By Margaret Young Levi and Kathie McDonald-McClure
Among the many mandates of the Affordable Care Act (ACA) (a/k/a “Obama Care”) still in force today is Section 1557. Section 1557 prohibits discrimination on the basis of race, color, national origin, sex, age, or disability in certain health programs or activities. The U.S ...
The Federal Trade Commission (FTC) Bureau of Consumer Protection released a study this month (March 2017) indicating that business entities could be doing more to stop malicious emails from hitting the inboxes of employees. The goal behind many malicious emails is to trick individuals into turning over either their own confidential ...
Wyatt Tarrant & Combs, LLP is sponsoring the Kentucky Chamber’s Cyber Security and Data Privacy seminar on Tuesday, February 28, 2017, at the Griffin Gate Marriott Resort in Lexington, Kentucky. We’ve put together a terrific panel of presenters, including, among others, representatives of Homeland Security and Crowdstrike, the firm ...
The U.S. Department of Health & Human Services, Office of Civil Rights (OCR) entered into a settlement with Presence Health Network relating to its failure to provide timely notification of a breach of unsecured protected health information under the Health Insurance Portability & Accountability Act (HIPAA). OCR data breach settlements ...
On July 29, 2016, the Federal Trade Commission (FTC) made the latest move in its battle with LabMD, Inc. (LabMD) when it reversed an initial decision by an administrative law judge (ALJ). The FTC determined that LabMD’s data security practices constitute an unfair act or practice within the meaning of Section 5 of the Federal Trade Commission Act. ...
Kathie McDonald-McClure and Matt San Roman, members of Wyatt’s Data Privacy & Security Service Team, were recently interviewed for Corporate Counsel magazine. The article, “Tennessee Enacted the Toughest Data Breach Law Yet,” addresses the new amendment to the Tennessee Identity Theft Deterrence Act of 1999. The amendment, among ...
We recently posted an article about Tennessee's amendment to its data breach notification law. This amendment has drawn much attention among cyber security professionals and corporate general counsel across the country. As Jennifer Williams-Alvarez reported in her article for Corporate Counsel magazine
Earlier this week, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced two, multimillion dollar settlements relating to “potential” privacy and security violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Both settlements stem from the entity’s reports to OCR ...
As the April 15th tax filing deadline draws near, cybercrime related to filing fraudulent tax returns to obtain tax refunds has picked up. On March 1, 2016, the United States Internal Revenue Service (IRS) issued an Alert for Payroll & HR Professionals on scam emails that attempt to trick company personnel into turning over employee W-2s ...
UPDATE: Senate Bill 23 did not become law during the 2016 Kentucky Legislative Session. The bill was passed unanimously by the Senate. It was then sent to the House, where it was read twice and amended, but never read for the third and final time.
Overview
The Commonwealth of Kentucky’s General Assembly is considering a bill which would permit parents ...
As of February 5, 2016, a change in the law allows certain health care providers to report the identity of an individual who is prohibited from possessing a firearm for mental health reasons to the National Instant Criminal Background Check System (“NICS”). The Department of Health & Human Services (“HHS”) amended the Health Insurance ...
On January 27, 2015, the Federal Trade Commission (FTC) released a staff report entitled “Internet of Things: Privacy & Security in a Connected World.” This report suggests steps businesses can take to protect consumers’ privacy and security as they use objects that connect and send data to the Internet.
The FTC Staff Report defines the ...
The U.S. Food & Drug Administration (FDA) has issued guidance setting forth its current thinking on issues related to cybersecurity of medical devices.
Because medical devices increasingly store or transmit sensitive patient health information, there are increased security risks of unauthorized access, modification, misuse or denial of ...
The final HIPAA Omnibus Rule (Omnibus Rule), published in the Federal Register on January 25, 2013, substantially increased the privacy and security responsibilities of a "business associate" of a "covered entity", as those terms are defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (see discussion later ...
