State AG Brings First HIPAA Lawsuit Against Business Associate Last month, I posted how treatment of business associates during HIPAA investigations remains unclear as well as assignment of liability for breaches of PHI. A final “omnibus rule” is expected to clarify the HITECH business...
HIPAA Audits Begin November 2011, How Can Covered Entities and Business Associates Prepare? The United States Department of Health and Human Services (HHS) has announced that it will begin HIPAA audits of covered entities and business associates this November 2011, and its contracted...
HIPAA Auditor Responsible for Breach in 2010 In June of 2010, a large healthcare system was informed by its business associate that a breach had occurred, affecting thousands of patients at its hospital. The breach had occurred the previous month when an employee of the business...
HITPC Releases Tiger Team EHR Amendment/Correction Recommendations The ONC Health Information Technology Policy Committee (HITPC) released the Privacy & Security Tiger Team (Tiger Team) recommendations concerning amendments and corrections to electronic medical records (EMRs) in a...
U.S. Supreme Court Strikes Down Vermont’s Prescription Drug Data Mining Ban Law Last Friday, the United States Supreme Court struck down the Vermont Prescription Confidentiality Law allowing prescriber-identifying information to be sold and disclosed by pharmacies and pharmaceutical...
HHS Releases Proposed Rule for Accounting of Disclosures A Notice of Proposed Rulemaking (NPRM) concerning the accounting of disclosures (AOD)requirement under the HIPAA Privacy Rule was posted last Friday, May 31, 2011. The U.S. Department of Health and Human Services’ (HHS) Office...
OCR Will Address Almost Everything in HITECH Omnibus Rule HealthDataManagementhas quoted Susan McAndrew, deputy director of health information privacy in the Department of Health and Human Services, OCR, as saying that the final rules implementing the HITECH Act are to be released...
One, Two HIPAA Penalty Punch from HHS and OCR Just as gasps from the 4.3 million dollar penalty OCR assessed against Cignet Health of Maryland started to subside, OCR delivers a whopping 1 million dollar penalty to another hospital — this time to the The General Hospital Corporation and...
Kansas Aligns State Privacy Laws with HIPAA as HIE Standard Today, the State of Kansas’ Senate committee approved (by a vote of 39-0) Senate Bill 133 to align the state’s privacy laws with HIPAA. The Kansas Health Information Exchange, Inc. (the state’s RHIO) testified before the Senate...
Accounting of Disclosures Proposed Rule up for Review: The Beginning of a Collective Sigh of Relief or Covered Entities’ Newest Nightmare? Prepared by Krystyna H. Nowik, Esq. The Office of Management and Budget (OMB) has finally received the long-awaited proposed rule addressing...
U.S. Supreme Court to Consider Whether Prescription Data Mining is Protected under First Amendment In November 2010, legalhie.com mentioned that the Court of Appeals for the Second Circuit had issued its ruling that Vermont’s drug-marketing restrictions were unconstitutional. Vermont’s...
Drug Database Firms Have Much to be Thankful for this Past Thanksgiving as Second Circuit says “Good-Bye” to Vermont’s Drug Marketing Restrictions On November 23, 2010, the Court of Appeals for the Second Circuit issued its ruling that Vermont’s drug-marketing restrictions were...
“Psychotherapy Notes” may Come Out From the Drawer Currently, “psychotherapy notes” remains a very, very narrowly defined term under the Privacy Rule, and does not include general mental health information, including progress notes. The exact definition is: Psychotherapy notes means...
HHS Thinks Rite Aid Disposal Policies Are “In the Dumps” Prepared by Krystyna Nowik. In a recent settlement agreement, Rite Aid Corporation and its affiliated entities have agreed to shell out $1 million in order to settle potential HIPAA violations. The Office of Civil Rights (OCR)...
Oh where, Oh where has the Security Breach Rule gone? Today, I was going to draft a follow up article to my previous post to address whether notification was required under the Security Breach Notification Rule. However, when I sat down to begin typing, I discovered that the Breach Rule...