• Margaret Young Levi
    Posts by Margaret Young Levi
    Attorney

    Margaret Young Levi is a seasoned attorney who advises health care organizations on data privacy, cybersecurity, and regulatory compliance issues critical to patient care and day to day operations.

    Margaret Young Levi is a member ...

On February 8, 2024, the Centers for Medicare and Medicaid Services (CMS) issued a memorandum entitled Texting of Patient Information and Orders for Hospitals and CAHs (the 2024 Memo), which provides updated guidance to State Survey Agency Directors.

The deadline for notifying the Office of Civil Rights (OCR) of healthcare data breaches affecting fewer than 500 individuals is early this year. Reports of small data breaches may be submitted to OCR annually, usually on March 1st, but because 2024 is a leap year, the reports are due on or before Thursday, February 29th ...

By: Margaret Young Levi

On September 15, 2021, the Federal Trade Commission (FTC) issued a Policy Statement cautioning that health apps and connected devices that collect or use consumers’ health information must comply with the Health Breach Notification Rule and notify consumers when their health data is breached.

The Health Breach ...

On 9/30/2021, HHS Office for Civil Rights issued guidance on when HIPAA applies and does not apply to COVID-19 vaccine information. Generally, HIPAA applies to disclosures of protected health information by HIPAA covered entities and not to requests for such information by such entities or other businesses. Accordingly, HIPAA does not prohibit ...

The U.S. Department of Health & Human Services, Office of Civil Rights (OCR) entered into a settlement with Presence Health Network relating to its failure to provide timely notification of a breach of unsecured protected health information under the Health Insurance Portability & Accountability Act (HIPAA). OCR data breach settlements ...

The United States Court for the Eleventh Circuit granted LabMD's motion to stay enforcement of the FTC's Final Order, holding that there was no proof that LabMD’s failure in securing the privacy of the patient data at issue caused injury or harm or that it was “likely to cause” injury or harm.

On July 29, 2016, the Federal Trade Commission (FTC) made the latest move in its battle with LabMD, Inc. (LabMD) when it reversed an initial decision by an administrative law judge (ALJ).  The FTC determined that LabMD’s data security practices constitute an unfair act or practice within the meaning of Section 5 of the Federal Trade Commission Act.  ...

Earlier this week, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced two multimillion-dollar settlements relating to “potential” privacy and security violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  Both settlements stem from the entity’s reports to OCR ...

UPDATE: Senate Bill 23 did not become law during the 2016 Kentucky Legislative Session. The bill was passed unanimously by the Senate. It was then sent to the House, where it was read twice and amended, but never read for the third and final time.


Overview

The Commonwealth of Kentucky’s General Assembly is considering a bill which would permit parents ...

As of February 5, 2016, a change in the law allows certain health care providers to report the identity of an individual who is prohibited from possessing a firearm for mental health reasons to the National Instant Criminal Background Check System (“NICS”).  The Department of Health & Human Services (“HHS”) amended the Health Insurance ...

The FTC's Chief Administrative Law Judge dismisses the FTC's Complaint against LabMD, holding, in sum, that the FTC failed to prove that the alleged security incidents “caused or is likely to cause substantial injury to consumers.”

The U.S. Department for Health & Human Services’ Office of Inspector General (OIG) has conducted two recent studies calling for tighter enforcement of the Privacy and Security Rules under the Health Insurance Portability and Accountability Act (HIPAA).

OCR Should Strengthen Its Oversight of Covered Entities' Compliance With the HIPAA ...

The Centers for Medicare & Medicaid Services (“CMS”) proposed Meaningful Use criteria to implement Stage 3 and allow eligible professionals, eligible hospitals and critical access hospitals (“CAHs”) to qualify for incentive payments (or avoid downward payment adjustments) under the Medicare and Medicaid Electronic Health ...

The Centers for Medicare & Medicaid Services (CMS) reminds hospitals that 2015 is the last year for eligible hospitals to begin participating in the Medicare Electronic Health Record (EHR) Incentive Program and earn incentive payments.

In order to earn a 2015 incentive payment, be eligible for a 2016 incentive payment, and avoid a 2016 payment ...

On January 27, 2015, the Federal Trade Commission (FTC) released a staff report entitled “Internet of Things: Privacy & Security in a Connected World.” This report suggests steps businesses can take to protect consumers’ privacy and security as they use objects that connect and send data to the Internet.

The FTC Staff Report defines the ...

On January 29, 2015, Centers for Medicare & Medicaid Services (CMS) announced its intent to make changes to the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs beginning in 2015, which aim to “help to reduce the reporting burden on providers.”

Providers have expressed concerns about the EHR Incentive Programs ...

Under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act), eligible hospitals and critical access hospitals and eligible professionals must make a “meaningful use” of “certified electronic health technology” or face reductions in Medicare reimbursement. Conducting or reviewing a security ...

