A “Double-Double” Set of Proposed Rules from CMS & OCR Affecting Data Sharing & HIPAA

Late last week, two new proposed rules were released which will affect the exchange of health information and HIPAA, among other things.  The CMS and OCR proposed rules come in at over 347 and 357 pages respectively – so that’s a lot of meat to digest!  At a high level, the CMS Proposed Rule aims to “improve the electronic exchange of health care data among payers, providers, and patients,” and “streamline processes related to prior authorization to reduce burden on providers and patients.” The OCR proposed changes to HIPAA take a bite out of patient access, minimum necessary, the HIPAA NPP and more . . .

Per ONC, Lab Results Generally Cannot be Delayed to “Prevent Harm” (unless threat to life & physical safety)

As the November 2nd deadline for compliance with ONC’s Information Blocking Rule nears, many health care providers – which are “Actors” subject to the Rule – are scrambling to reexamine their default settings for sharing various types of data, including lab results. In ONC’s Final Rule preamble, several commenters indicated that providers’ current organizational policies call for practices that delay the release of laboratory results so that the patient’s clinician has an opportunity to review the results before potentially needing to respond to patient questions, or has an opportunity to communicate the results to the patient in a way that builds the clinician-patient relationship.

Info Blocking Rules have you STRESSED?!! Join Helen O. for Two Not-to-Miss Workshops for Help!

Join me for a pair of 1.5-hour Information Blocking Workshops designed to work through the nitty-gritty details of the Information Blocking Rule. The first Workshop will take place WEDNESDAY (9/30), so don’t delay! Workshops will include use cases and scenarios aimed at real challenges faced by health care providers looking to comply with these new regulatory standards for access to and sharing of electronic health information. Registrants will receive 2 sample P&Ps, and much more!

OCR Delivers a Quintuplet of HIPAA Resolutions – Sets the Tone for Providers Blocking Patients’ Access to PHI

Yesterday, all at once, OCR announced that it has entered into five new Resolution Agreements, each of them stemming from one or more violations of HIPAA’s right of access afforded to individuals. There are several interesting observations about these new cases that are worth taking note of.

OCR Puts the Summer HIPAA Heat on Two Organizations with New Resolution Agreements

After almost four months of no new HIPAA Resolution Agreements or Civil Money Penalties, OCR quietly posted two new HIPAA settlement agreements at the end of July. At first glance, both appear to be “run-of-the-mill” cases with nothing much new to learn: the first resulted in OCR finding that the covered entity failed to even complete a basic Security Risk Analysis and training of its workforce, and the other involved – yes, yet again – a stolen unencrypted laptop. However, the second case in particular deserves closer examination, because it has embedded in it more complex corporate structure and liability issues: it actually involved two legally separate covered entities that elected to designate themselves as a single covered entity for purposes of HIPAA. Let’s look at each case separately.

Mind your Breach Insurance and Vendor Contracts

A preliminary class action data breach settlement involving UnityPoint Health should prompt health care organizations to take a second look at their breach insurance coverage as well as their contracts with vendors who process data on their behalf. Adequate cyber and breach insurance coverage is paramount and should be commensurate with the health care organization’s size and operations. Additionally, health care organizations should pay close attention to their vendor contracts, particularly limitation of liability clauses, hold harmless provisions and indemnification provisions in health IT and other contracts.

You Should Know Your Affirmative Defenses if OCR Investigates You for HIPAA Violations

The HIPAA Enforcement Rule prevents the Secretary/OCR from assessing civil monetary penalties (CMP) against a covered entity or business associate if an Affirmative Defense can be established. A HIPAA violation that is corrected within 30 days of discovery can potentially insulate an organization from CMPs, provided certain requirements are met. But an organization has to make sure that it fits squarely within the requirements of these regulatory defenses to be fully insulated.

5 Reasons Why Your Training is Not Preventing HIPAA Violations by Employees

A State Court of Appeals recently reinstated a patient’s claim that an Indiana hospital is vicariously liable for the actions of its employee who shared the patient’s confidential information with an unauthorized third party. Although the lower court originally dismissed the case, the appellate court found that there is a “genuine issue of fact” and remanded the case for further proceedings. Now a potential monetary settlement teeters on the edge, as the hospital’s potential liability for this employee’s HIPAA non-compliance rests in the hands of further proceedings in the lower court – so you might want to ask why this happened in the first place.

* HIPAA Training that is too basic and not focused on specific risk areas and organizational policies is not only non-compliant, but also largely ineffective. 

* HIPAA covered entities should have clear policies and training that address specific employee behaviors that are “high risk” for HIPAA violations. 

* Organizations must make sure they are training EVERYONE, and implementing effective Security Reminders.

Don’t Make the Mistake of Over-Reporting Data Breaches Under HIPAA

Evaluating incidents that affect protected health information (PHI) to determine whether they must be reported under HIPAA’s Breach Notification Rule is a delicate balancing act.  On the one hand, a HIPAA covered entity will want to avoid reporting an incident to the Secretary of HHS if it is not required to do so under the standards set forth in HIPAA’s Breach Notification Rule. On the other hand, a HIPAA covered entity that fails to report a HIPAA Breach risks being exposed to penalties from OCR for each day such Breach was not reported when it should have been. A recent Becker’s Health IT article brought attention to a Notice posted by Ann & Robert H. Lurie Children’s Hospital of Chicago

Do I Need a HIPAA Business Associate Agreement?

A HIPAA “Business Associate” is a person, other than a member of the workforce, who creates, receives, maintains or transmits PHI in the performance of services or functions for or on behalf of a Covered Entity. Treatment and Payment disclosures do NOT create a HIPAA BA relationship. Conduits are not HIPAA BAs, but the exception is very narrow. Covered Entities should review whether each HIPAA BA Agreement is needed, or not.
