Health Information Technology

HHS Proposed Rule Aligns Regulation on Confidentiality of Substance Use Disorder Treatment Records with HIPAA

Kathie McDonald-McClure data breach; notification, Data Privacy & Security, Health Information Technology, HIPAA , , , , , , , ,

by Kathie McDonald-McClure

UPDATE: On February 16, 2024, HHS published a Final Rule (89 Fed Reg 12472) to amend Part 2 rules on patient confidentiality of SUD records. While the Final Rule’s effective date is April 16, 2024, the deadline for compliance is February 16, 2026. Based on public comments to the Proposed Rule, HHS included further substantive modifications in the Final Rule, which HHS outlines in a Fact Sheet on the Part 2 Final Rule.

On November 28, 2022, the Secretary for the United States Department of Health & Human Services (HHS) released a Proposed Rule to amend the requirements in Title 42, Part 2, on confidentiality of substance use disorder (SUD) patient records in federally assisted Part 2 Programs.  Part 2 protects the confidentiality of SUD patient records (which generally include alcoholism, alcohol abuse, and drug abuse treatment and prevention records) by restricting the circumstances under which Part 2 Programs or other lawful holders can disclose such records.

Continue reading

A Supreme Development in Employer Computer Protection

WyattLLP Data Privacy & Security, Health Information Technology, HITECH Law ,

By: Courtney Samfordcontributing author Blake Sims, Wyatt Summer Associate

This image has an empty alt attribute; its file name is pexels-mikhail-nilov-6930431-1024x617.jpg

Employers commonly supply computer and work devices to employees and state that the electronics may only be used for business related purposes, and employers have always had the ability to discipline employees who violate computer use policies through improper use. In some Federal Court of Appeals Circuits, employers may have been able to rely on threats of criminal and civil liabilities under 18 U.S.C. § 1030 to further deter improper use. On June 3, 2021, however, an evenly split conservative-liberal majority of the Supreme Court reversed the Eleventh Circuit Court of Appeals in Van Buren v. United States, holding that an individual only violates the Section 1030 of Computer Fraud and Abuse Act “when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him.” Van Buren v. United States, No. 19-783 (Sup. Ct. June 3, 2021).

Continue reading

INFORMATION BLOCKING RULE EFFECTIVE APRIL 5, 2021: ARE PROVIDERS READY?

WyattLLP Cures Act and Program Interoperability, Health Information Technology , , , ,

By Kathie McDonald-McClure and Margaret Young Levi

The Information Blocking Final Rule, a provision of the 21st Century Cures Act geared towards ensuring access, exchange and use of electronic health information (EHI), was published on May 1, 2020, and became effective on June 20, 2020.  However, the U.S. Department of Health and Human Services’ (HHS) Office of the National Coordinator for Health IT (ONC) extended the compliance effective dates for the Final Rule several times over the last year—and most providers were hopeful that it would be extended once again—but there are no more delays.  Information Blocking compliance is now effective, as of April 5, 2021.  Health care providers should take immediate steps to ensure compliance.

Continue reading

Federal Agencies Warn of Cyberattacks on U.S. Hospitals

Kathie McDonald-McClure Cyber Security and Cyber Crime, Data Privacy & Security, Electronic Health Records, Health Information Technology , , , , ,

By Margaret Young Levi and Kathie McDonald-McClure

On October 28, 2020,  the Federal Bureau of Investigation (FBI), the U.S. Department of Health and Human Services (HHS), and the Cybersecurity and Infrastructure Security Agency (CISA) issued a Joint Cybersecurity Advisory warning hospitals and the health care community about coordinated ransomware attacks on hospitals designed to steal data and freeze hospital information systems for financial gain. 

Six U.S. hospitals fell victim to this attack on October 27th and the FBI, HHS, and CISA have credible information that more hospitals will be targeted in this attack. The ransomware behind these attacks is known as Ryuk, which utilizes TrickBot malware and other malware to execute the attack. The Ryuk ransomware is designed to allow the cybercriminals to stealthily access, map and move laterally across the victim’s network before encrypting critical data files and deleting connected backups.

Continue reading

The EPCS Mandate: Kentucky Requires Electronic Prescribing Of Controlled Substances

WyattLLP Electronic Health Records, Health Information Technology , , , ,

by Lindsay K. Scott

In an ongoing effort to battle the opioid crisis, Kentucky House Bill 342 was signed into law on March 26, 2019.  This bill created a new statute, KRS 218A.182, to require that all prescriptions for controlled substances be submitted electronically, unless certain exceptions apply (the “EPCS Mandate”).  Effective January 1, 2021, practitioners who prescribe controlled substances to be dispensed by a Kentucky pharmacy must issue the prescription electronically (“e-prescribe”) directly to the pharmacy unless an exception applies. Continue reading