ONC Says “Vetting” Mobile Apps is Information Blocking

ONC Says “Vetting” Mobile Apps is Information Blocking

ONC says actors that require third-party apps to be “vetted” by them for security reasons before allowing patients to use such apps to receive EHI via API technology certified to the Standardized API certification criterion is likely to be information blocking. However, my concern with relying solely on the security criteria required for API certification is that it is too low of a bar to adequately protect patients and other individuals from developers of apps that fail to keep promises to keep individuals’ information confidential.

read more
ONC Publishes New FAQs on Information Blocking focused on the Privacy Exception.

ONC Publishes New FAQs on Information Blocking focused on the Privacy Exception.

The Office of National Coordinator says it receives a lot of questions regarding how the Information Blocking Rule is supposed to work in tandem with the HIPAA Privacy Rule and other federal and state laws governing privacy and confidentiality. Their new FAQs aim to help clarify when actors can choose to not respond to a request for access, exchange, or use of electronic health information.

read more
ONC Vindicated. Patients Want Immediate Access to Test Results

ONC Vindicated. Patients Want Immediate Access to Test Results

JAMA published a study earlier this week finding more than 95% wanted immediate access to test results. However, when speaking to ONC, the study’s lead researcher specifically noted that although 95.3% of patients who received abnormal test results responded that they still would like to continue to receive immediately released results, this was associated with nearly twice the likelihood of worry compared to respondents who received normal results.

read more
FTC Orders BetterHelp Health App to Pay $7.8M for Sending User Data to Facebook & Snapchat

FTC Orders BetterHelp Health App to Pay $7.8M for Sending User Data to Facebook & Snapchat

The FTC issued a proposed order requiring BetterHelp to pay $7.8 million to consumers to settle charges that it shared consumers’ health data with Facebook, Pinterest, Snapchat, and Criteo after promising to keep such data private and claiming it is “certified” as “HIPAA compliant.” The real juice of this case is in the FTC compliant — and HIPAA-covered providers, facilities & organizations can learn a lot about what to watch out for with health data Apps as we continue to march towards the FHIR.

read more
Not So Sunny News in Arizona –  Major Health Care System Agrees to Pay $1.25 Million HIPAA Settlement for Cybersecurity Hacking Incident from 2016

Not So Sunny News in Arizona –  Major Health Care System Agrees to Pay $1.25 Million HIPAA Settlement for Cybersecurity Hacking Incident from 2016

The forecast for Arizona is thunderstorms, at least for at least one health care system. Last week, OCR announced a $1.25 settlement for HIPAA Security Rule violations brought to light by a cybersecurity hacking incident that took place over five years ago.

read more
Is Your Organization Ready for an OCR HIPAA Compliance Review re: Use of Online Tracking Technology?

Is Your Organization Ready for an OCR HIPAA Compliance Review re: Use of Online Tracking Technology?

On December 1, 2022, OCR released a “guidance” Bulletin re: “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.” From it, we learned (among other things) that OCR believes that an individual’s IP addresses and geo location, collected by a regulated entity’s website, is protected by HIPAA. Now, we have come to learn that HIPAA compliance investigations by OCR are already underway concerning this topic. Are you ready?

read more
How to Use the Privacy Exception to Deny an Abuser Access to EHI

How to Use the Privacy Exception to Deny an Abuser Access to EHI

When an Actor wants to potentially deny access of EHI to a person who is suspected of some type of abuse of the individual (the “Abuser”) whose EHI is being sought, the natural inclination is want to look to the Information Blocking (IB) Rule’s Preventing Harm Exception to justify such denial.  However, the IB Rule’s Privacy Exception offers additional options and, in certain ways, more flexibility for the Actor to deny a suspected Abuser’s request for EHI.  

read more
Threading the HIPAA Needle through Information Blocking to Block Patient Access when Data is Corrupted

Threading the HIPAA Needle through Information Blocking to Block Patient Access when Data is Corrupted

The Information Blocking (IB) Rule is intended to work in sync with HIPAA, including the “right of access” the Privacy Rule grants to patients with regard to access to their own protected health information (PHI).  However, as I continue to analyze how to implement various standards that overlap between these two regulations, questions about how to thread the needle on seemingly conflicting standards continues to come up. Today, I take a closer look at the difference between HIPAA’s “right of access” as compared to the Preventing Harm Exception found in the IB Rule. Specifically, this post considers how a covered entity health care provider . . .

read more
How the Preventing Harm Exception Changes HIPAA

How the Preventing Harm Exception Changes HIPAA

the “Preventing Harm Exception” under the Information Blocking Rule is not only the most challenging exception to apply, but also the most difficult to interpret – particularly where some of the standards do not exactly track HIPAA, and still other imprecise language ONC used has made its interpretation uncertain. In this post, I will attempt to distill the Preventing Harm Exception down to its basic elements, as well as point out issues in its interpretation to be aware of.

read more
A Look Ahead to 2021

A Look Ahead to 2021

The new year has much in store for electronic health information exchange compliance!  Today’s post provides an overview of anticipated changes to the health information regulatory landscape in 2021, including increased interoperability efforts and telehealth expansion due to the coronavirus pandemic. It is not surprising that many of the topics discussed below are a direct result of the interoperability requirements created by the 21st Century Cures Act (“Cures Act”) enacted in December 2016.

read more
Our Stockings are Stuffed with Compliance Tools

Our Stockings are Stuffed with Compliance Tools

Seasons Greetings to all of our readers!  First, we want to wish you and yours a holiday season filled with health, happiness and hope!  We also want to thank you all for continuing to make Legal HIE such a popular and highly visited blog!  It puts a smile on our face seeing so many of you enjoying our posts and returning to our site often!  

As stockings are being hung by chimneys with care, we want to make sure you know that Legal HIE’s stockings are absolutely stuffed to the brim with tremendous tools, sample forms, polices and turn-key solutions that can help your organization stay on top of the most pressing compliance challenges, and ever-changing healthcare regulatory landscape. 2021 promises to be a year with many new and final regulations going into effect, and being released. The Legal HIE compliance library was created specifically for this purpose – to help busy and overwhelmed compliance officers and attorneys keep up with these changes by offering turn-key samples and solutions as a solid starting point.

read more
OCR Publishes New Guidance on Sharing PHI through HIEs for Public Health Purposes

OCR Publishes New Guidance on Sharing PHI through HIEs for Public Health Purposes

Last Friday, the Office for Civil Rights (OCR) issued new Guidance on how HIPAA permits covered entities and their business associates to use health information exchanges (HIEs) to disclose PHI for the public health activities of a Public Health Authority (PHA).  Specifically, it provides examples relevant to the COVID-19 public health emergency. OCR Director, Roger Severino, specifically notes that the Guidance was issued:

“to highlight how HIPAA supports the use of health information exchanges in sharing health data to improve the public’s health, particularly during the COVID-19 public health emergency.”.

Although much of the Guidance document simply reiterates the controlling HIPAA Privacy Rule provisions and definitions which have always afforded a mechanism through which covered entities (CE) and their contracted business associates (BA) can share ePHI with a public health authority for public health purposes, there are a few notable new take-away nuggets.

read more

Archives