Data Privacy & Security/HIPAA/HITECH

Hospice Insights

With all that 2020 has brought, the Information Blocking Rule that came out of the Cures Act was under the radar of many hospices. Thankfully, HHS extended the compliance date for the Rule to April 5, 2021, from November 2, 2020. With this additional time, hospices need to evaluate how they will achieve compliance; what

HIPAA Regulations

On October 29, 2020, HHS extended the effective date of compliance for the “Information Blocking” final rule promulgated as part of the 21st Century Cures Act (Information Blocking Rule). The Information Blocking Rule, which was set to take effect on November 2, 2020, prohibits health care providers, IT developers, and health information exchanges from unreasonably interfering with the access, exchange, or use of electronic health information (EHI). We previously discussed the practice of information blocking and the eight exceptions in our blog post Information Blocking: Ready or Not, Here it Comes!.

Matrix on blue with rays

The combination of a significant increase in COVID-19 cases, political tensions in the final days of a national election season, and law enforcement’s focus on election security created an opportunity for cybercriminals to target the computer networks of America’s healthcare and public health (HPH) sector. That opportunity has come to fruition this week.

On October 28, 2020 the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) published Alert AA20-302A (Alert) describing ransomware activity that has targeted the HPH sector. In the Alert, CISA, FBI and HHS assess that cybercriminals are targeting the HPH sector with TrickBot and BazarLoader malware, which are frequently followed by ransomware attacks, data theft, and disruption of healthcare services.

Two new federal rules will make it easier for consumers to access, use and transmit their personal healthcare information using an app on their smartphone or tablet.  The regulations implement prior legislation and advance the current Administration’s intent to empower patients to be better consumers and transform the healthcare industry.

The two final rules were released on March 9 by the Department of Health and Human Services (DHHS):  from the Office of the National Coordinator for Health Information Technology (ONC), the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program final rule; and, from the Centers for Medicare and Medicaid Services (CMS), the final rule on Interoperability and Patient Access.

On April 8, 2020, the U.S. Department of Health & Human Services (HHS) Office of the Assistant Secretary for Health released guidance authorizing pharmacists to order and administer COVID-19 tests.  Immediately following this guidance, on April 9, 2020, the HHS Office of Civil Rights (OCR) announced that it will exercise its enforcement discretion and will refrain from imposing penalties for violations of HIPAA for covered entities or business associates participating, in good faith, in the operation of COVID-19 Community-Based Testing Sites (CBTS) during the nationwide public health emergency.  The guidance regarding pharmacists testing for COVID-19 and the notice related to the relaxation of HIPAA rules comes on the heels of pharmacies, such as CVS and Walgreens, taking on a more active and critical role in the fight against the COVID-19 pandemic.

On March 27, 2020, President Trump signed the Coronavirus Aid, Relief and Economic Security Act (the CARES Act) into law. Section 3221 of the CARES Act ratified fundamental changes to the Public Health Service Act, codified at 42 U.S.C. § 290dd-2 and associated regulations, which govern the confidentiality requirements of substance use disorder records, commonly known as 42 C.F.R. Part 2, or simply, “Part 2.” Substance use disorder (SUD) records are defined broadly as “[r]ecords of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance abuse education, prevention, training, treatment, rehabilitation, or research.” The changes are significant and align with the increasing movement to align the Part 2 rules with the Health Insurance Portability and Accountability Act (HIPAA). The CARES Act requires the Department of Health and Human Services (HHS) to revise the Part 2 regulations within 12 months to comply with the CARES Act.

On March 17, 2020, the Department of Health and Human Services, Office of Civil Rights (OCR) issued guidance related to how Covered Entities can comply with HIPAA and the Privacy Rule and still disclose protected health information (PHI) about individuals infected with or exposed to COVID-19 to law enforcement, paramedics, other first responders, and public health authorities (Essential Providers).

With the New Year underway, the deadline is quickly approaching for HIPAA covered entities to file their annual breach reports with the U.S. Department of Health & Human Services Office for Civil Rights (“OCR”).

While breaches involving 500 or more individuals must be reported no later than 60 calendar days from the date of discovery,

As most healthcare providers know, HIPAA requires that covered entities or business associates  conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (“ePHI”) held by the covered entity or business associate.[1] Providers who receive Meaningful Use incentive payments from the Centers for Medicare and Medicaid Services (“CMS”) for implementing electronic health record (“EHR”) systems into their practices or operations are also likely aware of the fact that one of the many requirements for these incentive payments is to conduct a HIPAA security risk analysis annually. Now, perhaps more than ever before, both CMS and the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) is demonstrating the importance of ensuring that these risk analyses are performed, or providers can face dire consequences. Below are the top reasons to conduct a thorough HIPAA security risk analysis.

A little rain can’t stop SXSW. Husch Blackwell attorneys have attended dozens of interesting presentations and met countless innovative minds. We will continue to post live updates on Twitter (@HBhealthcarelaw) and release brief blog posts related to certain presentations throughout the event. With former VP Joe Biden in town to discuss his cancer moonshot today, our focus is precision medicine.

Precision medicine is an innovative approach to medical treatment that takes into account individual differences in people’s genes, environments, and lifestyles. The promise of precision medicine is delivering the right treatments, at the right time, to the right person. The potential of precision medicine is recognized at the highest levels of government. In his 2015 State of the Union address, former President Barack Obama launched the Precision Medicine Initiative (“PMI”), a bold new research effort to revolutionize health and the treatment of disease. Subsequently, Sylvia M. Burwell, Secretary of the U.S. Department of Health & Human Services (“DHHS”), announced the FY 2016 budget would include $215 million for the PMI, with $200 million of this to be used by the National Institutes of Health (“NIH”) to launch the All of Us program, a national cohort of a million or more Americans who volunteer to share genetic, clinical, and other data to improve research. The funds will also be used to invest in expanding current cancer genomics research and to initiate new studies on how a tumor’s DNA can inform prognosis and treatment choices.