OCR Delays Revisions to Laboratories’ Notices of Privacy Practices

Late last week the Office for Civil Rights (OCR) of the United States Department of Health & Human Services (HHS) announced a delay in its enforcement of the requirement that certain laboratories revise their notices of privacy practices (NPPs).

As we have previously posted on the HITECH Law Blog, HHS has in the works revisions to the Clinical Laboratory Improvement Act of 1988 (CLIA) regulations concerning whether a lab must release results directly to patients. Rather than forcing labs to revise their NPPs by September 23, 2013 (today) and then revise them again when the new CLIA regulations are final, HHS chose to delay enforcement until the new CLIA-specific rule is released.

This delay applies to HIPAA-covered, CLIA-certified or CLIA-exempt laboratories that are not required to provide an individual with access to his or her laboratory test reports under the HIPAA Privacy Rule because the information is subject to the exceptions to the right of access. The delay does not apply to laboratories that operate as part of a larger legal entity, such as a hospital, and that by virtue of that relationship do not have their own laboratory-specific NPPs.

To read more about the HHS Proposed Rule that will enable direct access to laboratory test results by patients, see our September 14, 2011 blog post. To read the Proposed Rule, click here.

Privacy Breaches – They’re FTC Territory, Too!

by Ann F. Triebsch

We’ve all heard about HIPAA privacy breaches until we think there couldn’t be anything else to worry about. Think again—the Federal Trade Commission (FTC) is prosecuting privacy breaches in the health care industry as a violation of Section 5 of the FTC Act. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is charged with enforcing HIPAA, but some of those same privacy breaches can be scrutinized by the FTC to determine if they are “unfair or deceptive acts or practices in or affecting commerce”, which the FTC Act prohibits. On August 29, 2013, the FTC filed suit in Federal District Court in Atlanta against LabMD, a medical testing laboratory, and its president, to compel it to comply with an investigative demand for information on whether it failed to properly protect private information of about 9,000 consumers (FTC v. LabMD, U.S.D.C. N.D. Ga., Case No. 1:12-CV-3005).


HIPAA BAA Deadline is Monday, September 23, 2013


by Margaret Young Levi

Reminder: the clock is ticking for covered entities and business associates to come into compliance with the new requirements under the HITECH-HIPAA Omnibus Rule. Monday, September 23, 2013 is the deadline for covered entities and business associates to put into place new Business Associate Agreements (“BAAs”). As we blogged on March 4th, any new BAAs signed after January 24, 2013 should comply with the added requirements under the Omnibus Rule. These new agreements must be signed and in place by September 23, 2013.

Current BAAs (those signed on or before January 24, 2013) will be grandfathered and deemed HIPAA compliant through September 23, 2014, at which time the BAA will need to have been amended for compliance with the Omnibus Rule.

As a first step, covered entities should verify that they have identified all of their business associates, particularly in light of the revised definition of “business associate” in the Omnibus Rule. Covered entities should enter into compliant BAAs with any newly identified business associates, or with existing business associates if the agreements are renewed after January 24th (excluding those BAAs that automatically renewed).

Business associates will now be directly liable for their actions under HIPAA and should take steps to identify their downstream business associates, called “subcontractors”, and enter into BAAs with those subcontractors.

See our March 4, 2013 post for additional details.

HIPAA Breaches in the News Again!

It has been widely reported that WellPoint Inc. recently agreed to pay a $1.7 million fine to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy and Security Rules. The U.S. Department of Health & Human Services’ (“HHS”) press release asserts that WellPoint failed to “implement appropriate administrative and technical safeguards” required by HIPAA when it left an online application database unsecured and exposed the electronic protected health information (“PHI”) of more than 600,000 individuals. WellPoint self-reported this issue when it submitted a breach notification required under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. This breach highlights the importance of ensuring that PHI is secured when system updates are performed.


ONC Announces New Certified HIT Mark

Last week, the Department of Health and Human Services’ (HHS) Office of the National Coordinator for Health Information Technology (ONC) announced its new Certified HIT Mark, similar to the Good Housekeeping Seal of Approval. The Certified HIT Mark provides a way for consumers to feel confident at a glance that “the HIT meets all applicable requirements under the ONC HIT Certification Program.”

The ONC Certification Program ensures that electronic health record technologies meet the standards and certification criteria adopted by HHS to help providers and hospitals achieve Meaningful Use objectives and measures under the Health Information Technology for Economic and Clinical Health (HITECH) Act. Additional information from the ONC about the standards and certification criteria, the certified health IT product list, and the health IT certification program may be found here.