OCR Sees Uptick in Ransomware Incidents
During Fall 2024, HHS OCR concluded 3 investigations resulting in settlement payments relating to ransomware incidents. In all three instances, OCR found that the entities that encountered the cybersecurity incidents had not conducted a compliant risk analysis and did not sufficiently monitor their health information systems’ activity. There has been a 264% uptick in large ransomware breaches since 2018.
Unmasking the Issues: The Final Resolution in the Epic v. Particle Health Dispute
In a decision that will have lasting implications for interoperability and health information exchange, earlier this month Carequality issued its Final Resolution in the dispute between Epic and Particle Health. This follows months of deliberation, multiple rounds of evidence submission, and deep scrutiny of the rules governing data sharing. This latest resolution delivers much-needed clarity on several key concerns—but it also introduces fresh questions around enforcement, reciprocity, and how trusted exchange will continue to evolve.
Texas Sues to Block new HIPAA Reproductive Health Care Rule
Texas Attorney General, Ken Paxton, has sued HHS alleging that the HIPAA Reproductive Health Care Privacy Rule amendments infringe on the state’s investigative authority and that the HIPAA statute does not grant sufficient authority to HHS to promulgate such a rule. Texas is seeking an injunction against enforcement of the final rule.
Lessons Learned from Real Time vs. PointClickCare: Mind your Information Blocking Ps and Qs
A federal district judge has granted preliminary injunctive relief to Real Time Medical Systems, Inc. (“Real Time”) barring the defendant, PointClickCare (“PCC”), from deploying unsolvable CAPTCHAs that interfered with Real Time’s ability to access the data of its skilled nursing facility customers that utilized PCC. As Judge Xinis wrote in the opinion, “No evidence supports that PCC had any legitimate good faith use for wholly inscrutable CAPTCHAs which, by definition, blocked Real Time from getting the very records it needs to exist….But even more damning is the timing of such deployments, which support that PCC used those CAPTCHAs as a device to hamstring or eliminate Real Time as a competitor.” Keep reading for additional details regarding Real Time’s complaints against PointClickCare.
Update: On August 19, 2024, PointClickCare filed a Motion to Expedite Appeal with the United States Court of Appeals for the Fourth Circuit.
HIPAA Reproductive Health Care Privacy – Attestation Template, Policy Samples, updated HIPAA policies, a HIPAA-New Jersey Reproductive Health Care Law crosswalk, and more!
June 25, 2024 has arrived! This means that the Final Rule for HIPAA Privacy to Support Reproductive Health Care Privacy is officially in effect, and HIPAA covered entities and business associates may now begin implementing its new requirements! But there are still many questions about how some of the new requirements should be implemented. Among those giving covered entities and business associates the most angst is the new Attestation requirement.
Who’s On First? Confusion Continues About Who Should be Reporting the Change Healthcare PHI Breaches (UPDATED)
What should covered entity healthcare providers be considering and doing, especially where Change Healthcare has yet to take any affirmative breach notification actions? In this post, I take a deeper dive into key issues and share suggestions on steps covered entities may wish to take in order to manage ongoing uncertainties and risks that continue to simmer as a result of the Change Healthcare incident.
FTC Expands Health Breach Notification Rule: What It Means for Health Apps, HIEs, and the Future of Health Data Privacy
The FTC has finalized significant changes to the Health Breach Notification Rule (HBNR), a regulation originally designed to ensure that personal health records (PHRs) and similar digital health platforms notify consumers in the event of a data breach. These updates clarify the rule’s applicability to technologies outside the scope of HIPAA and impose stricter notification and transparency requirements on companies handling sensitive health data. The amendments also carry broad implications for HIEs and HINs, which are at the forefront of data interoperability and patient information sharing.
Epic v. Particle Health: The Controversy that Launched a Thousand Comments
When it comes to health data access, there’s often a fine line between compliance and controversy. That line became the battleground in the dispute between Epic Systems and Particle Health, a clash that boiled down to a fundamental question: What is “treatment”?
The 2023 HITECH Report to Congress: Big Steps in Interoperability—No April Fools’ Gimmicks
The latest HITECH Report to Congress, released earlier this month, outlines the evolving landscape of health information technology and the continued push toward a more connected, interoperable health care system. With electronic health records (EHRs) now a staple in most clinical settings, the focus has shifted from adoption to enhancing how data is exchanged and used. The report highlights major achievements, persistent challenges, and future priorities in the journey toward seamless health information sharing.
42 C.F.R. Part 2 Final Rule Amending Privacy of Substance Use Disorder Records Released.
The Final Rule amending 42 CFR Part 2 finalizes changes that will align uses and disclosures of Part 2 information with HIPAA for treatment, payment & health care operations. Part 2 providers and others who must comply with Part 2 and this Final Rule have two (2) years to get into compliance. Read more about the changes and how we can help with compliance.
Meet New Jersey’s Brand New Data Privacy Act and Its Impact on Healthcare Organizations & Others
The New Jersey Data Privacy Act (NJDPA) was enacted on January 16, 2024. Although PHI collected by a HIPAA CE or BA is excluded from the NJDPA, HIPAA CEs and BAs are NOT wholly excluded from compliance with the NJDPA. Also, HHS’ recent problematic interpretation that IP addresses collected by a healthcare provider’s website may be PHI adds even more complexity in interpreting the NJDPA.
When AI Denies Your Healthcare: The UnitedHealthcare Lawsuit and the Legal Dangers of AI in Medicine
Artificial intelligence (AI) is supposed to make healthcare smarter, more efficient, and—ideally—better for patients. But as UnitedHealthcare Group (UHG) recently learned, AI can also go horribly wrong, leading to denied care, regulatory scrutiny, and class-action lawsuits. Today’s post breaks down what happened in the UHG case, what it reveals about some of AI’s legal minefields, and how healthcare organizations can avoid becoming the next target of an AI-related lawsuit.