In its most recent legislative session, the Kentucky General Assembly enacted two new data breach laws, HB 5 and HB 232, which go into effect July 15, 2014. Kentucky governmental agencies, those doing business with governmental agencies, and persons simply doing business in Kentucky should be aware of these added data security and breach ...
by Ann F. Triebsch
As observers of data security enforcement are aware, the Federal Trade Commission (FTC) determined on January 16, 2014, that even entities that are already subject to the privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA) are also subject to FTC jurisdiction and ...
Those who dwell in the world of health care privacy and security know well that the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) is the federal agency that issues the regulations, provides guidance and ultimately enforces the complex requirements of the Health Insurance Portability and Accountability Act ...
Even as health care providers have moved to convert from paper to electronic health records, it remains just as important to continue to protect paper health information records. While the majority of data breaches involve mobile devices such as laptops and flash drives, a significant number of large data breaches (those affecting 500 or ...
by Margaret Young Levi and Kathie McDonald-McClure
The U.S. Department of Health & Human Services Office for Civil Rights (“OCR”) has a new acronym, “LoProCo,” relating to assessing data breaches under HIPAA, as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and the HIPAA Omnibus ...
NOTE: On February 18, 2010, we posted an article about what to do with paper medical records when converting to an electronic health record (EHR). To date, this has been the most popular article on the HITECH Law Blog. We decided to re-review the topic, update it, and repost it. Actually, not much has changed in the way of the law applicable to this ...
Late last week the Office for Civil Rights (OCR) of the United States Department of Health & Human Services (HHS) announced a delay in its enforcement of the requirement that certain laboratories revise their notices of privacy practices (NPPs).
As we have previously posted on the HITECH Law Blog, HHS has in the works revisions to the Clinical ...
by Ann F. Triebsch
We’ve all heard about HIPAA privacy breaches until we think there couldn’t be anything else to worry about. Think again—the Federal Trade Commission (FTC) is prosecuting privacy breaches in the health care industry as a violation of Section 5 of the FTC Act. The Department of Health and Human Services (HHS) Office of ...
by Margaret Young Levi
Reminder: the clock is ticking for covered entities and business associates to come into compliance with new requirements under HITECH-HIPAA Omnibus Rule. Monday, September 23, 2013 is the deadline for covered entities and business associates to put into place new Business Associate Agreements (“BAAs”). As we ...
It has been widely reported that WellPoint Inc. recently agreed to pay a $1.7 million fine to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy and Security Rules. The U.S. Department for Health & Human Services’ (“HHS”) press release asserts that WellPoint failed to ...
The U.S. Department for Health & Human Services (HHS) announced it is releasing technical corrections to the HIPAA Omnibus Rule tomorrow. These technical corrections are "to address public comment received on the interim final Breach Notification Rule, and to make certain other modifications to the HIPAA Rules to improve their workability ...
The final HIPAA-HITECH Omnibus Rule (Omnibus Rule), released in January, substantially increases the privacy responsibilities of a business associate that receives protected health information, such as contractors and subcontractors. These new requirements will need to be reflected in business associate agreements (BAAs) between the ...
by Ann F. Triebsch
Friday, March 1, is the deadline for HIPAA covered entities to report to HHS small breaches of unsecured protected health information that occurred in 2012. A small breach includes less than 500 individuals. Affected individuals must be notified within 60 days of the breach’s discovery, but the breach also must be reported ...
by Ann F. Triebsch
(Updated January 27, 2013)
On January 17, 2013, the Department of Health & Human Services (HHS), Office for Civil Rights (OCR), released the final HIPAA Omnibus Rule (Omnibus Rule) implementing the HITECH Act of 2009 and the Genetic Information Nondiscrimination Act of 2008 (GINA). The Omnibus Rule greatly enhances a ...
“Rumor has it” that the long-awaited HIPAA-HITECH Omnibus Rule under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) will be released the week of January 21st or 28th. While similar rumors have abounded for many months, this one may have some merit.
