It was reported Wednesday that cyber bandits, with no need to brandish bandanas to obscure identity or firearms to force entry, recently waltzed into the IT vaults of Anthem, the second-largest U.S. health insurer, in a sophisticated and well-orchestrated robbery and walked off with personally identifiable information on about 80 million current and former members, a population that comprises Anthem customers, employees and its CEO, Joseph R. Swedish. The haul is reported to have included names, birthdates, Social Security numbers, medical identification numbers, street and email addresses and employee income data. Fortunately, there’s no indication at this point that credit-card numbers, claims information, test results or diagnostic codes were compromised as part of the crime. That said, to minimize the potential harm, Anthem has called in the FBI, is notifying affected individuals and is offering free credit and identity-theft monitoring.
Data Privacy & Security/HIPAA/HITECH
Interoperability 2017 – Will the latest government plan be the golden spike that connects the EHR rails?
Seemingly picking up where we left off in our recent white paper and Advisory Board article, the Obama administration released a 166-page draft plan January 30th intended to drive providers and patients toward a common set of electronic clinical information and a commitment to more fully connected EHR systems by the end of 2017.
Unique Considerations in Healthcare M&A Part 1 – Due Diligence
Due diligence is often perceived as a mundane part of the mergers & acquisitions (M&A) process, but its importance in healthcare transactions is critical. Due diligence is one of the first steps of any transaction and involves a buyer undertaking an in-depth examination of the target to evaluate the business and uncover potential issues or liabilities. In the healthcare industry, diligence is especially important considering the heavy regulation of the industry, the unique areas of risk, and the significant liabilities that could be imposed upon a buyer if issues and liabilities are not identified before the transaction closes.
Deadline for HIPAA breach notification approaching
Under HIPAA rules, covered entities are required to report breaches of unsecured protected health information (PHI) to the Secretary of the Office for Civil Rights (OCR). The deadline for reporting breaches of PHI discovered during 2014 that affected fewer than 500 individuals is March 1, 2015.
Data security lessons learned from FIN4 cyber attacks
By now you have probably heard about the ongoing FIN4 cyber attacks on publicly traded entities in the healthcare and pharmaceutical industries. If not, here’s a brief recap.
On Sunday, Nov. 30, security consulting firm FireEye published a report on the current hacking efforts of a group dubbed FIN4. FIN4 has targeted more than 100 organizations, 68 percent of them publicly traded healthcare and pharmaceutical companies, stealing non-public information for illicit trading advantage. Additional targets include law firm partners and M&A consultants privy to proprietary information on imminent merger and acquisition transactions or other non-public, market-moving developments.
Husch Blackwell attorneys address Ebola challenges
A Dec. 1 Strafford webinar on the legal and regulatory challenges of Ebola will feature five Husch Blackwell attorneys. The 90-minute CLE webinar with interactive Q&A will provide guidance to healthcare counsel and their clients in addressing HIPAA and EMTALA concerns when treating Ebola patients.
The panel will discuss state and federal mandatory reporting requirements, employment issues and lessons learned from the first U.S. Ebola cases.
HHS releases reminder about HIPAA rules in wake of Ebola outbreak
The U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) released a bulletin on Nov. 10 reminding entities covered under the Health Insurance Portability and Accountability Act (HIPAA) that the protections continue to be in effect during emergencies, including Ebola and other outbreaks. HHS wants to make sure healthcare providers are aware of the ways in which patient information may be shared under the HIPAA Privacy Rule in emergency situations.
Upcoming webinar to offer legal, regulatory considerations for healthcare professionals preparing for Ebola
Now that patients with Ebola have landed on U.S. soil, hospitals and other healthcare providers must prepare for the possibility that a patient with Ebola will walk through the doors. In this Oct. 30 webinar, Husch Blackwell presenters will look at some of the pressing legal issues related to treating patients with communicable diseases such as Ebola, and what providers can do now to prepare their clinical, compliance and legal teams.
New White Paper On Avoiding Liability with EHR Systems Now Available
In the Electronic Health Records (EHR) space, unconnected and competing systems carry the potential for organizational train wrecks.
Until robust, efficient, and mandatory interoperability standards emerge, providers should consider linking systems through other means, as failure to do so may lead to malpractice and regulatory compliance issues.
HIPAA deemed compliance period ends next month
The U.S. Department of Health & Human Services (“HHS”) issued final regulations in January 2013 modifying the privacy, security and enforcement provisions under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Covered entities and business associates were generally required to comply with the final regulations by Sept. 23, 2013. To reduce the administrative burden and costs of renegotiating existing business associate agreements, HHS provided a transition period. Business associate agreements in place as of Jan. 25, 2013, and not modified or renewed between March 26, 2013, and Sept. 23, 2013, were deemed to comply with the new regulations for up to 12 months. All relevant entities should note that the deemed compliance period ends Sept. 22, 2014.