Don’t Forget to Protect your Paper Health Records!

Even as health care providers have moved to convert from paper to electronic health records, it remains just as important to continue to protect paper health information records. While the majority of data breaches involve mobile devices such as laptops and flash drives, a significant number of large data breaches (those affecting 500 or more individuals)

Conducting HIPAA Breach Risk Assessments Using the “LoProCo” Analysis

by Margaret Young Levi and Kathie McDonald-McClure

The U.S. Department of Health & Human Services Office for Civil Rights (“OCR”) has a new acronym, “LoProCo,” relating to assessing data breaches under HIPAA, as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and the HIPAA Omnibus Rule that became effective March 26, 2013.

It is OCR’s position that a breach is

Retention of Paper Medical Records After Converting to Electronic Health Records

NOTE: On February 18, 2010, we posted an article about what to do with paper medical records when converting to an electronic health record (EHR). To date, this has been the most popular article on the HITECH Law Blog. We decided to re-review the topic, update it, and repost it. Actually, not much has changed in the way of the law applicable to this topic. So, the article below reiterates most of the tips from our original article with a few refinements, including additional information about retention periods. This article also is relevant to deciding on the retention period for legacy EHR records when converting to another EHR.

Many hospitals have electronic health records (EHRs) that are hybrid digital records. While the hospital may be using electronic data entry in the emergency department, inpatient nursing care, pharmacy, lab, and pre-op anesthesia, oftentimes these EHRs are not integrated and, thus, are not merged into a single EHR. The short-term solution may have been to scan printed records from some departments, like lab or pharmacy, into the patient’s online digital record. As a result, the hospital’s “electronic health record” contains information that is not captured in a “coded format.” For one, this will not meet the “meaningful use” criteria under the HITECH Act.

But let’s assume that the hospital can overcome this hurdle by working with vendors to integrate these records in a way that will meet HITECH EHR certification standards. If the hospital has been maintaining certain portions of patient records in a paper format, what does it do with those paper records after converting to an EHR? If the hospital scans all the paper patient records into its EHR, how long should the hospital retain the paper record after it is scanned into its EHR?

OCR Delays Revisions to Laboratories’ Notices of Privacy Practices

Late last week the Office for Civil Rights (OCR) of the United States Department of Health & Human Services (HHS) announced a delay in its enforcement of the requirement that certain laboratories revise their notices of privacy practices (NPPs).

As we have previously posted on the HITECH Law Blog, HHS has revisions in the works to the Clinical Laboratory Improvement Act of 1988 (CLIA) regulations concerning whether a lab must release results directly to patients. Rather than forcing labs to revise their NPPs by September 23, 2013 (today) and then revise them again when the new CLIA regulations are final, HHS chose to delay enforcement until the new CLIA-specific rule is released.

This delay applies to HIPAA-covered, CLIA-certified or CLIA-exempt laboratories that are not required to provide an individual with access to his or her laboratory test reports under the HIPAA Privacy Rule because the information is subject to the exceptions to the right of access. The delay does not apply to laboratories that operate as part of a larger legal entity, such as a hospital, and that, by virtue of that relationship, do not have their own laboratory-specific NPPs.

To read more about the HHS Proposed Rule that will enable direct access to laboratory test results by patients, see our September 14, 2011 blog post. To read the Proposed Rule, click here.

Privacy Breaches – They’re FTC Territory, Too!

by Ann F. Triebsch

We’ve all heard about HIPAA privacy breaches until we think there couldn’t be anything else to worry about. Think again—the Federal Trade Commission (FTC) is prosecuting privacy breaches in the health care industry as a violation of Section 5 of the FTC Act. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is charged with enforcing HIPAA, but some of those same privacy breaches can be scrutinized by the FTC to determine if they are “unfair or deceptive acts or practices in or affecting commerce,” which the FTC Act prohibits. On August 29, 2013, the FTC filed suit in Federal District Court in Atlanta against LabMD, a medical testing laboratory, and its president, to compel it to comply with an investigative demand for information on whether it failed to properly protect private information of about 9,000 consumers (FTC v. LabMD, U.S.D.C. N.D. Ga., Case No. 1:12-CV-3005).