Federal Law Resources

Health Insurance Portability and Accountability Act

Kentucky Medicaid Further Expands Telehealth Coverage

WyattLLP Data Privacy & Security, Health Information Technology, HIPAA , , , , ,

By Lindsay K. Scott

Following expansion by the Department of Human Health Services’ Office for Civil Rights (“OCR”) and the Centers for Medicare and Medicaid Services (“CMS”) of federal telehealth services and relaxation of certain requirements, Kentucky Medicaid is following suit.

On March 17, 2020, the Centers for Medicare and Medicaid Services published guidance expanding the use of telehealth and relaxing restrictions on its use. The Office for Civil Rights, the agency responsible for enforcement of HIPAA, followed up with guidance making it clear that it will not enforce penalties for the use of technology that is not HIPAA compliant, when used in the good faith provision of telehealth services:

Under this Notice, covered health care providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency.  Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.

Continue reading

OCR Settlement a Message to Providers: Every Day Counts to Notify Affected Persons After a HIPAA Data Breach

Margaret Young Levi Data Privacy & Security, HIPAA, Privacy & Security , , , ,

The U.S. Department of Health & Human Services, Office of Civil Rights (OCR) entered into a settlement with Presence Health Network relating to its failure to provide timely notification of a breach of unsecured protected health information under the Health Insurance Portability & Accountability Act (HIPAA). OCR data breach settlements typically concern a covered entity’s failure to properly secure protected health information; this marks the first settlement involving a provider’s failure to report a data breach in a timely manner.

Under the HIPAA Breach Notification Rules, covered entities must provide notification of a breach without unreasonable delay and in no case later than 60 days following the discovery of a breach to affected individuals, and, in breaches affecting more than 500 individuals, to OCR and the media.

Presence Health is a not-for-profit health system serving 150 locations in Illinois. Presence Health first discovered that some paper copies of its surgery schedules at one location were missing on October 22, 2013, and these documents contained the protected health information of 836 individuals. The information consisted of the Continue reading

FTC issues Final Order and data security lessons in LabMD case

Margaret Young Levi Cyber Security and Cyber Crime, Data Privacy & Security, FTC Enforcement, HIPAA, Privacy & Security , , , , , , ,

After HoursOn July 29, 2016, the Federal Trade Commission (FTC) made the latest move in its battle with LabMD, Inc. (LabMD) when it reversed an initial decision by an administrative law judge (ALJ).  The FTC determined that LabMD’s data security practices constitute an unfair act or practice within the meaning of Section 5 of the Federal Trade Commission Act.  It issued an Opinion and Final Order requiring LabMD to “notify affected consumers, establish a comprehensive information security program reasonably designed to protect the security and confidentiality of the personal consumer information in its possession, and obtain independent assessments regarding its implementation of the program.”

This fight began in 2013 when the FTC first filed a Complaint contending that LabMD failed to reasonably protect data maintained on its computer network.  Two alleged security incidents form the basis of the Complaint.  In the first incident, Tiversa, trying to solicit LabMD’s business, discovered that a June 2007 insurance aging report containing personal information was available on a peer-to-peer (P2P) file-sharing network and informed LabMD.  In the second incident, dozens of day sheets and a small number of Continue reading

A Single Stolen, Unencrypted Laptop Can Cost Entities Millions of Dollars

Margaret Young Levi Cyber Security and Cyber Crime, Data Privacy & Security, Privacy & Security , , , , , ,

laptop encryptionEarlier this week, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced two, multimillion dollar settlements relating to “potential” privacy and security violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  Both settlements stem from the entity’s reports to OCR of the thefts of unencrypted laptops containing electronic protected health information (ePHI) even though one of the laptops was password protected.

First, on March 16, 2016, OCR announced that North Memorial Health Care of Minnesota agreed to pay $1,550,000 to settle potential violations of the HIPAA Privacy and Security Rules after a laptop containing the ePHI of 9,497 individuals was stolen from the vehicle of one of its contractors in July 2011.

OCR’s subsequent investigation determined that North Memorial failed to enter into a business associate agreement with this contractor, as required under the HIPAA Privacy and Security Rules.  The investigation also discovered that North Memorial failed to conduct an organization-wide risk analysis to address all of the risks and vulnerabilities to its ePHI.  OCR concluded Continue reading

New HIPAA Exception Allows Covered Entities to Report Behavioral Health Considerations Applicable to Possessing a Firearm

Margaret Young Levi Privacy & Security , , , , , , , , ,

gun rangeAs of February 5, 2016, a change in the law allows certain health care providers to report the identity of an individual who is prohibited from possessing a firearm for mental health reasons to the National Instant Criminal Background Check System (“NICS”).  The Department of Health & Human Services (“HHS”) amended the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule to allow such reporting by health care providers who are a “covered entity” under HIPAA and who are: state agencies; designated by the state with lawful authority to make the adjudications or commitment decisions that make individuals subject to a “mental health prohibitor”; or serve as repositories of information for NICS reporting purposes.  The Final Rule that makes this amendment to HIPAA was published in the Federal Register on January 6, 2016: click here.

Before this amendment, health care providers who are “covered entities” under HIPAA could report information to the NICS only if:

(1) the health care provider had designated itself as a “hybrid entity” where the Privacy Rule would apply only to the entity’s functions that are subject to Continue reading