Privacy Breaches – They’re FTC Territory, Too!

by Ann F. Triebsch

We’ve all heard about HIPAA privacy breaches until we think there couldn’t be anything else to worry about. Think again: the Federal Trade Commission (FTC) is prosecuting privacy breaches in the health care industry as a violation of Section 5 of the FTC Act. The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) is charged with enforcing HIPAA, but some of those same privacy breaches can be scrutinized by the FTC to determine if they are “unfair or deceptive acts or practices in or affecting commerce”, which the FTC Act prohibits. On August 29, 2013, the FTC filed suit in Federal District Court in Atlanta against LabMD, a medical testing laboratory, and its president, to compel it to comply with an investigative demand for information on whether it failed to properly protect private information of about 9,000 consumers (FTC v. LabMD, U.S.D.C. N.D. Ga., Case No. 1:12-CV-3005).


HIPAA BAA Deadline is Monday, September 23, 2013


by Margaret Young Levi

Reminder: the clock is ticking for covered entities and business associates to come into compliance with new requirements under the HITECH-HIPAA Omnibus Rule. Monday, September 23, 2013 is the deadline for covered entities and business associates to put into place new Business Associate Agreements (“BAAs”). As we blogged on March 4th, any new BAAs signed after January 24, 2013 should comply with added requirements under the Omnibus Rule. These new agreements must be signed and in place by September 23, 2013.

Current BAAs (those signed on or before January 24, 2013) will be grandfathered and deemed HIPAA compliant through September 23, 2014, at which time the BAA will need to have been amended for compliance with the Omnibus Rule. 

As a first step, covered entities should verify that they have identified all of their business associates, particularly in light of the revised definition of “business associate” in the Omnibus Rule. Covered entities should enter into compliant BAAs with any newly identified business associates or with existing business associates if the agreements are renewed after January 24th (excluding those BAAs that automatically renewed).

Business associates will now be directly liable for their actions under HIPAA and should take steps to identify their downstream business associates, called “subcontractors,” and enter into BAAs with those subcontractors.

See our March 4, 2013 post for additional details.

HIPAA Breaches in the News Again!

It has been widely reported that WellPoint Inc. recently agreed to pay a $1.7 million fine to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy and Security Rules. The U.S. Department for Health & Human Services’ (“HHS”) press release asserts that WellPoint failed to “implement appropriate administrative and technical safeguards” required by HIPAA when it left an online application database unsecured and exposed the electronic protected health information (“PHI”) of more than 600,000 individuals. WellPoint self-reported this issue when it submitted a breach notification required under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. This breach highlights the importance of ensuring that PHI is secured when system updates are performed.


ONC Announces New Certified HIT Mark

Last week, the Department of Health and Human Service’s (HHS) Office of the National Coordinator for Health Information Technology (ONC) announced its new Certified HIT Mark, similar to the Good Housekeeping Seal of Approval. The Certified HIT Mark provides a way for consumers to feel confident at a glance that “the HIT meets all applicable requirements under the ONC HIT Certification Program.”

The ONC Certification Program ensures that electronic health record technologies meet the standards and certification criteria adopted by HHS to help providers and hospitals achieve Meaningful Use objectives and measures under the Health Information Technology for Economic and Clinical Health (HITECH) Act. Additional information from the ONC about the standards and certification criteria, the certified health IT product list, and the health IT certification program may be found here.

Technical Corrections to HIPAA Omnibus Rule Released

The U.S. Department for Health & Human Services (HHS) announced it is releasing technical corrections to the HIPAA Omnibus Rule tomorrow. These technical corrections are “to address public comment received on the interim final Breach Notification Rule, and to make certain other modifications to the HIPAA Rules to improve their workability and effectiveness and to increase flexibility for and decrease burden on the regulated entities.” HHS “determined that the corrections in this final rule are minor, routine determinations in which the public would not be particularly interested, or about which the public has already been put on notice, given the context of the errors or omissions to be corrected.”

These technical corrections are scheduled to be published on June 7, 2013, but until then, you can download the pre-publication, PDF version here.