November 30th Meaningful Use Deadline for Hospitals

Saturday, November 30, 2013, is the last day for hospitals and critical access hospitals (CAHs) to register and attest to receive an incentive payment for FY2013 under the Medicare Electronic Health Record (EHR) Incentive Program. In the flurry of Thanksgiving activities, holiday travel and Black Friday shopping, don’t forget to take advantage of this deal. The Centers for Medicare and Medicaid Services (CMS) has posted a reminder of these deadlines on its Medicare & Medicaid EHR Incentive Program Registration & Attestation System webpage.

Retention of Paper Medical Records After Converting to Electronic Health Records

NOTE: On February 18, 2010, we posted an article about what to do with paper medical records when converting to an electronic health record (EHR). To date, this has been the most popular article on the HITECH Law Blog. We decided to re-review the topic, update it, and repost it. Actually, not much has changed in the way of the law applicable to this topic. So, the article below reiterates most of the tips from our original article with a few refinements, including additional information about retention periods. This article also is relevant to deciding on the retention period for legacy EHR records when converting to another EHR.

Many hospitals have electronic health records (EHRs) that are hybrid digital records. While the hospital may be using electronic data entry in the emergency department, inpatient nursing care, pharmacy, lab, and pre-op anesthesia, oftentimes, these EHRs are not integrated and, thus, are not merged into a single EHR. The short-term solution may have been to scan printed records from some department, like lab or pharmacy, into the patient’s on-line digital record. As a result, the hospital’s “electronic health record” contains information that is not captured in a “coded format.” For one, this will not meet the “meaningful use” criteria under the HITECH Act.

But let’s assume that the hospital can overcome this hurdle by working with vendors to integrate these records in a way that will meet HITECH EHR certification standards. If the hospital has been maintaining certain portions of patient records in a paper format, what does it do with those paper records after converting to an EHR? If the hospital scans all the paper patient records into its EHR, how long should the hospital retain the paper record after it is scanned into their EHR?

Mobile Device Management

More and more, health care providers are employing laptops, tablets, smartphones and other portable electronic devices in their work. And more and more, laptops and other portable electronic devices are involved in breaches of patient data. According to the Office for Civil Rights (OCR) website, 265 (or 39%) of the 674 total data breaches affecting 500 or more individuals reported to date involve either laptops or other portable electronic devices.

In order to better protect the patient information on these devices, the U.S. Department of Health and Human Services (HHS) conducted a Mobile Device Roundtable last year and solicited public comments to gather tips and information HHS considers “would be most useful to health care providers and professionals using mobile devices in their work.” These HHS tips, information and videos may help you protect and secure health information patients entrust to you when using mobile devices. Review these tips and make sure you fully analyze these devices and their movement as part of your risk analysis and risk management plans.

OCR Delays Revisions to Laboratories’ Notices of Privacy Practices

Late last week the Office for Civil Rights (OCR) of the United States Department of Health & Human Services (HHS) announced a delay in its enforcement of the requirement that certain laboratories revise their notices of privacy practices (NPPs).

As we have previously posted on the HITECH Law Blog, HHS has in the works revisions to the Clinical Laboratory Improvement Act of 1988 (CLIA) regulations concerning whether a lab must release results directly to patients.   Rather than forcing labs to revise their NPPs by September 23, 2013 (today) and then revise them again when the new CLIA regulations are final, HHS chose to delay enforcement until the new CLIA-specific rule is released.

This delay applies to HIPAA-covered,  CLIA-certified or CLIA-exempt laboratories that are not required to provide an individual with access to his or her laboratory test reports under the HIPAA Privacy Rule because the information is subject to the exceptions to the right of access.  The delay does not apply to laboratories that operate as part of a larger legal entity, such as a hospital, and by virtue of that relationship, do not have their own, laboratory-specific, NPPs.

To read more about the HHS Proposed Rule that will enable direct access to laboratory test results by patients, see our September 14, 2011 blog post.  To read the Proposed Rule, click here.

HIPAA BAA Deadline is Monday, September 23, 2013


by Margaret Young Levi

Reminder: the clock is ticking for covered entities and business associates to come into compliance with new requirements under the HITECH-HIPAA Omnibus Rule. Monday, September 23, 2013 is the deadline for covered entities and business associates to put into place new Business Associate Agreements (“BAAs”). As we blogged on March 4th, any new BAAs signed after January 24, 2013 should comply with added requirements under the Omnibus Rule. These new agreements must be signed and in place by September 23, 2013.

Current BAAs (those signed on or before January 24, 2013) will be grandfathered and deemed HIPAA compliant through September 23, 2014, at which time the BAA will need to have been amended for compliance with the Omnibus Rule. 

As a first step, covered entities should verify that they have identified all of their business associates, particularly in light of the revised definition of “business associate” in the Omnibus Rule.  Covered entities should enter into compliant BAAs with any newly identified Business Associates or with existing business associates if the agreements are renewed after January 24th (excluding those BAAs that automatically renewed). 

Business associates will now be directly liable for their actions under HIPAA and should take steps to identify their downstream business associates, called “subcontractors,” and enter into BAAs with those subcontractors.

See our March 4, 2013 post for additional details.