On November 24, 2014, CMS announced a one-month extension of the deadline for eligible hospitals and Critical Access Hospitals (CAHs) to attest to meaningful use for the Medicare Electronic Health Record (EHR) Incentive Program 2014 reporting year. Medicare eligible hospitals must attest to meeting meaningful use requirements each year ...

The U.S. Food & Drug Administration (FDA) has issued guidance setting forth its current thinking on issues related to cybersecurity of medical devices.

Because medical devices increasingly store or transmit sensitive patient health information, there are increased security risks of unauthorized access, modification, misuse or denial of ...

The final HIPAA Omnibus Rule (Omnibus Rule), published in the Federal Register on January 25, 2013, substantially increased the privacy and security responsibilities of a "business associate" of a "covered entity", as those terms are defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA)(see discussion later ...

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has issued two reports to Congress required by Section 13402(i) of the Health Information Technology for Economic and Clinical Health (HITECH) Act:

--“Annual Report to Congress on Breaches of Unsecured Protected Health Information For Calendar Years 2011 ...

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) has issued two reports to Congress required by Section 13402(i) of the Health Information Technology for Economic and Clinical Health (HITECH) Act:

• “Annual Report to Congress on Breaches of Unsecured Protected Health Information For Calendar Years 2011 and ...

In its most recent legislative session, the Kentucky General Assembly enacted two new data breach laws, HB 5 and HB 232, which go into effect July 15, 2014. Kentucky governmental agencies, those doing business with governmental agencies, and persons simply doing business in Kentucky should be aware of these added data security and breach ...

Reminder:  The deadline for Medicare eligible professionals to attest to meaningful use of certified electronic health record technology for the 2013 program year is just two weeks away.  Attestations are due on March 31, 2014 at 11:59 pm EST.  Click here for additional information about the EHR incentive program as well as to register or attest to  ...

On March 10, 2014, CMS issued Guidance on how health care providers can take advantage of hardship exceptions to the 2015 and 2016 Medicare reimbursement reductions associated with a failure to make a Meaningful Use (MU) of certified EHRs in 2014 due to EHR vendor issues. Importantly, hospitals who are new to MU must file a hardship application by April 1 ...

Update:  On April 1, 2014, President Obama signed into law the "Doc Fix" bill, Public Law 113-93, which extends the deadline for ICD-10 for an additional year.  Section 212 of this law prohibits the Secretary of Health and Human Services from adopting ICD-10 code sets prior to October 1, 2015.

Everyone is a-twitter (pun intended) about the ...

UPDATE: 2/10/2014.  On Friday 2/7/2014, CMS announced an extension until March 31, 2014 for Eligible Professionals to submit their 2013 EHR Meaningful Use (MU) attestation.  In addition, Eligible Hospitals that had trouble submitting their 2013 MU attestation may be able to retroactively submit their MU attestation to avoid the 2015 ...


By Margaret Levi and Kathie McDonald-McClure
 
As we previously reported in a blog post on September 24, 2013, an eligible professional, eligible hospital, or critical access hospital receiving an incentive payment for the meaningful use (MU) of electronic health records (EHRs) will likely be subject to a stringent audit from either Medicare ...

Even as health care providers have moved to convert from paper to electronic health records, it remains just as important to continue to protect paper health information records.  While the majority of data breaches involve mobile devices such as laptops and flash drives, a significant number of large data breaches (those affecting 500 or ...

by Margaret Young Levi and Kathie McDonald-McClure

The U.S. Department of Health & Human Services Office for Civil Rights (“OCR”) has a new acronym, “LoProCo,” relating to assessing data breaches under HIPAA, as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and the HIPAA Omnibus ...

Saturday, November 30, 2013, is the last day for hospitals and critical access hospitals (CAHs) to register and attest to receive an incentive payment for FY2013 under the Medicare Electronic Health Record (EHR) Incentive Program.  In the flurry of Thanksgiving activities, holiday travel and Black Friday shopping, don't forget to take advantage ...

NOTE: On February 18, 2010, we posted an article about what to do with paper medical records when converting to an electronic health record (EHR). To date, this has been the most popular article on the HITECH Law Blog. We decided to re-review the topic, update it, and repost it. Actually, not much has changed in the way of the law applicable to this ...

More and more, health care providers are employing laptops, tablets, smartphones and other portable electronic devices in their work. And more and more, laptops and other portable electronic devices are involved in breaches of patient data. According to the Office of Civil Rights (OCR) website, 265 (or 39%) of the 674 total data breaches ...

Late last week the Office for Civil Rights (OCR) of the United States Department of Health & Human Services (HHS) announced a delay in its enforcement of the requirement that certain laboratories revise their notices of privacy practices (NPPs). 

As we have previously posted on the HITECH Law Blog, HHS has in the works revisions to the Clinical ...

by Margaret Young Levi

Reminder: the clock is ticking for covered entities and business associates to come into compliance with new requirements under HITECH-HIPAA Omnibus Rule.  Monday, September 23, 2013 is the deadline for covered entities and business associates to put into place new Business Associate Agreements (“BAAs”).  As we ...

