As most healthcare providers know, HIPAA requires that covered entities or business associates conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (“ePHI”) held by the covered entity or business associate.[1] Providers who receive Meaningful Use incentive payments from the Centers for Medicare and Medicaid Services (“CMS”) for implementing electronic health record (“EHR”) systems into their practices or operations are also likely aware of the fact that one of the many requirements for these incentive payments is to conduct a HIPAA security risk analysis annually. Now, perhaps more than ever before, both CMS and the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) are demonstrating the importance of ensuring that these risk analyses are performed, or providers can face dire consequences. Below are the top reasons to conduct a thorough HIPAA security risk analysis.
Precision Medicine – The All of Us Program
A little rain can’t stop SXSW. Husch Blackwell attorneys have attended dozens of interesting presentations and met countless innovative minds. We will continue to post live updates on Twitter (@HBhealthcarelaw) and release brief blog posts related to certain presentations throughout the event. With former VP Joe Biden in town to discuss his cancer moonshot today, our focus is precision medicine.
Precision medicine is an innovative approach to medical treatment that takes into account individual differences in people’s genes, environments, and lifestyles. The promise of precision medicine is delivering the right treatments, at the right time, to the right person. The potential of precision medicine is recognized at the highest levels of government. In his 2015 State of the Union address, former President Barack Obama launched the Precision Medicine Initiative (“PMI”), a bold new research effort to revolutionize health and the treatment of disease. Subsequently, Sylvia M. Burwell, Secretary of the U.S. Department of Health & Human Services (“DHHS”), announced the FY 2016 budget would include $215 million for the PMI, with $200 million of this to be used by the National Institutes of Health (“NIH”) to launch the All of Us program, a national cohort of a million or more Americans who volunteer to share genetic, clinical, and other data to improve research. The funds will also be used to invest in expanding current cancer genomics research and to initiate new studies on how a tumor’s DNA can inform prognosis and treatment choices.
On the Heels of SXSW – Privacy and Emerging Health Technology (It’s More Than HIPAA)
Today kicks off one of Austin’s largest and best-known events, the South by Southwest Interactive Conference. In the spirit of Husch Blackwell’s involvement in several aspects of the conference, this post will touch on emerging health technology and pushing the limits of HIPAA.
New technology is being developed to be used in healthcare settings on a…
Don’t miss Emerging Issues in Healthcare Law
Emerging Issues in Healthcare Law is coming to the Big Easy. The American Bar Association’s 18th annual conference is slated for New Orleans March 8-11.
Husch Blackwell is a platinum sponsor of this event featuring the most emergent topics facing the healthcare bar. As the industry faces changes and continues to grow under healthcare reform and enforcement, this conference allows attendees a perfect opportunity to stay ahead of the developments.
St. Clair v. CVS Pharmacy, Inc. and healthcare calls under the TCPA’s emergency purpose exception
A California federal court handed down a decision last Friday that may further influence how healthcare entities should approach the Telephone Consumer Protection Act’s (TCPA) “emergency purpose” exception as applied to calls or texts related to patient health and safety. In St. Clair v. CVS Pharmacy, Inc., No. 16-CV-04911-VC, 2016 WL 7489047, at *1 (N.D. Cal. Dec. 30, 2016), the plaintiff alleged that CVS Pharmacy called him multiple times about his prescriptions after he told a customer representative that he no longer wished to be called. CVS moved to dismiss the lawsuit by claiming that all of the calls at issue fell under the emergency purpose exception contained in the statute, and therefore were not subject to the TCPA.
Anticipating data issues in your contract process
Any agreement between two parties begins with the rosy optimism that the good times will last forever. In the world of technology licensing and development, however, we know this is rarely the case. While the Byte Back blog has previously considered data security oversight by the board of directors of the company, it is…
Congress’ suggestions for ransomware treatment under HIPAA
Backing up electronic health record data may become an important aspect of complying with and mitigating risk under the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) if the U.S. Health and Human Services Office of Civil Rights (OCR) heeds legislators’ recommendations.
Orders can be submitted by text – the Joint Commission update
On April 29, 2016, the Joint Commission released an update (“Update”) providing for the use of text messaging to submit orders for patient care, treatment, or services to the hospital or other health care settings for all accreditation programs. Back in 2011, the Joint Commission believed that the technology necessary to secure contents of a text message, verify the identity of the person sending the message, and retain the original message within the medical record was not readily available, and, therefore, prohibited the use of text messaging to submit orders. However, this has changed as reasonably accessible technology has been developed which mitigates the security and record retention risks the Joint Commission previously identified. In the Update, the Joint Commission said, “effective immediately, licensed independent practitioners or other practitioners in accordance with professional standards of practice, law and regulation, and policies and procedures may text orders as long as a secure text messaging platform is used and the required components of an order are included.”
Caution – Vendors are not the only ones charging you to use your EHR/EMR!
Based on recent news stories and our experience, it appears that cybercriminals may be targeting healthcare providers with ransomware attacks. Publicly reported incidents and others of which we are aware have involved providers ranging from clinics and imaging centers to hospitals, and these entities have had to pay hundreds to thousands of dollars to gain access to their medical records, billing records or other vital computer systems – often after significant interruption of operations. On March 31, 2016, the U.S. Dept. of Homeland Security issued an alert about these attacks as a result of recent attacks on businesses including healthcare facilities and hospitals worldwide.
They’re back – Round two of the HIPAA audits announced!
The U.S. Department of Health & Human Services Office for Civil Rights (OCR) released its plans for Phase 2 of the HIPAA Audit Program (Phase 2). Whereas Phase 1 was a pilot program conducted by KPMG and intended to assess the controls and processes of 115 covered entities with respect to HIPAA compliance, in Phase…