Big Changes to Big Breaches of Data and Notification Requirements Coming Soon!
Yesterday, the period for public comment on the FTC’s Health Breach Notification Rule closed. The FTC’s Health Breach Notification Rule requires vendors of PHRs and PHR-related entities to notify the FTC if they experience a breach of security involving unsecured health information. Another area of change to Breach Notification is arising out of the CARES Act which was was enacted into law on March 27, 2020 and is making significant changes 42 C.F.R. Part 2. Among other changes that the CARES Act is introducing, it creates an entirely new obligation on Part 2 providers to notify SAMHSA of uses and disclosures of Part 2 data in any manner not authorized under Part 2! To date, 42 CFR Part 2 did NOT include an independent obligation to report or notify any agency (i.e., SAMHSA or HHS) of any use or disclosure of Part 2 information which was in violation of 42 CFR Part 2.
ONC Just Announced a New HIE Funding Opportunity for HIE Services Benefiting Public Health & COVID-19
The award will allocate $2.5M to fund up to 5 awards (in the amount of up to $500K EACH) with a period of performance of up to 2 years in the form of cooperative agreements with funding contingent upon availability of funds, satisfactory completion of milestones, and a determination that continued funding is in the best interest of the federal government and the public. SHORT TURN AROUND! Deadline is September 1, 2020 to get Applications in.
Reminder: Hospital Hardship Applications Due September 1 for Medicare Promoting Interoperability Program
The extended deadline for hospitals to submit their hardship applications for the Medicare Promoting Interoperability Program is approaching. Hospitals have until September 1 to file for a hardship for the 2019 reporting period and avoid negative payment adjustments in 2021.
Moving Forward after Privacy Shield’s Invalidation
On July 16, the Court of Justice of the European Union (“CJEU”) invalidated the Privacy Shield, one of the primary mechanisms used by companies to lawfully transfer personal data outside of the European Union under the GDPR. Despite a prior adequacy determination in 2016, the CJEU found that shortcomings in the Privacy Shield, particularly U.S. security and surveillance laws and an ineffective Ombudsperson program, resulted in a failure to provide essentially equivalent protections to those afforded to individuals within the European Union.
Looks Like the FTC Is Ramping up for Enforcement of Health Apps
This past Tuesday the FTC hosted its 5th annual PrivacyCon. It was a GREAT event! The full-day event covered a wide-range of cutting edge and titillating issues concerning the privacy of data in this day and age of rapidly accelerating technology. However, it was the morning session which covered Health Apps that interested me the most. In his opening remarks, the Director of FTC’s Bureau of Consumer Protection, Andrew Smith, came out-of-the-gate pointing out that earlier this year HHS issued rules that will make it easier for consumers to access their medical records through the app of their choice, and while this expanded access to health information can be an enormous benefit to consumers – wherever data flow opportunities increase, the opportunities for data compromise increase as well. Director Smith concluded his opening remarks by stating “We at the FTC will not hesitate to take action when companies misrepresent what they are doing with consumers’ health information or otherwise put health data at undue risk . . .” Here is what I learned from the four-person panel of experts who discussed the ins-and-outs of Health Apps and potential direction of the FTC will take with enforcement.
Mind your Breach Insurance and Vendor Contracts
A preliminary class action data breach settlement involving UnityPoint Health should prompt health care organizations to take a second look at their breach insurance coverage as well as their contracts with vendors who process data on their behalf. Adequate cyber and breach insurance coverage is paramount and should be commensurate with the health care organization’s size, operations. Additionally, health care organizations should pay close attention to their vendor contracts, particularly limitation of liability clauses, hold harmless provisions and indemnification provisions in health IT and other contracts.
Don’t Wait to Understand How “FHIR” Will Transform Health Information Exchange, or You’ll Feel the Heat When it Ignites!
CMS & ONC have promulgated their Final Rules to implement the 21st Century Cures Act. A main goal is to accelerate the access, exchange and use of electronic health information (EHI). One way this is being accomplished is to require certain entities and actors to provide Application Programming Interfaces (APIs) that use a new standard for data access and exchange called Fast Healthcare Interoperability Resources (aka “FHIR”). These new standards for adopting FHIR for information exchange is expected to exponentially accelerate individuals ability to access and share EHI through mobile apps, as well as allow any third-party adopting such FHIR standards to obtain access to such EHI. Especially for HIPAA Privacy Officers, Security Officers, Compliance Officers and attorneys who have for years focused on ensuring that their organizations do not make the mistake of releasing protected health information to a third-party in violation of federal or state privacy and security laws, I feel your pain on FHIR!
You Should Know Your Affirmative Defenses if OCR Investigates You for HIPAA Violations
The HIPAA Enforcement Rule prevents the Secretary/OCR from assessing civil monetary penalties (CMP) against a covered entity or business associate if an Affirmative Defense can be established. A HIPAA violation that is corrected within 30 days of discovery can potentially insulate an organization from CMPs, provided certain requirements are met. But an organization has to make sure that it fits squarely within the requirements of these regulatory defenses to be fully insulated.
Don’t Miss CMS’s Engagement Calls for Ongoing COVID-19 Developments
Need access to current information about COVID-19 and Medicare? CMS is holding stakeholder engagement calls to provide an opportunity for hospitals, health systems, and providers. The Webcast sessions are intended to provide updates, share best practices among peers, and offer attendees an opportunity to ask questions of CMS and other subject matter experts.
