It has been widely reported that WellPoint Inc. recently agreed to pay a $1.7 million fine to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy and Security Rules. The U.S. Department of Health & Human Services’ (“HHS”) press release asserts that WellPoint failed to “implement appropriate administrative and technical safeguards” required by HIPAA when it left an online application database unsecured and exposed the electronic protected health information (“PHI”) of more than 600,000 individuals. WellPoint self-reported this issue when it submitted a breach notification required under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. This breach highlights the importance of ensuring that PHI remains secured when system updates are performed.
Author: Margaret Young Levi
ONC Announces New Certified HIT Mark

Last week, the Department of Health and Human Services’ (HHS) Office of the National Coordinator for Health Information Technology (ONC) announced its new Certified HIT Mark, similar to the Good Housekeeping Seal of Approval. The Certified HIT Mark provides a way for consumers to feel confident at a glance that “the HIT meets all applicable requirements under the ONC HIT Certification Program.”
The ONC Certification Program ensures that electronic health record technologies meet the standards and certification criteria adopted by HHS to help providers and hospitals achieve Meaningful Use objectives and measures under the Health Information Technology for Economic and Clinical Health (HITECH) Act. Additional information from the ONC about the standards and certification criteria, certified health IT product list, and the health IT certification program may be found here.
New EHR Exemptions Proposed
A new bill entitled the “Electronic Health Records Improvement Act” has been introduced in the U.S. House of Representatives. Its stated purpose is to “amend certain requirements and penalties implemented under the Medicare and Medicaid programs by the HITECH Act of 2009, which would otherwise impede eligible professionals from adopting electronic health records to improve patient care.” Most notably, this bill proposes two new exemptions to the requirements to be a meaningful user of electronic health records (“EHRs”) that will be beneficial to solo physician practices and physicians nearing retirement:
- Eligible Professionals in Small Physician Practices. A physician who is a solo practitioner in 2015 would be exempt from the application of the downward payment adjustment for not demonstrating EHR meaningful use during the payment years 2015-2017. Implementing an EHR requires significant investments of time (for vendor selection), capital, and staff resources, and solo practitioners typically do not have the necessary resources to invest in EHRs. This exemption allows undercapitalized solo practitioners an additional three years to become meaningful EHR users.
- Exception for Certain Physicians Near Retirement Age. A physician who will be eligible for Social Security by December 31, 2015 (or will be eligible during the 5-year period following that date) is also exempt from the application of the downward payment adjustment for not demonstrating EHR meaningful use during the payment years 2015-2017. This exemption will encourage physicians nearing retirement to continue practicing medicine for several more years instead of retiring early to avoid implementing an EHR. (Because this section of the Bill uses the terms “eligible professional” (in the text) and “physician” (in the title), there is some question as to whether this exception applies only to physicians nearing retirement or also applies to other types of eligible professionals, such as dentists, chiropractors, podiatrists, and optometrists. Hopefully, this confusion will be clarified if this Bill progresses into law.)
Here is a link to H.R. 1331. This Bill is currently in committee, and we will watch its progress closely.
Update (1/31/2015): Unfortunately, H.R. 1331 died in Committee.
Sample BAA Provisions
The final HIPAA-HITECH Omnibus Rule (Omnibus Rule), released in January, substantially increases the privacy responsibilities of a business associate that receives protected health information, such as contractors and subcontractors. These new requirements will need to be reflected in business associate agreements (BAAs) between the covered entity and the business associate as well as in agreements between a business associate and its subcontractor.
For example, BAAs must now contain provisions requiring business associates to notify the covered entity of any data breaches. Moreover, the Omnibus Rule expanded the definition of “business associates” to include subcontractors, which means business associates must now enter into BAAs with their subcontractors who access PHI.
The Department of Health & Human Services (HHS), Office for Civil Rights (OCR) has posted sample BAA provisions on its website to help covered entities and business associates more easily comply with the additional BAA requirements found in the Omnibus Rule. While these sample provisions are written for use in a contract between a covered entity and its business associate, the language may be tailored for purposes of a contract between a business associate and its subcontractor.
These sample provisions do not constitute a sample contract but are only a starting point. It is not enough to print and sign these provisions. As OCR warns, “These provisions address only concepts and requirements set forth in the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules, and alone may not be sufficient to result in a binding contract under State law. They do not include many formalities and substantive provisions that may be required or typically included in a valid contract. Reliance on this sample may not be sufficient for compliance with State law, and does not replace consultation with a lawyer or negotiations between the parties to the contract.” Moreover, there are common concepts in BAAs that are notably missing from the sample provisions, such as indemnification, notification, and mitigation, which should be considered for inclusion with any BAA.
If your current BAA was signed on or before January 24, 2013, then it will be deemed HIPAA compliant through September 23, 2014 (at which time the BAA will need to have been amended for compliance with the Omnibus Rule). Any new BAA signed after January 24, 2013 should comply with the new requirements under the Omnibus Rule and be in place by September 23, 2013.
Report 2012 HIPAA Small Breaches by Friday, 3/1
by Ann F. Triebsch
Friday, March 1, is the deadline for HIPAA covered entities to report to HHS small breaches of unsecured protected health information that occurred in 2012. A small breach is one affecting fewer than 500 individuals. Affected individuals must be notified within 60 days of the breach’s discovery, but the breach also must be reported to HHS within 60 days of the close of that calendar year, i.e., by March 1 of the following year. To file a report, follow this link.
