HITECH Law

By: Courtney Samford, contributing author Blake Sims, Wyatt Summer Associate

Employers commonly supply computer and work devices to employees and state that the electronics may only be used for business related purposes, and employers have always had the ability to discipline employees who violate computer use policies through improper ...

By Lindsay K. Scott

Following expansion by the Department of Human Health Services’ Office for Civil Rights (“OCR”) and the Centers for Medicare and Medicaid Services (“CMS”) of federal telehealth services and relaxation of certain requirements, Kentucky Medicaid is following suit.

On March 17, 2020, the Centers for Medicare and ...

On March 17, 2020, the Office for Civil Rights ("OCR"), the agency within the Department of the United States Health & Human Services ("HHS") responsible for enforcement of HIPAA, issued the following guidance: "Notification of Enforcement Discretion for telehealth remote communications during the COVID-19 nationwide public health ...

By Margaret Young Levi and Kathie McDonald-McClure

Among the many mandates of the Affordable Care Act (ACA) (a/k/a “Obama Care”) still in force today is Section 1557. Section 1557 prohibits discrimination on the basis of race, color, national origin, sex, age, or disability in certain health programs or activities. The U.S ...

By Kathie McDonald-McClure

We recently posted an article about Tennessee's amendment to its data breach notification law.  This amendment has drawn much attention among cyber security professionals and corporate general counsel across the country.  As Jennifer Williams-Alvarez reported in her article for Corporate Counsel magazine

By Kathie McDonald-McClure and Matt San Roman

On March 24, 2016, Tennessee Governor Bill Haslam signed into law SB2005 as amended by SA0618, revising the Tennessee Identity Theft Deterrence Act of 1999, currently codified at T. C. A. § 47-18-2101, et seq.  Under the revised law, organizations subject to the law that experience a data breach will ...

On Friday, February 26, 2016, the Office of the National Coordinator (ONC) for Health Information Technology (HIT) announced via a blog post, that ONC will be updating the Model Privacy Notice (MPN) that, in 2011, ONC developed in concert with the Federal Trade Commission (FTC) for "personal health records" (PHRs), which was the emerging ...

Wyatt will be sponsoring the Kentucky Chamber of Commerce's Cyber Security and Data Protection Seminar on December 17, 2015 in Lexington, Kentucky.  Kathie McDonald-McClure, Dayo Seton, Lisa Underwood and Martha Ziskind will be presenting on the following topics:

• Kathie McDonald-McClure - "Is Your Cybersecurity Policy Up to Snuff? Do ...

The Centers for Medicare & Medicaid Services (“CMS”) proposed Meaningful Use criteria to implement Stage 3 and allow eligible professionals, eligible hospitals and critical access hospitals (“CAHs”) to qualify for incentive payments (or avoid downward payment adjustments) under the Medicare and Medicaid Electronic Health ...

The Centers for Medicare & Medicaid Services (CMS) reminds hospitals that 2015 is the last year for eligible hospitals to begin participating in the Medicare Electronic Health Record (EHR) Incentive Program and earn incentive payments.

In order to earn a 2015 incentive payment, be eligible for a 2016 incentive payment, and avoid a 2016 payment ...

On January 29, 2015, Centers for Medicare & Medicaid Services (CMS) announced its intent to make changes to the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs beginning in 2015, which aim to “help to reduce the reporting burden on providers.”

Providers have expressed concerns about the EHR Incentive Programs ...

On January 22, 2015, the Centers for Medicare and Medicaid Services (CMS) updated previously posted FAQ No. 11666 to help guide providers who are striving to meet Stage 2 Meaningful Use criteria under the Medicare and Medicaid EHR Incentive Programs implemented by the Health Information Technology for Economic and Clinical Health (HITECH) Act ...

Under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act), eligible hospitals and critical access hospitals and eligible professionals must make a “meaningful use” of “certified electronic health technology” or face reductions in Medicare reimbursement. Conducting or reviewing a security ...

On November 24, 2014, CMS announced a one-month extension of the deadline for eligible hospitals and Critical Access Hospitals (CAHs) to attest to meaningful use for the Medicare Electronic Health Record (EHR) Incentive Program 2014 reporting year. Medicare eligible hospitals must attest to meeting meaningful use requirements each year ...