It is reasonable to expect the Office of Management ...
The promised audits have begun for providers receiving electronic health records (EHR) incentives available under the Health Information Technology for Economic and Clinical Health (HITECH) Act.
In order to receive Medicare EHR incentive payments, providers must attest to CMS that they meet Meaningful Use (MU) criteria using certified ...
On June 22, 2012, the Office of Management and Budget (OMB) announced that it was delaying release of the HIPAA Omnibus Final Rule (HIPAA Rule) under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) from a projected early July date, to a future unspecified date.
The much-anticipated HIPAA Rule contains ...
In our November 2011 blog post, we told you about the launch of HIPAA privacy and security audits mandated by Section 13411 of the Health Information Technology for Economic and Clinical Health Act (HITECH Act). KPMG, Inc. was awarded the contract to develop the audit protocol and conduct these audits last fall and, on March 1, 2012, completed its ...
The Office of the National Coordinator for Health Information Technology (ONCHIT) recently released a 47-page Guide to Privacy and Security of Health Information. The Guide provides direction to providers on protecting patient privacy and securing their health information in an electronic health record (EHR) for purposes of complying with ...
The deadline is quickly approaching for mandatory data breach reporting to the United States Department of Health & Human Services (HHS) under the Health Information Technology for Economic and Clinical Health Act (HITECH Act). Covered entities must report data breaches involving less than 500 individuals to HHS within 60 days following ...
Section 13411 of the Health Information Technology for Economic and Clinical Health Act (HITECH Act) requires the United States Department of Health & Human Services (HHS) to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification ...
After the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, the interest in storing and accessing health information online increased, prompting increased concerns about the privacy and security of such information. In September 2011, the Office of the National Coordinator for Health ...
On September 12, 2011, the Office of National Coordinator (ONC) for the United States Department of Health & Human Services (HHS) announced a Proposed Rule that will enable direct access to laboratory test results by patients. Under the Clinical Laboratory Improvement Amendments of 1988 (CLIA), laboratories must hold a CLIA certificate ...
SUMMARY: In June 2011, the United States Department of Health & Human Services (HHS) Office of Civil Rights (OCR) contracted for new periodic audits of covered entities and business associates to ensure compliance with the Privacy and Security Standards found in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as ...
Update: In a voice vote today, December 7, 2010, the House passed the Red Flag Program Clarification Act of 2010. The Act now goes to President Obama for signing.
On November 30, 2010, the U.S. Senate passed legislation that could exempt health care providers from the FTC's Red Flag Rule. The Red Flag Program Clarification Act of 2010 amends the ...
The Kentucky Chamber is sponsoring a webinar on electronic data usage, privacy and security on November 18, 2010, from 3:00 to 4:00 pm (EST). Erin McMahon, Esq., a partner with Wyatt, Tarrant & Combs, LLP, and a member of its Health Care Service Team, will talk about employer's maintenance of privacy and security of electronic data and using ...
The following statement was recently posted on the U.S. Department of Health & Human Services' Office of Civil Rights website:
"The Interim Final Rule for Breach Notification for Unsecured Protected Health Information, issued pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, was published in ...
Update: On December 29, 2010, HHS published in the Federal Register a "Correcting Amendment" to its Final Rule on Meaningful Use, which can be viewed here.
HHS Secretary Kathleen Sebelius wasted no time in putting the brand new CMS Director to work on July 13, 2010, in announcing the release of two rules under the Health Information Technology ...
On May 13, 2010, the United States District Court for the Southern District of New York rejected the privacy challenge to the Health Information Technology for Economic and Clinical Health Act (HITECH Act) asserted by Beatrice M. Heghmann, a registered nurse, and Robert A. Heghmann, her husband and attorney, against Kathleen Sebelius ...
