Guidance on Laboratory COVID-19 Data Reporting Recognizes Valuable Role of HIEs

by | Jun 7, 2020 | ,

Late last week, HHS published new Guidance that specifies what additional data must be reported by laboratories along with COVID-19 test results.  Reporting of certain data elements by laboratories are legally required, while reporting of other identifiable demographic data is encouraged but not mandatory. The Guidance notes that state and local privacy standards apply to the collection of identifiable demographic data. Importantly, HHS expressly supports health information exchanges (HIEs) being leveraged to facilitate required data collection and reporting.

read more
5 Reasons Why Your Training is Not Preventing HIPAA Violations by Employees

5 Reasons Why Your Training is Not Preventing HIPAA Violations by Employees

by | Jun 2, 2020 | ,

A State Court of Appeals recently reinstated a patient’s claim that an Indiana hospital is vicariously liable for the actions of its employee who shared the patient’s confidential information with an unauthorized third party.  Although the lower court originally dismissed the case, the appellate court found that there is a “genuine issue of fact” and remanded the case for further proceedings.  Now a potential monetary settlement teeters on the edge as the hospital’s potential liability for this employee’s HIPAA non-compliance rests in the hands of further proceedings in the lower court – so, you might want to ask why did this happen in the first place?

* HIPAA Training that is too basic and not focused on specific risk areas and organizational policies is not only non-compliant, but also largely ineffective. 

* HIPAA covered entities should have clear policies and training that address specific employee behaviors that are “high risk” for HIPAA violations. 

* Organizations must make sure they are training EVERYONE, and implementing effective Security Reminders.

read more
Will ONC’s Final Rule put HIEs between a “Block and a Hard Place”?

Will ONC’s Final Rule put HIEs between a “Block and a Hard Place”?

by | May 18, 2020 | ,

Under the ONC’s Final Rule on Information Blocking, Health Care Providers, HIEs and HINs will be legally prohibited from interfering with the access, exchange, or use of EHI unless an exception applies. However, HIEs/HINs that are HIPAA Business Associates are not allowed to use or further disclose PHI other than as permitted or required by their HIPAA BAAs with respective health care providers. So, what happens if a Health Care Provider and its HIPAA Business Associate HIE/HIN disagree on whether an exception allows EHI to be withheld from access, exchange or use under a certain set of specific facts?

read more
Don’t Make the Mistake of Over-Reporting Data Breaches Under HIPAA

Don’t Make the Mistake of Over-Reporting Data Breaches Under HIPAA

by | May 11, 2020 | , ,

Evaluating incidents that affect protected health information (PHI) to determine whether they must be reported under HIPAA’s Breach Notification Rule is a delicate balancing act.  On the one hand, a HIPAA covered entity will want to avoid reporting an incident to the Secretary of HHS if it is not required to do so under the standards set forth in HIPAA’s Breach Notification Rule. On the other hand, a HIPAA covered entity that fails to report a HIPAA Breach risks being exposed to penalties from OCR for each day such Breach was not reported when it should have been. A recent Becker’s Health IT article brought attention to a Notice posted by Ann & Robert H. Lurie Children’s Hospital of Chicago

read more

Archives