OCR Delivers a Quintuplet of HIPAA Resolutions – Sets the Tone for Providers Blocking Patients’ Access to PHI
Yesterday, all at once, OCR announced that it has entered into five new Resolution Agreements — each of them stemming from one or more violations of HIPAA’s right of access afforded to individuals. There are several interesting observations about these new cases that are worth taking note of.
CMS Extends Publication Deadline for Stark Law Changes
At the last hour, CMS extended the deadline for publishing much anticipated changes to the Stark Law. Originally expected for publication this past August, CMS extended the deadline to August 2021, noting that “… we are still working through the complexity of the issues raised by comments received on the proposed rule and therefore we are not able to meet the announced publication target date.” Together with the OIG’s counterpart rule, the proposed rules contain the potential for significant modernization of the Stark Law and Anti-kickback Statute as part of the “Regulatory Spring to Coordinated Care” as well as increased alignment and coordination between the two sets of laws.
Join Seton Hall Law & Helen Oscislawski & Other Esteemed Speakers on September 17th for Panel Discussions on Balancing Privacy and Public Health in a COVID-19 World
Seton Hall Law’s Institute for Privacy Protection and Gibbons Institute of Law, Science & Technology is hosting a Virtual Event on September 17th with legal academics, practitioners, and government officials who will evaluate the impact of the COVID-19 pandemic on privacy and intellectual property. Panel One speakers will discuss balancing privacy & public health; Panel Two will discuss Intellectual Property – incentives to access to vaccines & treatments.
OCR Puts the Summer HIPAA Heat on Two Organizations with New Resolution Agreements
After over almost four months of no new HIPAA Resolution Agreements or Civil Money Penalties, OCR quietly posted two new HIPAA settlement agreements at the end of July. At first glance, both appear to be “run-of-the-mill” cases with nothing much new to learn with the first one resulting in OCR finding that the covered entity failed to even complete a basic Security Risk Analysis and training of workforce, and the other involving – yes, yet again – a stolen unencrypted laptop. However, the second case in particular deserves closer examination where it has embedded in it more complex corporate structure and liability issues where it actually involved two legally separate covered entities that elected to designated themselves as a single covered entity for purposes of HIPAA. Let’s look at each case separately.
Big Changes to Big Breaches of Data and Notification Requirements Coming Soon!
Yesterday, the period for public comment on the FTC’s Health Breach Notification Rule closed. The FTC’s Health Breach Notification Rule requires vendors of PHRs and PHR-related entities to notify the FTC if they experience a breach of security involving unsecured health information. Another area of change to Breach Notification is arising out of the CARES Act which was was enacted into law on March 27, 2020 and is making significant changes 42 C.F.R. Part 2. Among other changes that the CARES Act is introducing, it creates an entirely new obligation on Part 2 providers to notify SAMHSA of uses and disclosures of Part 2 data in any manner not authorized under Part 2! To date, 42 CFR Part 2 did NOT include an independent obligation to report or notify any agency (i.e., SAMHSA or HHS) of any use or disclosure of Part 2 information which was in violation of 42 CFR Part 2.
ONC Just Announced a New HIE Funding Opportunity for HIE Services Benefiting Public Health & COVID-19
The award will allocate $2.5M to fund up to 5 awards (in the amount of up to $500K EACH) with a period of performance of up to 2 years in the form of cooperative agreements with funding contingent upon availability of funds, satisfactory completion of milestones, and a determination that continued funding is in the best interest of the federal government and the public. SHORT TURN AROUND! Deadline is September 1, 2020 to get Applications in.
Reminder: Hospital Hardship Applications Due September 1 for Medicare Promoting Interoperability Program
The extended deadline for hospitals to submit their hardship applications for the Medicare Promoting Interoperability Program is approaching. Hospitals have until September 1 to file for a hardship for the 2019 reporting period and avoid negative payment adjustments in 2021.
Moving Forward after Privacy Shield’s Invalidation
On July 16, the Court of Justice of the European Union (“CJEU”) invalidated the Privacy Shield, one of the primary mechanisms used by companies to lawfully transfer personal data outside of the European Union under the GDPR. Despite a prior adequacy determination in 2016, the CJEU found that shortcomings in the Privacy Shield, particularly U.S. security and surveillance laws and an ineffective Ombudsperson program, resulted in a failure to provide essentially equivalent protections to those afforded to individuals within the European Union.
