Privacy & Security/HIPAA/HITECH

With the New Year underway, the deadline is quickly approaching for HIPAA covered entities to file their annual breach reports with the U.S. Department of Health & Human Services Office for Civil Rights (“OCR”).

While breaches involving 500 or more individuals must be reported no later than 60 calendar days from the date of discovery, breaches involving fewer than 500 individuals can be documented throughout the course of the year and submitted 60 days after the end of the calendar year.[1] This means that covered entities have until February 28, 2018 to complete their annual breach reporting obligations.

If you need assistance completing or filing your breach reports, please contact Julie Sullivan at 303.749.7255 or your usual Husch Blackwell attorney.

[1] 45 C.F.R. §§ 164.408(b),(c), available at https://www.law.cornell.edu/cfr/text/45/164.408.

As most healthcare providers know, HIPAA requires that covered entities or business associates conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (“ePHI”) held by the covered entity or business associate.[1] Providers who receive Meaningful Use incentive payments from the Centers for Medicare and Medicaid Services (“CMS”) for implementing electronic health record (“EHR”) systems into their practices or operations are also likely aware of the fact that one of the many requirements for these incentive payments is to conduct a HIPAA security risk analysis annually. Now, perhaps more than ever before, both CMS and the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) are demonstrating the importance of ensuring that these risk analyses are performed, or providers can face dire consequences. Below are the top reasons to conduct a thorough HIPAA security risk analysis. Continue reading: Top 5 Reasons to Conduct a Thorough HIPAA Security Risk Analysis

A little rain can’t stop SXSW. Husch Blackwell attorneys have attended dozens of interesting presentations and met countless innovative minds. We will continue to post live updates on Twitter (@HBhealthcarelaw) and release brief blog posts related to certain presentations throughout the event. With former VP Joe Biden in town to discuss his cancer moonshot today, our focus is precision medicine.

Precision medicine is an innovative approach to medical treatment that takes into account individual differences in people’s genes, environments, and lifestyles. The promise of precision medicine is delivering the right treatments, at the right time, to the right person. The potential of precision medicine is recognized at the highest levels of government. In his 2015 State of the Union address, former President Barack Obama launched the Precision Medicine Initiative (“PMI”), a bold new research effort to revolutionize health and the treatment of disease. Subsequently, Sylvia M. Burwell, Secretary of the U.S. Department of Health & Human Services (“DHHS”), announced the FY 2016 budget would include $215 million for the PMI, with $200 million of this to be used by the National Institutes of Health (“NIH”) to launch the All of Us program, a national cohort of a million or more Americans who volunteer to share genetic, clinical, and other data to improve research. The funds will also be used to invest in expanding current cancer genomics research and to initiate new studies on how a tumor’s DNA can inform prognosis and treatment choices.

Continue reading: Precision Medicine – The All of Us Program

Today kicks off one of Austin’s largest and best-known events, the South by Southwest Interactive Conference. In the spirit of Husch Blackwell’s involvement in several aspects of the conference, this post will touch on emerging health technology and pushing the limits of HIPAA.

New technology is being developed to be used in healthcare settings on a near daily basis. Telehealth, mobile apps, medical devices, implantables, robotics, electronic health records, e-prescriptions, digital pills, and wearables are just a few of the innovations that contribute to a patient’s treatment. There are more ways for people to access medical care, and more ways to produce and share patient data with healthcare providers than ever before. At some point in the development stage, you and your team probably asked questions like these:

  • What data are we collecting? Where do we keep it?
  • How can we use it? How can we not use it?
  • Who owns it? Can we own it?
  • Does HIPAA apply to us?
  • Are there other laws we need to worry about?
  • What if we lose some data?

First things first, a quick primer on HIPAA, the law you’re likely generally aware of. HIPAA is comprised of a privacy component and a security component. The HIPAA privacy rule addresses the confidentiality of certain health information and the HIPAA security rule sets basic security standards for certain health information held or transferred in electronic form. These regulations apply to covered entities and their business associates. Generally, a covered entity is a health plan, a healthcare clearinghouse, or a healthcare provider. A business associate is an individual or entity that creates, receives, maintains or transmits PHI in the course of performing services on behalf of a covered entity. Basically, PHI may not be used or disclosed by a covered entity (or a business associate on its behalf) without patient authorization unless an exception applies. One frequently cited exemption relates to the use and disclosure of PHI necessary to carry out treatment, to obtain payment, or to conduct healthcare operations. When PHI is shared between a covered entity and a business associate, the parties execute a business associate agreement that governs the business associate’s use and security of PHI.

Innovative technology is pushing the limits of HIPAA. Companies may encrypt and store data for a covered entity but never have access to it, and companies may act purely as a conduit to connect two hospital systems sharing data but never store or alter the data in any way. Should companies like this be subject to HIPAA? This is a point of contention that the government is trying to clarify. This has been done through guidance issued by Health and Human Services addressing the application of HIPAA to cloud service providers (found here). Further, the OCR has developed an online privacy and security portal for mobile app developers (found here) and HIMSS has developed a mobile health security kit (found here). It will be important to remain aware of further guidance that may be issued by multiple government agencies.