The U.S. Food & Drug Administration (FDA) has issued guidance setting forth its current thinking on issues related to cybersecurity of medical devices.

Because medical devices increasingly store or transmit sensitive patient health information, there are increased security risks of unauthorized access, modification, misuse or denial of ...

The final HIPAA Omnibus Rule (Omnibus Rule), published in the Federal Register on January 25, 2013, substantially increased the privacy and security responsibilities of a "business associate" of a "covered entity", as those terms are defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA)(see discussion later ...

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has issued two reports to Congress required by Section 13402(i) of the Health Information Technology for Economic and Clinical Health (HITECH) Act:

--“Annual Report to Congress on Breaches of Unsecured Protected Health Information For Calendar Years 2011 ...

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) has issued two reports to Congress required by Section 13402(i) of the Health Information Technology for Economic and Clinical Health (HITECH) Act:

• “Annual Report to Congress on Breaches of Unsecured Protected Health Information For Calendar Years 2011 and ...

In its most recent legislative session, the Kentucky General Assembly enacted two new data breach laws, HB 5 and HB 232, which go into effect July 15, 2014. Kentucky governmental agencies, those doing business with governmental agencies, and persons simply doing business in Kentucky should be aware of these added data security and breach ...

Updated May 1, 2014 at 5:30 pm

The old weather proverb about March, in like a lion and out like a lamb, hit April in the reverse in the world of cyber security.  While the first six days of April seemed relatively calm in the cyber world, on Monday, April 7, 2014, the Heartbleed flaw in encryption security was announced (see our previous post here).  ...

Under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act), eligible hospitals and critical access hospitals must make a "meaningful use" of "certified electronic health technology" or face reductions in Medicare reimbursement during Medicare's 2015 fiscal year (which begins October 1, 2014).  One of ...

Saturday, March 1, 2014, is the deadline for entities covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to report to the U.S. Department of Health & Human Services Office for Civil Rights (OCR) all "small breaches" of unsecured protected health information that occurred during 2013.  Entities subject to this ...

Update:  On April 1, 2014, President Obama signed into law the "Doc Fix" bill, Public Law 113-93, which extends the deadline for ICD-10 for an additional year.  Section 212 of this law prohibits the Secretary of Health and Human Services from adopting ICD-10 code sets prior to October 1, 2015.

Everyone is a-twitter (pun intended) about the ...

The Puerto Rico Health Insurance Administration has fined Triple-S Salud Inc. (TSS) $6.8 million for failure to safeguard Medicare beneficiary numbers. This far exceeds any fine imposed by or settlement reached by the United States Office of Civil Rights to date for HIPAA data breaches. How did the fine reach such a staggering amount? What ...

by Ann F. Triebsch

As observers of data security enforcement are aware, the Federal Trade Commission (FTC) determined on January 16, 2014, that even entities that are already subject to the privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA) are also subject to FTC jurisdiction and ...

On Friday, February 7, 2014, the Centers for Medicare and Medicaid Services (CMS) announced an extension until 11:59 pm on March 31, 2014 for Eligible Professionals to submit their 2013 EHR Meaningful Use (MU) attestation.  In addition, Eligible Hospitals that had trouble submitting their 2013 MU attestation may be able to retroactively ...

By Ann Triebsch and Kathie McDonald-McClure

Following our blog post on December 11, 2013 about Part One of a report from the Office of the Inspector General for the United States Department of Health and Human Services (OIG) about fraud safeguards in electronic health records (EHRs), the OIG recently issued Part Two of its report.  Dated January ...

On Friday, February 7, 2014, the Centers for Medicare and Medicaid Services (CMS) announced an extension until 11:59 pm on March 31, 2014 for Eligible Professionals to submit their 2013 EHR Meaningful Use (MU) attestation.  In addition, Eligible Hospitals that had trouble submitting their 2013 MU attestation may be able to retroactively ...

by Kathie McDonald-McClure and Elizabeth O'Keeffe

As we have previously reported on the Wyatt HITECH Law blog on September 14, 2013 and September 23, 2011, the Department of Health and Human Services (HHS) has had in the works, for over two years now, revisions to the Clinical Laboratory Improvement Act of 1988 (CLIA) regulations concerning whether ...

by Margaret Young Levi and Roz Cordini

Amidst concerns that physicians and other providers are slow to adopt electronic health record (EHR) systems and be "meaningful users" of health information technology, just before the New Year, the federal government extended two programs that permit hospitals and other health care providers as well ...

by Dan Soldato

Data breaches, particularly of consumer information and other private information, are becoming an increasing public concern and a headline in the daily news.  We regularly hear about incidents in which electronically stored customer information is lost by or stolen from businesses, including health care companies ...