Looks Like the FTC Is Ramping up for Enforcement of Health Apps
This past Tuesday the FTC hosted its 5th annual PrivacyCon. It was a GREAT event! The full-day event covered a wide-range of cutting edge and titillating issues concerning the privacy of data in this day and age of rapidly accelerating technology. However, it was the morning session which covered Health Apps that interested me the most. In his opening remarks, the Director of FTC’s Bureau of Consumer Protection, Andrew Smith, came out-of-the-gate pointing out that earlier this year HHS issued rules that will make it easier for consumers to access their medical records through the app of their choice, and while this expanded access to health information can be an enormous benefit to consumers – wherever data flow opportunities increase, the opportunities for data compromise increase as well. Director Smith concluded his opening remarks by stating “We at the FTC will not hesitate to take action when companies misrepresent what they are doing with consumers’ health information or otherwise put health data at undue risk . . .” Here is what I learned from the four-person panel of experts who discussed the ins-and-outs of Health Apps and potential direction of the FTC will take with enforcement.
When Does a Health Care Provider Wear an HIE/HIN Hat for Purposes of the Info Blocking Rule?
Under the Information Blocking Rule (IBR), a health information network (HIN) or health information exchange (HIE) type actor is one that “determines,” “controls,” or has the “discretion to administer” access, exchange or use of EHI between two or more unaffiliated entities. ONC has said that a separate entity is not necessary to trigger the IBR HIN/HIE definition of an Actor. Additionally, ONC has specifically pointed out that a health care system, for example, could wear two IBR actor hats: (1) as a health care provider, and (2) as a HIN/HIE.
What Information Must be Made Available on Patient Portals?
Well folks, the Information Blocking Rule (IBR) April 5th compliance deadline is behind us at this point. However, I know that many of you are continuing to work through your top IBR challenges and questions one at a time. At this point, I have worked through many thorny IBR issues with numerous health care providers and health information exchanges (HIE), so I thought it might be interesting for me to share what is the main topic that I see Actors are focused on. And the winner is …..
Information Blocking Compliance — So What Happens on April 5th?
The deadline for compliance with the Information Blocking Rule is just 12 days away! I am certain that all the Actors are working feverishly and diligently to come into compliance with these new requirements by this fast-approaching date. On the bright side, I suppose that we can all be relieved that ONC did not stick with its original deadline date of November 2, 2020. However, even with the extra time Actors may still be scrambling to get all of their ducks in a row by April 5, 2021. So, what are the actual consequences if everything is not “buttoned-up” in time?
NEW ONC FAQ: Prior Agreements or Contracts CAN Implicate Information Blocking as of April 5th!
On and after April 5, 2021, any actor’s agreements, arrangements, or contracts are subject to and may implicate the Information Blocking Rule. The Communications Condition of Certification (CCOC) requirements must be revised to remove or void the contractual provision that contravenes the CCOC requirements whenever the contract is next modified for any reason. A Business Associate Agreement should generally not prohibit or limit the access, exchange, or use of the EHI for treatment.
How to Use the Privacy Exception to Deny an Abuser Access to EHI
When an Actor wants to potentially deny access of EHI to a person who is suspected of some type of abuse of the individual (the “Abuser”) whose EHI is being sought, the natural inclination is want to look to the Information Blocking (IB) Rule’s Preventing Harm Exception to justify such denial. However, the IB Rule’s Privacy Exception offers additional options and, in certain ways, more flexibility for the Actor to deny a suspected Abuser’s request for EHI.
Checklist for Info Blocking Compliance
Over the last few weeks, I have come across a number of health care provider organizations that are under the incorrect assumption or belief that their EMR vendor is “taking care of” all that needs to be done in order for the provider to comply with Information Blocking. This is false. There are operational decisions and other process issues that must be addressed and can only be implemented by the Actor. Every health health care provider that meets the definition of an “Actor” should be taking active steps towards getting their organization positioned to comply with Information Blocking by April 5, 2021. Where should you start? I propose using a checklist as a simple starting point to begin “ticking off” your Information Blocking “to do” list . . .
Subscribe & Survive the onslaught of new healthcare regulations requiring updates to affected compliance programs.
Get access to exclusive subscription-only access to resources, tools, industry analysis and other valuable solutions.