But what if you’re not a covered entity and you don’t have a relationship with a covered entity that makes you a business associate? Just because you have access to medical data does not necessarily mean HIPAA applies. When someone buys a Misfit fitness tracker off the shelf, the data collected by the wearable is not protected by HIPAA. However, if a person receives a wearable from their physician to track certain data, that information likely is protected under HIPAA. This is an important distinction.

So if HIPAA doesn’t apply, what does? The Federal Trade Commission (FTC) has issued the Health Breach Notification Rule to require certain businesses to notify their customers if there’s a breach of unsecured, individually identifiable electronic health information. This applies to any entity that is not subject to HIPAA, but collects or maintains identifiable health information on an individual. Further, the FTC is becoming very active in enforcing its consumer protection laws against companies for misrepresenting how an individual’s data is used or a company’s failure to adhere to its own data use and protection policies.

Finally, states are able to establish rules more stringent than HIPAA, so it is very important to take such laws into consideration. A state may expand the definition of a covered entity or business associate, and may have its laws apply to any entity that has access to the health information of a resident of the state. This may mean that the laws of a state where you don’t have a physical location may apply to you through the data you collect.

If you have any questions about what privacy laws may apply to your operations, please feel free to contact me directly at (214) 999-6132 or john.ferguson@huschblackwell.com.

Emerging Issues in Healthcare Law is coming to the Big Easy. The American Bar Association’s 18th annual conference is slated for New Orleans March 8-11.

Husch Blackwell is a platinum sponsor of this event featuring the most emergent topics facing the healthcare bar. As the industry faces changes and continues to grow under healthcare reform and enforcement, this conference allows attendees a perfect opportunity to stay ahead of the developments. Continue reading: Don’t miss Emerging Issues in Healthcare Law

A California federal court handed down a decision last Friday that may further influence how healthcare entities should approach the Telephone Consumer Protection Act’s (TCPA) “emergency purpose” exception as applied to calls or texts related to patient health and safety. In St. Clair v. CVS Pharmacy, Inc., No. 16-CV-04911-VC, 2016 WL 7489047, at *1 (N.D. Cal. Dec. 30, 2016), the plaintiff alleged that CVS Pharmacy called him multiple times about his prescriptions after he told a customer representative that he no longer wished to be called. CVS moved to dismiss the lawsuit by claiming that all of the calls at issue fell under the emergency purpose exception contained in the statute, and therefore were not subject to the TCPA. Continue reading: St. Clair v. CVS Pharmacy, Inc. and healthcare calls under the TCPA’s emergency purpose exception

Any agreement between two parties begins with the rosy optimism that the good times will last forever. In the world of technology licensing and development, however, we know this is rarely the case. While the Byte Back blog has previously considered data security oversight by the board of directors of the company, it is also important for a company’s legal and procurement teams to establish a plan for the security, use, and transition of its data throughout the contracting process. These issues are particularly important in highly regulated industries such as healthcare.


Backing up electronic health record data may become an important aspect of complying with and mitigating risk under the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) if the U.S. Health and Human Services Office of Civil Rights (OCR) heeds legislators’ recommendations. Continue reading: Congress’ suggestions for ransomware treatment under HIPAA

On April 29, 2016, the Joint Commission released an update (“Update”) providing for the use of text messaging to submit orders for patient care, treatment, or services to the hospital or other health care settings for all accreditation programs. Back in 2011, the Joint Commission believed that the technology necessary to secure the contents of a text message, verify the identity of the person sending the message, and retain the original message within the medical record was not readily available, and, therefore, prohibited the use of text messaging to submit orders. However, this has changed as reasonably accessible technology has been developed which mitigates the security and record retention risks the Joint Commission previously identified. In the Update, the Joint Commission said, “effective immediately, licensed independent practitioners or other practitioners in accordance with professional standards of practice, law and regulation, and policies and procedures may text orders as long as a secure text messaging platform is used and the required components of an order are included.” Continue reading: Orders can be submitted by text – the Joint Commission update

Based on recent news stories and our experience, it appears that cybercriminals may be targeting healthcare providers with ransomware attacks. Publicly reported incidents and others of which we are aware have involved providers ranging from clinics and imaging centers to hospitals, and these entities have had to pay hundreds to thousands of dollars to gain access to their medical records, billing records or other vital computer systems – often after significant interruption of operations. On March 31, 2016, the U.S. Dept. of Homeland Security issued an alert about these attacks as a result of recent attacks on businesses including healthcare facilities and hospitals worldwide. Continue reading: Caution – Vendors are not the only ones charging you to use your EHR/EMR!