Welcome to our newest contributing author, Elizabeth O'Keeffe, who prepared the following post

E-health, e-patients, social media, telehealth, telemedicine, mobile health care – what does it all mean to you as a patient?  As an employee?  As a CEO?  “Telehealth” is booming and could substantially disrupt the old-fashioned health care ...

Those who dwell in the world of health care privacy and security know well that the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) is the federal agency that issues the regulations, provides guidance and ultimately enforces the complex requirements of the Health Insurance Portability and Accountability Act ...

UPDATE: 2/10/2014.  On Friday 2/7/2014, CMS announced an extension until March 31, 2014 for Eligible Professionals to submit their 2013 EHR Meaningful Use (MU) attestation.  In addition, Eligible Hospitals that had trouble submitting their 2013 MU attestation may be able to retroactively submit their MU attestation to avoid the 2015 ...

On December 10, 2013, the Office of Inspector General for the United States Department of Health & Human Services (OIG) issued a report finding that hospital implementation of fraud safeguards in electronic health records (EHRs) falls short of the recommended standards. The report carries out one of the OIG's 2013 Work Plan objectives ...

On Friday, November 6, 2013, the Centers for Medicare & Medicaid Services (CMS) and the Office of National Coordinator of Health Information Technology (ONC) announced its proposal to extend the timeline by which eligible healthcare providers must demonstrate a "meaningful use" (MU) of a certified electronic health record (EHR) in ...

By Margaret Levi and Kathie McDonald-McClure
 
As we previously reported in a blog post on September 24, 2013, an eligible professional, eligible hospital, or critical access hospital receiving an incentive payment for the meaningful use (MU) of electronic health records (EHRs) will likely be subject to a stringent audit from either Medicare ...

Even as health care providers have moved to convert from paper to electronic health records, it remains just as important to continue to protect paper health information records.  While the majority of data breaches involve mobile devices such as laptops and flash drives, a significant number of large data breaches (those affecting 500 or ...

by Margaret Young Levi and Kathie McDonald-McClure

The U.S. Department of Health & Human Services Office for Civil Rights (“OCR”) has a new acronym, “LoProCo,” relating to assessing data breaches under HIPAA, as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and the HIPAA Omnibus ...

Saturday, November 30, 2013, is the last day for hospitals and critical access hospitals (CAHs) to register and attest to receive an incentive payment for FY2013 under the Medicare Electronic Health Record (EHR) Incentive Program.  In the flurry of Thanksgiving activities, holiday travel and Black Friday shopping, don't forget to take advantage ...

by Ann F. Triebsch

As we indicated in a posting last October and in a more recent August post , audits are now underway to verify that providers who received incentive monies from the Centers for Medicare and Medicaid Services (CMS) under the Health Information Technology for Economic and Clinical Health (HITECH) Act for implementation of a ...

More and more, health care providers are employing laptops, tablets, smartphones and other portable electronic devices in their work. And more and more, laptops and other portable electronic devices are involved in breaches of patient data. According to the Office of Civil Rights (OCR) website, 265 (or 39%) of the 674 total data breaches ...

Late last week the Office for Civil Rights (OCR) of the United States Department of Health & Human Services (HHS) announced a delay in its enforcement of the requirement that certain laboratories revise their notices of privacy practices (NPPs). 

As we have previously posted on the HITECH Law Blog, HHS has in the works revisions to the Clinical ...

by Ann F. Triebsch

We’ve all heard about HIPAA privacy breaches until we think there couldn’t be anything else to worry about. Think again—the Federal Trade Commission (FTC) is prosecuting privacy breaches in the health care industry as a violation of Section 5 of the FTC Act. The Department of Health and Human Services (HHS) Office of ...

by Margaret Young Levi

Reminder: the clock is ticking for covered entities and business associates to come into compliance with new requirements under HITECH-HIPAA Omnibus Rule.  Monday, September 23, 2013 is the deadline for covered entities and business associates to put into place new Business Associate Agreements (“BAAs”).  As we ...

