HITECH Law

A Supreme Development in Employer Computer Protection

WyattLLP Data Privacy & Security, Health Information Technology, HITECH Law ,

By: Courtney Samfordcontributing author Blake Sims, Wyatt Summer Associate

This image has an empty alt attribute; its file name is pexels-mikhail-nilov-6930431-1024x617.jpg

Employers commonly supply computer and work devices to employees and state that the electronics may only be used for business related purposes, and employers have always had the ability to discipline employees who violate computer use policies through improper use. In some Federal Court of Appeals Circuits, employers may have been able to rely on threats of criminal and civil liabilities under 18 U.S.C. § 1030 to further deter improper use. On June 3, 2021, however, an evenly split conservative-liberal majority of the Supreme Court reversed the Eleventh Circuit Court of Appeals in Van Buren v. United States, holding that an individual only violates the Section 1030 of Computer Fraud and Abuse Act “when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him.” Van Buren v. United States, No. 19-783 (Sup. Ct. June 3, 2021).

Continue reading

HITECH Act Amendment: Using “Recognized Security Practices” May Lead to More Favorable HHS Review and Reduced Fines After Data Breach

Kathie McDonald-McClure Data Privacy & Security, HIPAA, HITECH Law , , , , ,

by Margaret Young Levi and Kathie McDonald-McClure

Congress amended the Health Information Technology for Economic and Clinical Health Act (HITECH Act) on January 5, 2021.  This Amendment requires the U.S. Department of Health and Human Services (HHS) to favorably consider whether covered entities and business associates have implemented specific security measures when making decisions regarding penalties and audits under the Health Insurance Portability and Accountability Act (HIPAA). 

Specifically, the Amendment mandates HHS to “consider whether the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place” when HHS is making decisions to (1) decrease fines, (2) decrease the length and extent of an audit or terminate an audit, and (3) mitigate other remedies with respect to resolving potential violations of the HIPAA Security Rule. 

Continue reading

CMS Proposed Rule on Hospital EHR “Electronic Patient Event Notifications”

Kathie McDonald-McClure Cures Act and Program Interoperability, Data Privacy & Security, EHR Certification Standards, Electronic Health Records, Health Information Technology, HIPAA, HITECH Law , , , , ,

By Kathie McDonald-McClure and Margaret Young Levi

Doctor Speaking with Patient

Summary: CMS proposes new Medicare Conditions of Participation (CoPs) for hospitals that will require the hospital EHR to send electronic event notifications to post-acute care providers when a patient has been admitted, discharged, or transferred.  What must hospitals do, and how much time is needed, to operationalize the new CoPs, considering a process will need to be developed that identifies providers who should and can receive these event notices? What will be required, and how much time is needed, to reconfigure EHRs to send the notifications and demonstrate compliance with the multiple facets of the CoP?  Will PAC providers be obligated to operationalize the receipt and use of these notifications under the IMPACT Act?  CMS is seeking stakeholder input on its proposal, including a reasonable time frame for implementation. Comments are due June 3, 2019.* Continue reading

New HIPAA Auditing Process Begins – Are You Ready?

Erin Brisbay McMahon Data Privacy & Security, HIPAA, HITECH Law , , ,

audit checklistThe Department of Health and Human Services’s Office for Civil Rights (OCR) announced last week that it has launched Phase 2 of its HIPAA Audit Program. Under this Audit Program, OCR will review whether entities subject to the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Data Breach Notification regulations are complying with those regulations.  OCR has already begun to send initial emails to “covered entities” and “business associates” (defined in the HIPAA regulations) regarding the audits that seek to verify contact information.

Tip:  These emails may be incorrectly classified as spam by corporate or email filters.  OCR expects covered entities and business associates to check spam and junk email folders for emails from OCR.

WarningSophisticated cybercriminals could use the OCR audits as an opportunity to send fake OCR emails (“phishing emails”) in an attempt to trick employees into turning over individual health information or to click on links that download harmful malware into the organization’s computer network.  Do not click on links or supply any documentation until Continue reading

Stages 1, 2, And Now 3, Meaningful Use Criteria

Margaret Young Levi Electronic Health Records, Health Information Technology, HITECH Law, Meaningful Use , , , , , , , ,

The Centers for Medicare & Medicaid Services (“CMS”) proposed Meaningful Use criteria to implement Stage 3 and allow eligible professionals, eligible hospitals and critical access hospitals (“CAHs”) to qualify for incentive payments (or avoid downward payment adjustments) under the Medicare and Medicaid Electronic Health Record (EHR) Incentive Program implemented by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009. stethoscope, keyboardThen CMS made changes to Stage 1 and Stage 2 Meaningful Use criteria to better align with the proposed Stage 3 criteria just two weeks later.

On March 30, 2015, CMS published a long-awaited proposed rule which, if finalized, would implement Stage 3, making changes to the objectives and measures of meaningful use for providers effective in Continue reading