Yesterday, all at once, OCR announced that it has entered into five new Resolution Agreements — each of them stemming from one or more violations of HIPAA’s right of access afforded to individuals. There are several interesting observations about these new cases that are worth taking note of.
At the last hour, CMS extended the deadline for publishing much anticipated changes to the Stark Law. Originally expected for publication this past August, CMS extended the deadline to August 2021, noting that “… we are still working through the complexity of the issues raised by comments received on the proposed rule and therefore we are not able to meet the announced publication target date.” Together with the OIG’s counterpart rule, the proposed rules contain the potential for significant modernization of the Stark Law and Anti-kickback Statute as part of the “Regulatory Spring to Coordinated Care” as well as increased alignment and coordination between the two sets of laws.
After over almost four months of no new HIPAA Resolution Agreements or Civil Money Penalties, OCR quietly posted two new HIPAA settlement agreements at the end of July. At first glance, both appear to be “run-of-the-mill” cases with nothing much new to learn with the first one resulting in OCR finding that the covered entity failed to even complete a basic Security Risk Analysis and training of workforce, and the other involving – yes, yet again – a stolen unencrypted laptop. However, the second case in particular deserves closer examination where it has embedded in it more complex corporate structure and liability issues where it actually involved two legally separate covered entities that elected to designated themselves as a single covered entity for purposes of HIPAA. Let’s look at each case separately.
On July 16, the Court of Justice of the European Union (“CJEU”) invalidated the Privacy Shield, one of the primary mechanisms used by companies to lawfully transfer personal data outside of the European Union under the GDPR. Despite a prior adequacy determination in 2016, the CJEU found that shortcomings in the Privacy Shield, particularly U.S. security and surveillance laws and an ineffective Ombudsperson program, resulted in a failure to provide essentially equivalent protections to those afforded to individuals within the European Union.
This past Tuesday the FTC hosted its 5th annual PrivacyCon. It was a GREAT event! The full-day event covered a wide-range of cutting edge and titillating issues concerning the privacy of data in this day and age of rapidly accelerating technology. However, it was the morning session which covered Health Apps that interested me the most. In his opening remarks, the Director of FTC’s Bureau of Consumer Protection, Andrew Smith, came out-of-the-gate pointing out that earlier this year HHS issued rules that will make it easier for consumers to access their medical records through the app of their choice, and while this expanded access to health information can be an enormous benefit to consumers – wherever data flow opportunities increase, the opportunities for data compromise increase as well. Director Smith concluded his opening remarks by stating “We at the FTC will not hesitate to take action when companies misrepresent what they are doing with consumers’ health information or otherwise put health data at undue risk . . .” Here is what I learned from the four-person panel of experts who discussed the ins-and-outs of Health Apps and potential direction of the FTC will take with enforcement.
The HIPAA Enforcement Rule prevents the Secretary/OCR from assessing civil monetary penalties (CMP) against a covered entity or business associate if an Affirmative Defense can be established. A HIPAA violation that is corrected within 30 days of discovery can potentially insulate an organization from CMPs, provided certain requirements are met. But an organization has to make sure that it fits squarely within the requirements of these regulatory defenses to be fully insulated.
Evaluating incidents that affect protected health information (PHI) to determine whether they must be reported under HIPAA’s Breach Notification Rule is a delicate balancing act. On the one hand, a HIPAA covered entity will want to avoid reporting an incident to the Secretary of HHS if it is not required to do so under the standards set forth in HIPAA’s Breach Notification Rule. On the other hand, a HIPAA covered entity that fails to report a HIPAA Breach risks being exposed to penalties from OCR for each day such Breach was not reported when it should have been. A recent Becker’s Health IT article brought attention to a Notice posted by Ann & Robert H. Lurie Children’s Hospital of Chicago
The events unfolding with respect to COVID-19 are unprecedented. There is a lot going on, and for those out there on the front lines of health care – like my husband who is an ER doc – I know that your first priority is helping patients and ensuring everyone around you is safe and healthy. ...
WellPoint hit with .7 million for Security Weaknesses in Online Application The increasingly heavy-handed OCR announced news yesterday of yet another resolution agreement for HIPAA violations; this time hitting WellPoint Inc., a managed care company, with $1.7 million for an...
Lessons from the Idaho State University CAP Back in 2011, Idaho State University (Idaho State) experienced a breach of PHI affecting approximately 17,500 individuals after firewalls on its servers were disabled at one of its outpatient clinics. It appropriately notified HHS in August of...
Kaiser Permanente Faces Investigation Over Inappropriate Storage of Patient Records by Contractor Kaiser Permanente is facing investigation over the handling of approximately 300,000 patient records by a contract storage firm. According to an article in the LA Times, Kaiser contracted...
HHS Rings in 2013 with News of Settlement for Small Breach We hope all of our readers had a happy and relaxing holiday season, and we wish you all the best for this New Year! It seems fitting for the first post of the year to revolve around HHS’s announcement of its first breach settlement...
OIG Finds Fault with CMS Meaningful Use Oversight In a report released on November 29, the Office of Inspector General (OIG) chastised CMS for not doing a better job of pre and post-payment oversight for the Medicare and Medicaid EHR Incentive Programs (Meaningful Use). As of September...
Guess What? OIG DOES Care about EHRs and Meaningful Use Today marks the last day for hospitals to return an 18-page, 54 question survey inquiring about their EHR practices, security, coding and other potential EHR fraud and abuse vulnerabilities. Hospitals using certified EHR...
August Goes Out with a Bang: Stage 2 Final Rule & HIPAA Arrest August ended in a whirlwind of federal activity, with CMS and OCR publishing the long-awaited Meaningful Use Stage 2 Final Rule and its accompanying Standards & Certification Criteria. And, as if Stage 2 wasn’t...