It has been widely reported that WellPoint Inc. recently agreed to pay a $1.7 million fine to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy and Security Rules. The U.S. Department for Health & Human Services’ (“HHS”) press release asserts that WellPoint failed to ...

Last week, the Department of Health and Human Service’s (HHS) Office of the National Coordinator for Health Information Technology (ONC) announced its new Certified HIT Mark, similar to the Good Housekeeping Seal of Approval. The Certified HIT Mark provides a way for consumers to feel confident at a glance that “the HIT meets all ...

The U.S. Department for Health & Human Services (HHS) announced it is releasing technical corrections to the HIPAA Omnibus Rule tomorrow. These technical corrections are "to address public comment received on the interim final Breach Notification Rule, and to make certain other modifications to the HIPAA Rules to improve their workability ...

On Friday, May 3, 2013, the Centers for Medicare and Medicaid Services (CMS) and the Office of National Coordinator of Health Information Technology (ONC) jointly hosted a listen and learn webcast about the impact of EHRs on coding and billing. Look for HITECHMcClure on Twitter for comments from the panelists.  Materials used during the session ...

Kentucky Health Information Exchange (KHIE) sends out alert on Thursday, April 18, 2013, indicating that it will accept applications from 13 providers who are seeking financial assistance to qualify for the HITECH Act's Meaningful Use incentive payments.

Read more

Here's the content of the KHIE alert:

Application for CeRT Early Adopter License

by Ann F. Triebsch

The anti-kickback “safe harbor” allowing hospitals to donate electronic health record ("EHR") equipment to physicians who may refer patients to their facility is set to expire on December 31, 2013, but efforts have begun to have the safe harbor extended. The safe harbor, created in 2006, allows hospitals to donate EHR and ...

A new bill entitled the "Electronic Health Records Improvement Act" has been introduced in the U.S. House of Representatives. Its stated purpose is to “amend certain requirements and penalties implemented under the Medicare and Medicaid programs by the HITECH Act of 2009, which would otherwise impede eligible professionals from adopting ...

The final HIPAA-HITECH Omnibus Rule (Omnibus Rule), released in January, substantially increases the privacy responsibilities of a business associate that receives protected health information, such as contractors and subcontractors.  These new requirements will need to be reflected in business associate agreements (BAAs) between the ...

by Ann F. Triebsch

Friday, March 1, is the deadline for HIPAA covered entities to report to HHS small breaches of unsecured protected health information that occurred in 2012.  A small breach includes less than 500 individuals.  Affected individuals must be notified within 60 days of the breach’s discovery, but the breach also must be reported ...

The deadline is fast approaching for eligible professionals (“EPs”) to file attestations to receive electronic health record (“EHR") incentives available under Medicare’s Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”). 

To receive an EHR incentive payment, EPs, such as physicians ...

by Ann F. Triebsch

(Updated January 27, 2013)

On January 17, 2013, the Department of Health & Human Services (HHS), Office for Civil Rights (OCR), released the final HIPAA Omnibus Rule (Omnibus Rule) implementing the HITECH Act of 2009 and the Genetic Information Nondiscrimination Act of 2008 (GINA). The Omnibus Rule greatly enhances a ...

“Rumor has it” that the long-awaited HIPAA-HITECH Omnibus Rule under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) will be released the week of January 21st or 28th. While similar rumors have abounded for many months, this one may have some merit.

It is reasonable to expect the Office of Management ...

Earlier today we predicted the long-awaited HIPAA-HITECH Omnibus Rule under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) would soon be released--and we were correct! 

Today the U.S. Department for Health & Human Services (HHS) issued a press release announcing the Rule would be as published on ...

by Ann F. Triebsch

 The HHS OIG released a report on November 28, 2012, assessing CMS’ first-year performance in overseeing the Medicare EHR Incentive Program.   The OIG did not give CMS high marks, but its primary recommended solution is being rejected, as it may have done more harm than good under the circumstances.   

 Self-Reporting ...

