HITECH Act Amendment: Using “Recognized Security Practices” May Lead to More Favorable HHS Review and Reduced Fines After Data Breach

by Margaret Young Levi and Kathie McDonald-McClure

Congress amended the Health Information Technology for Economic and Clinical Health Act (HITECH Act) on January 5, 2021.  This Amendment requires the U.S. Department of Health and Human Services (HHS) to favorably consider whether covered entities and business associates have implemented specific security measures when making decisions regarding penalties and audits under the Health Insurance Portability and Accountability Act (HIPAA). 

Specifically, the Amendment mandates HHS to “consider whether the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place” when HHS is making decisions to (1) decrease fines, (2) decrease the length and extent of an audit or terminate an audit, and (3) mitigate other remedies with respect to resolving potential violations of the HIPAA Security Rule. 

The HIPAA Security Rule already requires covered entities and business associates to implement appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information (ePHI) but it does not specify those safeguards. This Amendment recognizes certain safeguards and provides benefits to covered entities and business associates who implemented them.  The Amendment defines “recognized security practices” to mean:

  • the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act,
  • the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and
  • other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.

Such practices shall be determined by the covered entity or business associate, consistent with the HIPAA Security Rule. 

The Amendment does not permit HHS to fine a covered entity or business associate, nor to increase fines, merely due to choosing not to engage in “recognized security practices”. Likewise, the Amendment does not prevent HHS from imposing fines if the administrative, physical and technical safeguards implemented by the covered entity or business associate were lacking or not appropriate, or if there was a data breach due to a lack of appropriate safeguards.  On the other hand, a covered entity or business associate who has experienced a data breach resulting from a cyber attack could benefit from reduced fines if these recognized security measures were in place.

The Amendment is to be effective retoactively to December 13, 2016, the effective date of The 21st Century Cures Act.   

Audio-Video Conferencing Risks and Tips for Healthcare Providers

by Margaret Young Levi and Kathie McDonald-McClure

Federal and state governments have relaxed restrictions on telehealth to encourage and empower medical providers to serve patients at home during the novel coronavirus (COVID-19) national public health emergency (PHE). Both medical providers and patients have embraced this new way of connecting due to its convenience and, as a result, the expanded use of telehealth is likely here to stay.  The use of audio and video conferencing for patient care, while convenient, risks an unauthorized disclosure of sensitive information if it is used without due regard for whether the connections are secure. 

Following expansion by the U.S. Department of Human Health Services’ Office for Civil Rights (OCR) and the Centers for Medicare and Medicaid Services (CMS) of federal telehealth services and relaxation of certain requirements during the COVID-19 PHE, Kentucky Medicaid followed suit.  See our previous post about Kentucky Medicaid’s expansion of coverage for telehealth. 

OCR Relaxes HIPAA enforcement for telehealth during COVID-19 PHE.  OCR, the agency responsible for enforcement of HIPAA, issued guidance on its enforcement discretion with regard to certain telehealth practices under HIPAA.  This guidance makes it clear that OCR will not enforce penalties for the use of technology that is not HIPAA compliant, when used in the good faith provision of telehealth services.

Under this Notice, covered health care providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 PHE. 

Continue reading

Kentucky Medicaid Further Expands Telehealth Coverage

By Lindsay K. Scott

Following expansion by the Department of Human Health Services’ Office for Civil Rights (“OCR”) and the Centers for Medicare and Medicaid Services (“CMS”) of federal telehealth services and relaxation of certain requirements, Kentucky Medicaid is following suit.

On March 17, 2020, the Centers for Medicare and Medicaid Services published guidance expanding the use of telehealth and relaxing restrictions on its use. The Office for Civil Rights, the agency responsible for enforcement of HIPAA, followed up with guidance making it clear that it will not enforce penalties for the use of technology that is not HIPAA compliant, when used in the good faith provision of telehealth services:

Under this Notice, covered health care providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency.  Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.

Continue reading

HHS Office for Civil Rights Issues Telehealth HIPAA Guidance during COVID-19 Emergency

On March 17, 2020, the Office for Civil Rights (“OCR”), the agency within the Department of the United States Health & Human Services (“HHS”) responsible for enforcement of HIPAA, issued the following guidance: “Notification of Enforcement Discretion for telehealth remote communications during the COVID-19 nationwide public health emergency.” Pursuant to Telehealth regulatory waivers issued by the HHS Centers for Medicare & Medicaid Services (“CMS”) effective during the COVID-19 Public Health Emergency (“PHE”), providers can use telehealth at any location including in a patient’s home. As more fully explained in its Telehealth Fact Sheet March 17, 2020, HHS stated:

“The provider must use an interactive audio and video telecommunications system that permits real-time communication between the distant site and the patient at home. …  It is imperative during this public health emergency that patients avoid travel, when possible, to physicians’ offices, clinics, hospitals, or other health care facilities where they could risk their own or others’ exposure to further illness.” Continue reading

OCR’s 2019 Right of Access Initiative Bears First Fruit

Hospital Agrees to Pay $85,000 for Failure to Provide Patient Timely Access to Records

by Margaret Young Levi and Kathie McDonald-McClure

On September 9, 2019, the Office for Civil Rights (OCR) announced its first settlement under its “Right of Access Initiative.” Without admitting any wrongdoing, a hospital has agreed to pay $85,000 to the United States Department of Health & Human Services (HHS) as a result of a 10-month delay in providing access to protected health information (PHI). Importantly, the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to “act on” requests for access within 30 days of a request. The hospital also entered into a Corrective Action Plan (CAP) that required the hospital to implement, and train staff on, policies and procedures to ensure individuals have timely access to their requested PHI.

What led to the settlement? The patient raised the issue of untimely access in a complaint to the OCR on August 14, 2018. The patient alleged that on October 18, 2017, she requested her unborn child’s fetal heart monitor records from Bayfront Health – St. Petersburg (Hospital), a Florida hospital.  At the time of her OCR complaint, nine months had passed without receiving any records.  The reason given to the patient by the Hospital for not producing the records was that it could not find them. Continue reading