After LabMD: FTC, What Do We Comply With?

by Ann F. Triebsch

As observers of data security enforcement are aware, the Federal Trade Commission (FTC) determined on January 16, 2014, that even entities that are already subject to the privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA) are also subject to FTC jurisdiction and enforcement powers for data security breaches. In the LabMD decision, the FTC denied the motion to dismiss sought by LabMD in the administrative case against it, which was formally filed in August 2013. This outcome, though anticipated, has stirred up plenty of discussion, including about how to know whether or not you’re storing data in a way that satisfies the FTC, and what happens if you’re not. For entities that are subject to HIPAA and have been following the HIPAA Security Rule regulations, is this enough? Should they be doing more to also demonstrate compliance to the FTC?

The FTC: Watchdog for Privacy and Security of Sensitive Personal Data

Those who dwell in the world of health care privacy and security know well that the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) is the federal agency that issues the regulations, provides guidance and ultimately enforces the complex requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as amended by the Health Information Technology for Economic & Clinical Health Act of 2009 (HITECH). But we also know, as citizens of the 21st century, that privacy and security concerns extend far beyond insurance claims and health records in our doctors’ offices. With every new smartphone we indulge in, every online purchase we make, every retail loyalty program for which we register, we share valuable chunks and tidbits of data about ourselves that now can be used to tell others far more about us than we ever would have dreamed possible, or probably desire. The internet and the astounding connectivity of so many technological devices, both consumer and commercial, allow extremely private and sensitive information to be accessed by parties we do not know and cannot imagine, for both our benefit and detriment.

EHR Meaningful Use Audits – Coming Soon to an Office Near You!

by Ann F. Triebsch

As we indicated in a posting last October and in a more recent August post, audits are now underway to verify that providers who received incentive monies from the Centers for Medicare and Medicaid Services (CMS) under the Health Information Technology for Economic and Clinical Health (HITECH) Act for implementation of a certified electronic health record (EHR) have indeed met the “meaningful use” (MU) criteria. The Office of the National Coordinator for Health Information Technology (ONC) has contracted with Garden City, NY-based Fagliozzi and Company to conduct these audits. The audits are designed to verify that providers receiving incentive payments are using certified EHR technology in a meaningful way. These audits can be a hassle, and there are risks if you cannot promptly provide what is requested—even if you are complying with the MU criteria.


Privacy Breaches – They’re FTC Territory, Too!

by Ann F. Triebsch

We’ve all heard about HIPAA privacy breaches until we think there couldn’t be anything else to worry about. Think again—the Federal Trade Commission (FTC) is prosecuting privacy breaches in the health care industry as a violation of Section 5 of the FTC Act. The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) is charged with enforcing HIPAA, but some of those same privacy breaches can be scrutinized by the FTC to determine if they are “unfair or deceptive acts or practices in or affecting commerce”, which the FTC Act prohibits. On August 29, 2013, the FTC filed suit in Federal District Court in Atlanta against LabMD, a medical testing laboratory, and its president, to compel it to comply with an investigative demand for information on whether it failed to properly protect private information of about 9,000 consumers (FTC v. LabMD, U.S.D.C. N.D. Ga., Case No. 1:12-CV-3005).


Extension of EHR Safe Harbor? The Ball is Rolling …

by Ann F. Triebsch

The anti-kickback “safe harbor” allowing hospitals to donate electronic health record (“EHR”) equipment to physicians who may refer patients to their facility is set to expire on December 31, 2013, but efforts have begun to have the safe harbor extended. The safe harbor, created in 2006, allows hospitals to donate EHR and electronic prescribing technology to practices for the purpose of setting up or improving EHR systems, provided that the practice covers 15% of the cost of the EHR technology, without risk of anti-kickback enforcement. The purpose was to incentivize the meaningful use of EHR systems, and Medicare incentive payments for EHR adoption will continue through 2016.

Rep. Jim McDermott (D-Wash.) sent a letter on March 28 to Greg Demske, chief counsel of the HHS Office of Inspector General, asking OIG to extend the safe harbor provision. He emphasized Washington’s goal of reducing healthcare costs and eliminating wasteful spending, and pointed out that an extension would further that goal. He called the safe harbor provision “a common-sense policy” that “encourages collaboration among providers, yet also contains rigorous requirements that providers must meet in order to protect the Medicare and Medicaid programs from the few unscrupulous providers who would donate electronic health record software in exchange for referrals.” Earlier this year, the Federation of American Hospitals also showed support for renewing the EHR safe harbor.

To read Rep. McDermott’s letter, click here.

To read the Federation of American Hospitals letter, click here.

Stay tuned for further action on an extension.