It has been widely reported that WellPoint Inc. recently agreed to pay a $1.7 million fine to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy and Security Rules. The U.S. Department for Health & Human Services’ (“HHS”) press release asserts that WellPoint failed to ...

Last week, the Department of Health and Human Service’s (HHS) Office of the National Coordinator for Health Information Technology (ONC) announced its new Certified HIT Mark, similar to the Good Housekeeping Seal of Approval. The Certified HIT Mark provides a way for consumers to feel confident at a glance that “the HIT meets all ...

A new bill entitled the "Electronic Health Records Improvement Act" has been introduced in the U.S. House of Representatives. Its stated purpose is to “amend certain requirements and penalties implemented under the Medicare and Medicaid programs by the HITECH Act of 2009, which would otherwise impede eligible professionals from adopting ...

The final HIPAA-HITECH Omnibus Rule (Omnibus Rule), released in January, substantially increases the privacy responsibilities of a business associate that receives protected health information, such as contractors and subcontractors.  These new requirements will need to be reflected in business associate agreements (BAAs) between the ...

by Ann F. Triebsch

Friday, March 1, is the deadline for HIPAA covered entities to report to HHS small breaches of unsecured protected health information that occurred in 2012.  A small breach includes less than 500 individuals.  Affected individuals must be notified within 60 days of the breach’s discovery, but the breach also must be reported ...

The deadline is fast approaching for eligible professionals (“EPs”) to file attestations to receive electronic health record (“EHR”) incentives available under Medicare’s Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”).

To receive an EHR incentive payment, EPs, such as physicians ...

“Rumor has it” that the long-awaited HIPAA-HITECH Omnibus Rule under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) will be released the week of January 21st or 28th. While similar rumors have abounded for many months, this one may have some merit.

It is reasonable to expect the Office of Management ...

Earlier today we predicted the long-awaited HIPAA-HITECH Omnibus Rule under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) would soon be released--and we were correct! 

Today the U.S. Department for Health & Human Services (HHS) issued a press release announcing the Rule would be as published on ...

On December 7, 2012, the Office of the National Coordinator for Health Information Technology (ONC) and Centers for Medicare & Medicaid Services (CMS) published an interim final rule with comment period to make revisions to the 2014 Edition Electronic Health Record (EHR) and revisions to the EHR Incentive Program.  Specifically, this rule will:

    Stage 2 of Meaningful Use under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) requires providers who want the HITECH Act's EHR incentive payments to ensure that at least some patients are engaged and are actually using their electronic health records (EHRs).  The Final Rule for the Stage 2 ...

    First, the Centers for Medicare & Medicaid Services (CMS) released the long-awaited final rule to govern Stage 2 of the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs. The rule specifies the Stage 2 criteria that eligible professionals (EPs), eligible hospitals, and critical access hospitals (CAHs) must meet in order ...

    The promised audits have begun for providers receiving electronic health records (EHR) incentives available under the Health Information Technology for Economic and Clinical Health (HITECH) Act. 

    In order to receive Medicare EHR incentive payments, providers must attest to CMS that they meet Meaningful Use (MU) criteria using certified ...

    In our November 2011 blog post, we told you about the launch of HIPAA privacy and security audits mandated by Section 13411 of the Health Information Technology for Economic and Clinical Health Act (HITECH Act). KPMG, Inc. was awarded the contract to develop the audit protocol and conduct these audits last fall and, on March 1, 2012, completed its ...

    The Office of the National Coordinator for Health Information Technology (ONCHIT) recently released a 47-page Guide to Privacy and Security of Health Information.  The Guide provides direction to providers on protecting patient privacy and securing their health information in an electronic health record (EHR) for purposes of complying with ...

    The deadline is quickly approaching for mandatory data breach reporting to the United States Department of Health & Human Services (HHS) under the Health Information Technology for Economic and Clinical Health Act (HITECH Act).  Covered entities must report data breaches involving less than 500 individuals to HHS within 60 days following ...

    On November 30, 2011, U.S. Department of Health and Human Services (HHS) Secretary Kathleen Sebelius issued a press release announcing proposed steps to encourage physicians and hospitals to adopt electronic health records (EHRs) this year and receive incentive payments made available under the Health Information Technology for Economic ...

    Section 13411 of the Health Information Technology for Economic and Clinical Health Act (HITECH Act) requires the United States Department of Health & Human Services (HHS) to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification ...

    The Centers for Medicare and Medicaid Services (CMS) announced today, October 20, 2011, that the use of certified electronic health records (EHRs) will be the highest-weighted quality measure for an Accountable Care Organization (ACO) under the new Medicare Shared Savings Program.

    ACOs are designed to encourage primary care doctors ...

    After the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, the interest in storing and accessing health information online increased, prompting increased concerns about the privacy and security of such information.  In September 2011, the Office of the National Coordinator for Health ...

    SUMMARY:  In June 2011, the United States Department of Health & Human Services (HHS) Office of Civil Rights (OCR) contracted for new periodic audits of covered entities and business associates to ensure compliance with the Privacy and Security Standards found in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as ...
