After LabMD: FTC, What Do We Comply With?

by Ann F. Triebsch

As observers of data security enforcement are aware, the Federal Trade Commission (FTC) determined on January 16, 2014, that entities already subject to the privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA) are also subject to the FTC's jurisdiction and enforcement authority over data security breaches. In the LabMD decision, the FTC denied the motion to dismiss that LabMD had sought in the administrative case against it, which was formally filed in August 2013. This outcome, though anticipated, has stirred up plenty of discussion, including about how to know whether you are storing data in a way that satisfies the FTC, and what happens if you are not. For entities that are subject to HIPAA and have been following the HIPAA Security Rule, is this enough? Should they be doing more to also demonstrate compliance to the FTC?

HHS Amends CLIA to Broaden the Patient’s Access Rights to Lab Test Results

by Kathie McDonald-McClure and Elizabeth O’Keeffe

As we have previously reported on the Wyatt HITECH Law blog on September 14, 2013 and September 23, 2011, the Department of Health and Human Services (HHS) has had in the works, for over two years now, revisions to the Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations concerning whether a lab may release test results directly to patients. On February 3, 2014, HHS announced the release of a Final Rule (Final Rule) amending the CLIA regulations to allow laboratories to give a patient, or a person designated by the patient as his or her "personal representative," access to the patient's completed test reports upon the request of the patient or the patient's personal representative. The Final Rule was issued jointly by three agencies within HHS: the Centers for Medicare & Medicaid Services (CMS), which is generally responsible for laboratory regulation under CLIA; the Centers for Disease Control and Prevention (CDC), which provides scientific and technical advice to CMS related to CLIA; and the Office for Civil Rights (OCR), which is responsible for enforcing the HIPAA Privacy Rule.

Legislation would require Kentucky businesses to notify consumers of data breach

by Dan Soldato

Data breaches, particularly of consumer information and other private information, are an increasing public concern and a regular headline in the daily news. We routinely hear about incidents in which electronically stored customer information is lost by or stolen from businesses, including health care companies, retailers, and telecommunications companies. These risks are growing rapidly with the increased use of mobile devices in businesses (e.g., laptops, tablets, flash drives, smartphones) and the increased use of mobile apps by consumers. Electronic data that is not adequately secured is exposed to both physical theft (a lost or stolen device) and electronic theft (e.g., hacking, malware). In light of the increase in data breach reports, this week the Consumer Financial Protection Bureau issued an advisory bulletin to provide guidance to consumers on protecting their personal information following the recent high-profile breaches involving debit cards and other payment data (e.g., Target, Michaels, Neiman Marcus). Notifying consumers that their data has been breached is seen as another way to limit the resulting harm, since it lets affected individuals take protective steps of their own.

Data Breach Laws. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Section 5 of the Federal Trade Commission Act are two federal laws under which federal agencies aim to protect the confidentiality of sensitive personal information such as health information, Social Security numbers and other personally identifiable information. In addition, many states have enacted laws with a similar aim. One such law that many states have enacted is a breach notification law, which requires business entities to notify affected individuals when their personally identifiable information has been breached or compromised.

Kentucky is one of a handful of states that has yet to enact a breach notification law. However, on January 21, 2014, Representative Steve Riggs introduced HB232, which, if passed, would implement new standards and requirements to notify affected individuals in the event of a breach of their personally identifiable information. The Bill is now under consideration by the House Labor and Industry Committee.

E-Patient: The Doctor May “See” You Now

Welcome to our newest contributing author, Elizabeth O’Keeffe, who prepared the following post

E-health, e-patients, social media, telehealth, telemedicine, mobile health care – what does it all mean to you as a patient? As an employee? As a CEO? "Telehealth" is booming and could substantially disrupt the old-fashioned health care model. In-person doctor appointments, hospitalizations, and follow-up visits still occur, but through a new means – technology. The growth in technology and other competitive forces, including market differentiation, market segmentation, costs, efficiencies, and access, have created this new market, and while it may all seem like just more "techie stuff," it is not going away. As in banking (remember the first time you used an ATM – what, no teller?), it will change how we approach health care.

Who Accessed My Health Records? Recommendation for Quality over Quantity in Access Reports

By Kathie McDonald-McClure, Ann F. Triebsch and Margaret Young Levi

Accounting for Disclosures Would Include Disclosures of PHI to All Staff

The Office of the National Coordinator for Health Information Technology (ONC) Health IT Policy Committee voted in December 2013 to recommend that the United States Department of Health & Human Services (HHS) scale back its 2011 proposed rules, which would require covered entities to provide patients with reports showing the name of every staff member who accessed their information in an electronic health record (EHR). As reported by Government Health IT, the committee's Privacy and Security Tiger Team opposes a requirement that entities covered by the Health Insurance Portability & Accountability Act of 1996 (HIPAA) give such broad "accounting of disclosure" reports to patients.