On December 7, 2012, the Office of the National Coordinator for Health Information Technology (ONC) and Centers for Medicare & Medicaid Services (CMS) published an interim final rule with comment period to make revisions to the 2014 Edition Electronic Health Record (EHR) and revisions to the EHR Incentive Program.  Specifically, this rule will:

by Ann Triebsch

The 2013 Work Plan released October 2, 2012, by the HHS Office of the Inspector General (OIG), demonstrates that even the health care industry’s brand-new electronic health records (EHR) initiative is already under scrutiny for potentially abusive and erroneous practices by some providers.  The Work Plan lists three ...

Stage 2 of Meaningful Use under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) requires providers who want the HITECH Act's EHR incentive payments to ensure that at least some patients are engaged and are actually using their electronic health records (EHRs).  The Final Rule for the Stage 2 ...

On Thursday, October 4, 2012, in a letter to Secretary Sebelius of the United States Department of Health & Human Services (HHS), the United States House GOP called on HHS to suspend incentive payments for the adoption and implementation of electronic health records (EHRs) otherwise authorized under the Health Information Technology for ...

The promised audits have begun for providers receiving electronic health records (EHR) incentives available under the Health Information Technology for Economic and Clinical Health (HITECH) Act. 

In order to receive Medicare EHR incentive payments, providers must attest to CMS that they meet Meaningful Use (MU) criteria using certified ...

On June 22, 2012, the Office of Management and Budget (OMB) announced that it was delaying release of the HIPAA Omnibus Final Rule (HIPAA Rule) under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) from a projected early July date, to a future unspecified date.  

The much-anticipated HIPAA Rule contains ...

In our November 2011 blog post, we told you about the launch of HIPAA privacy and security audits mandated by Section 13411 of the Health Information Technology for Economic and Clinical Health Act (HITECH Act). KMPG, Inc. was awarded the contract to develop the audit protocol and conduct these audits last fall and, on March 1, 2012, completed its ...

The Office of the National Coordinator for Health Information Technology (ONCHIT) recently released a 47-page Guide to Privacy and Security of Health Information.  The Guide provides direction to providers on protecting patient privacy and securing their health information in an electronic health record (EHR) for purposes of complying with ...

On Thursday, February 23, 2012, the Centers for Medicare and Medicaid Services (CMS), pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, released a 455-page Proposed Rule specifying the Stage 2 criteria that eligible professionals (EPs), eligible hospitals and critical access hospitals ...

The deadline is quickly approaching for mandatory data breach reporting to the United States Department of Health & Human Services (HHS) under the Health Information Technology for Economic and Clinical Health Act (HITECH Act).  Covered entities must report data breaches involving less than 500 individuals to HHS within 60 days following ...

On November 30, 2011, U.S. Department of Health and Human Services (HHS) Secretary Kathleen Sebelius issued a press release announcing proposed steps to encourage physicians and hospitals to adopt electronic health records (EHRs) this year and receive incentive payments made available under the Health Information Technology for Economic ...

Section 13411 of the the Health Information Technology for Economic and Clinical Health Act (HITECH Act) requires United States Department of Health & Human Services (HHS) to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification ...

The Centers for Medicare and Medicaid Services (CMS) announced today, October 20, 2011, that the use of certified electronic health records (EHRs) will be the highest-weighted quality measure for an Accountable Care Organization (ACO) under the new Medicare Shared Savings Program.

ACOs are designed to encourage primary care doctors ...

In an article titled, "Use of electronic communications with patients," posted to this blog on December 18, 2009, I discussed the stated goal under the Health Information Technology for Economic and Clinical Health (HITECH) Act  to “[p]rovide patients and families with timely access to data, knowledge, and tools to make informed decisions and ...

After the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, the interest in storing and accessing health information online increased, prompting increased concerns about the privacy and security of such information.  In September 2011, the Office of the National Coordinator for Health ...

On September 12, 2011, the Office of National Coordinator (ONC) for the United States Department of Health & Human Services (HHS) announced a Proposed Rule that will enable direct access to laboratory test results by patients.  Under the Clinical Laboratory Improvement Amendments of 1988 (CLIA), laboratories must hold a CLIA certificate ...

On September 6 and 7, 2011, the Kentucky Governor's Office of Electronic Health Information hosted the 4th annual Kentucky eHealth Summit at the METS Center, 3861 Olympic Boulevard, Erlanger, KY 41018 in northern Kentucky.  

Farzad Mostashari, MD, ScM, the National Coordinator for Health Information Technology for the United States ...