On March 24, 2010, the U.S. Department of Health & Human Services (HHS) posted a 30-day notice to solicit comments under the Paperwork Reduction Act of 1995 regarding its estimate of the burden to conduct a survey about public attitudes towards an electronic health information exchange and the associated privacy and security aspects. The Office ...
Editor's Note: Due to the continued popularity of this post, this article was reviewed and updated on September 30, 2013. For the later version, click here.
Update: On August 8, 2010, Medicare issued MLN Matters Article SE1022 on Medical Record Retention and Media Formats for Medical Records, which states that the Centers for Medicare ...
On January 19, 2010, the Greater Louisville Health Enterprises Network together with Healthcare Information and Management Systems Society, Bluegrass Chapter, will present a panel presentation with discussions surrounding the next steps under the Health Information Technology for Clinical and Economic Health Act (HITECH), part of the ...
The Office of National Coordinator for Health Information Technology (ONC) and its HIT Policy Committee worked hard throughout the summer to develop a framework for the "meaningful use" standards required to qualify for electronic health record (EHR) adoption stimulus funds available under the Health Information Technology for ...
The Department of Health and Human Services (HHS) published a Notice in the Federal Register, December 1, 2009, Volume 229, No. 74, that it has reorganized the HHS Office of National Coordinator for Health Information Technology (ONC). The stated purpose of the reorganization was "to more effectively meet the mission outlined by The Health ...
On Monday, November 23, 2009, Dr. David Blumenthal, the National Coordinator for Health Information Technology under the Department of Health & Human Services, announced the launch of the Health IT Buzz blog. The blog is envisioned as a way to reach out to the healthcare IT community and public at large in order to create an open dialogue about ...
I will be giving a presentation on "HITECH for Physicians" on Wednesday, October 14, 2009, from 7:30 am to 9:00 am. The presentation will take place at MedX12 offices, Ormsby III, 10200 Forest Green Blvd. (just off of North Hurstbourne Lane) in Louisville, Kentucky. The presentation will focus on those aspects of the HITECH Act that provide ...
On Friday, September 18, 2009, from 8:30 am to 3:00 pm, the HHS HIT Policy Committee discussed the standards under development for the 2013 and 2015 "meaningful use" criteria related to privacy and security. The Committee's webpage gave the following overview of the purpose of the meeting:
Protecting health data through comprehensive privacy ...
On Tuesday, September 15, 2009, the HHS HIT Standards Committee gave an update on the quality measures that providers seeking to establish "meaningful use" of "certified EHR" must meet in order to qualify for stimulus funds available under ARRA's Health Information Technology for Economic and Clinical Health (HITECH) Act. The meeting ran ...
In a letter to State Survey Agency Directors dated August 14, 2009, the Centers for Medicare and Medicaid Services (CMS) gave state surveyors guidance regarding surveys of facilities that use electronic health records (EHRs). CMS first stated its support and commitment to the goal that, by 2014, most Americans "will have access to health ...
On June 16, 2009, on the same date the ONC HIT Policy Committee released the first draft of "meaningful use" of electronic health records (EHRs), the Centers for Medicare and Medicaid Services (CMS) launched the CMS Health Information Technology Website to address health information technology (Health IT or HIT) under the ARRA's Health ...
Article Summary: The Federal Trade Commission's Red Flags Rule for identity theft applies to most health care providers according to the FTC's current guidance. The FTC makes a clear attempt under the Rule to regulate medical identity theft, as opposed to credit identity theft. The result is that the FTC will have regulatory authority in an ...
Under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act), the Office of National Coordinator for Health Information Technology (ONC) and the United States Department of Health and Human Services (HHS) are vested with authority to further define "meaningful use" as it relates to qualifying to receive ...
Welcome to my new "HITECH" blog. This blog will track key developments at the federal and state (Kentucky) levels under the American Recovery and Reinvestment Act of 2009 (ARRA) related to that part of ARRA titled, "Health Information Technology for Economic and Clinical Health Act" (HITECH). My primary interest in HITECH concerns the stimulus ...