Changes on the Horizon for Part 2 Confidentiality Regulations
As part of its comprehensive COVID-19 response, Congress quietly passed through changes to the federal drug and alcohol confidentiality framework known as “Part 2” under the CARES Act, enacted on March 27. One of the more underreported components of the CARES Act, the changes do not completely overhaul the Part 2 regulations, however, they relax several restrictions that health care providers have struggled with, particularly in the electronic exchange and electronic health records (“EHR”) context (the “CARES Act Changes”).
Will ONC’s Final Rule put HIEs between a “Block and a Hard Place”?
Under the ONC’s Final Rule on Information Blocking, Health Care Providers, HIEs and HINs will be legally prohibited from interfering with the access, exchange, or use of EHI unless an exception applies. However, HIEs/HINs that are HIPAA Business Associates are not allowed to use or further disclose PHI other than as permitted or required by their HIPAA BAAs with respective health care providers. So, what happens if a Health Care Provider and its HIPAA Business Associate HIE/HIN disagree on whether an exception allows EHI to be withheld from access, exchange or use under a certain set of specific facts?
Don’t Make the Mistake of Over-Reporting Data Breaches Under HIPAA
Evaluating incidents that affect protected health information (PHI) to determine whether they must be reported under HIPAA’s Breach Notification Rule is a delicate balancing act. On the one hand, a HIPAA covered entity will want to avoid reporting an incident to the Secretary of HHS if it is not required to do so under the standards set forth in HIPAA’s Breach Notification Rule. On the other hand, a HIPAA covered entity that fails to report a HIPAA Breach risks being exposed to penalties from OCR for each day such Breach was not reported when it should have been. A recent Becker’s Health IT article brought attention to a Notice posted by Ann & Robert H. Lurie Children’s Hospital of Chicago
CMS Continues COVID-19 Assistance for the Promoting Interoperability and Quality Payment Programs
As hospitals and providers continue to struggle in response to the COVID-19 pandemic, CMS has announced several efforts to provide assistance under the Promoting Interoperability Programs and Quality Payment Program.
For the Quality Payment Program, CMS had previously extended the deadline for MIPS eligible clinicians to submit data and reopened the application period for MIPS eligible clinicians to file for a hardship exception for the 2019 payment year. Additionally, CMS announced that any individual MIPS eligible clinician who did not submit data or which submitted data for only one performance category for the 2019 payment year by April 30 will automatically receive a neutral payment instead of a negative payment adjustment (this “extreme and uncontrollable circumstances” policy is not available to groups/virtual groups). If a MIPS eligible clinician is able to submit data, CMS noted that the data submission would override the automatic “extreme and uncontrollable circumstances” policy and the clinician could be eligible for negative, neutral or positive payment adjustments based on the data submission.
Are Lawsuits for Violations of HIPAA’s Deidentification Standards About to Take Off – and What Can You Do About It?
A recent opinion article published in STAT News explored whether potential litigation is looming surrounding the de-identified data exception in HIPAA. The authors of the article point out that “large volumes of data underpin the development of any AI effort,” which is why companies…
Legal HIE has Relaunched with a NEW Membership Subscription Option!
Welcome (or, to some, “welcome back”) to Legal...
OIG issues Proposed Rule for Civil Monetary Penalties for Information Blocking
On Friday, April 24th, the Office of Inspector General (OIG) of HHS published a Proposed Rule to amend the civil monetary penalties (CMP) rules to incorporate new authorities for investigating and assessing monetary penalties for Information Blocking violations.
ONC Delays Enforcement of the Information Blocking Certification Provisions of its CURES Act Final Rule for 3 months
Today, ONC announced that it will exercise its discretion in enforcing all new requirements under its Cures Act Final Rule which have compliance dates and time frames until 3 months after each such date identified in the Final Rule. The ONC Final Rule is scheduled to be published on May 1, 2020 in the Federal Register. The ONC has developed an “Enforcement Discretion Dates and Time frames” chart which indicates that the Part 170 Information Blocking provisions will have a compliance Enforcement Discretion Date of February 1, 2021.
Summary List of COVID19-related Federal Actions Relevant to Healthcare
As efforts at the federal and individual states level evolve every day at almost a breakneck pace to address challenges and needs related to the COVID-19 outbreak, here is a running list of some of the top actions taken at the federal level that we thought would be helpful to the healthcare industry (Caveat, this is not an exhaustive list): [updated: July, 28, 2021]
HHS Notification of Enforcement Discretion Regarding COVID-19 Community Based Testing sites
On April 9th, HHS announced a new Notification...
Do I Need a HIPAA Business Associate Agreement?
A HIPAA “Business Associate” is a person, other than a member of the workforce, who creates, receives, maintains or transmits PHI in the performance of services or functions for or on behalf of a Covered Entity. Treatment and Payment disclosures do NOT create a HIPAA BA relationship. Conduits are not HIPAA BAs, but the exception is very narrow. Covered Entities should review each HIPAA BA Agreement is needed, or not.
OCR Permits HIPAA BAs to Share COVID19-related PHI Directly for Public Health and Oversight
On April 2nd, HHS announced a new “Notification...
Subscribe & Survive the onslaught of new healthcare regulations requiring updates to affected compliance programs.
Get access to exclusive subscription-only access to resources, tools, industry analysis and other valuable solutions.