OCR’s 2019 Right of Access Initiative Bears First Fruit

Hospital Agrees to Pay $85,000 for Failure to Provide Patient Timely Access to Records

by Margaret Young Levi and Kathie McDonald-McClure

On September 9, 2019, the Office for Civil Rights (OCR) announced its first settlement under its “Right of Access Initiative.” Without admitting any wrongdoing, a hospital has agreed to pay $85,000 to the United States Department of Health & Human Services (HHS) as a result of a 10-month delay in providing access to protected health information (PHI). Importantly, the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to “act on” requests for access within 30 days of a request. The hospital also entered into a Corrective Action Plan (CAP) that required the hospital to implement, and train staff on, policies and procedures to ensure individuals have timely access to their requested PHI.

What led to the settlement? The patient raised the issue of untimely access in a complaint to the OCR on August 14, 2018. The patient alleged that on October 18, 2017, she requested her unborn child’s fetal heart monitor records from Bayfront Health – St. Petersburg (Hospital), a Florida hospital.  At the time of her OCR complaint, nine months had passed without receiving any records.  The reason given to the patient by the Hospital for not producing the records was that it could not find them. Continue reading

CMS Proposed Rule on Hospital EHR “Electronic Patient Event Notifications”

By Kathie McDonald-McClure and Margaret Young Levi

Doctor Speaking with Patient

Summary: CMS proposes new Medicare Conditions of Participation (CoPs) for hospitals that will require the hospital EHR to send electronic event notifications to post-acute care providers when a patient has been admitted, discharged, or transferred.  What must hospitals do, and how much time is needed, to operationalize the new CoPs, considering a process will need to be developed that identifies providers who should and can receive these event notices? What will be required, and how much time is needed, to reconfigure EHRs to send the notifications and demonstrate compliance with the multiple facets of the CoP?  Will PAC providers be obligated to operationalize the receipt and use of these notifications under the IMPACT Act?  CMS is seeking stakeholder input on its proposal, including a reasonable time frame for implementation. Comments are due June 3, 2019.* Continue reading

Healthcare Privacy Practices Notice Must Include Nondiscrimination Notice

By Margaret Young Levi and Kathie McDonald-McClureprivacy policy

Among the many mandates of the Affordable Care Act (ACA) (a/k/a “Obama Care”) still in force today is Section 1557. Section 1557 prohibits discrimination on the basis of race, color, national origin, sex, age, or disability in certain health programs or activities. The U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) is the agency vested with responsibility for implementing and enforcing Section 1557. On May 16, 2016, OCR issued a Final Rule that requires entities covered by the ACA to notify beneficiaries, enrollees, applicants, or members of the public of Section 1557’s nondiscrimination prohibitions. This notice must be included in the entity’s “significant” publications and communications.

You might ask, “Why am I reading about this on a legal blog about privacy and security?”  This is because OCR determined that the Notice of Privacy Practices, which healthcare providers and health plans issue to patients and plan members, is a “significant” publication or communication. As a result, health care providers and health plans that are subject to both Section 1557 and the Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) must add the Section 1557 nondiscrimination notices and taglines to their Notice of Privacy Practices. Health plans should add such notices and taglines to their Summary of Benefits and Coverage as well.

Continue reading

Ransomware Attack on Allscripts’ Cloud-Based EHR and E-Prescribing Platforms: What Providers Need to Know

pexels-photo-263370.jpegBy Kathie McDonald-McClure

What Happened. According to several healthcare news sources, on Thursday, January 18, 2018, Allscripts experienced a ransomware attack on the computer servers that host the Allscripts cloud-based EHR and the Allscripts cloud-based Electronic Prescriptions for Controlled Substances (“EPCS”) platform. Allscripts did not pay the ransom because it had recent data backups that were unaffected by the attack.¹

Initial Impact on Allscripts’ Clients. The EPCS reportedly was restored on Saturday, January 20, 2018. The EHR system reportedly continued to be adversely affected through at least Monday, January 22, 2018, with some providers still reporting log-in issues through Wednesday, January 24, 2018. Allscripts held a conference call with providers in which it advised providers that they may continue to experience usage interruptions with the cloud-based products until Allscripts completed a roll-out of security updates. During down times, Allscripts urged providers to use the Allscripts mobile solution (only available on the iPhone) to view medical histories and schedules but acknowledged that providers would be unable to Continue reading

Can blockchain technology solve healthcare IT security and interoperability challenges?

On March 20-21, 2017, multiple healthcare technology companies came together in Washington, D.C. to host The Healthcare Blockchain Summit.  Blockchain, the technology that underpins bitcoin technology, keeps data secure in a “distributed, encrypted ledger” while allowing control over who can access that ledger.  This is the hottest technology being discussed today as a way to secure confidential or sensitive data.

The on-line technology publication, Wired, describes blockchain’s security method in a February 1, 2017 article as follows: “Rather than having one central administrator that acts as a gatekeeper to data—a list of digital transactions—there’s one shared ledger, but it’s spread across a Continue reading