June 5, 2012
On March 24, 2012, the Department of Health and Human Services (HHS) sent the much-anticipated rule implementing the HITECH Act changes to HIPAA (HITECH Rule) to the Office of Management and Budget (OMB). This starts the clock running on the 90-day period allowed for OMB review. It is expected that, given the scope of the regulations, OMB will take most, if not all, of its allotted 90 days. In any event, the HITECH Rule is expected by late June 2012. While the authors have noted references to the final rule in publications about the HHS document released to the OMB, the HHS announcement actually states that it will be a “notice and comment rulemaking required by the Administrative Procedures Act. Thus, the final rule will not be published until after the end of the notice and comment period.
Read More »
April 24, 2012
On the heels of its $1.5 million settlement with a large payor, Blue Cross Blue Shield of Tennessee, the Department of Health and Human Services Office for Civil Rights (OCR) announced on April 17, 2012, that it settled with a small physician practice for HIPAA safeguard violations. Phoenix Cardiac Surgery, P.C., a practice owned by two physicians, entered into a settlement agreement and agreed to pay $100,000 after OCR found the practice posted unsecured calendar appointments and sent unsecured emails. Read More »
March 29, 2012
Increased enforcement is a key message from the Department of Health and Human Services Office for Civil Rights (OCR). Since the start of 2012, OCR has publicized settlements with three entities: two of which concerned civil rights violations under section 504 of the Rehabilitation Act and the most recent of which concerned violations of the HIPAA Security Rule. On March 13, 2012, OCR issued a press release detailing its settlement with Blue Cross and Blue Shield of Tennessee (BCBST), under which BCBST agreed to pay $1.5 million and enter into a 450-day Corrective Action Plan (CAP) to address its HIPAA compliance issues. BCBST settled following an investigation triggered by the report of a “breach” when 57 unencrypted hard drives, including patient records for over a million individuals, were stolen from a leased facility in Tennessee. Read More »
February 13, 2012
In response to provider complaints regarding its web-interface, CMS has extended the deadline to electronically file hardship exemption requests from the 2012 payment adjustment of the eRx Incentive Program (the “Program”). In a statement on a CMS website devoted to the payment adjustments, CMS explained, “The Communication Support Page will remain available for eligible professionals to submit their 2012 eRx Payment Adjustment Significant Hardship Exemption Request until November 8, 2011 at 11:59:59 PM EST.” It is through the Communication Support Page (“CSP”) and only through the CSP that individual eligible professionals (as opposed to group practices) may file electronic requests for exemption from the pending 2012 “payment adjustment” (a 1% decrease in all 2012 Part B professional services paid under the Medicare Fee Schedule). “Eligible Professionals” who are subject to the requirements of the eRx Program and who failed to qualify as “successful electronic prescribers” by June 30, 2011 should immediately take steps to assess, and, as necessary, request a hardship exemption from the 2012 payment adjustments.
Read More »
January 18, 2012
Last summer, the United States Department of Health and Human Services (HHS) sought comments on potential revisions to the Common Rule [PDF] after over two decades of virtually no change. In the advanced notice of proposed rule making [PDF] related to the Common Rule, HHS sought to address concerns about institutional review boards’ (IRBs) review of informational risk, or those risks related to unauthorized release of research subject data, with the goal of balancing the protection provided by IRBs to human subjects with the progression of research. HHS looked to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its privacy and security standards as a potential framework to ensure these protections. In addition, HHS focused on the heightened risk in areas such as genetic research and sought feedback on future use biospecimens (such as tissue) and consent requirements.
Read More »
January 18, 2012
Cloud computing is a hot topic in business (including the health care business) due in large measure to the potential cost savings involved. Health care providers, however, have to consider more than just cost savings. At base, cloud computing is not a new concept and the HIPAA security risks it poses are not new. However, the risks arise in a new context. Providers interested in cloud computing will need to familiarize themselves with the new technological environment to best address the risks and formulate appropriate agreements and compliance structures. Read More »
January 18, 2012
2012 will not, unfortunately, bring certainty to the many providers who submitted hardship exemption requests for the electronic prescribing incentive program (commonly called “eRx”). Although the deadline for submissions for hardship exemptions was extended (as is further described in our bulletin), recent emailed notices from CMS indicate that the overwhelming number of requests will prevent notices from being sent to providers regarding the status of their exemptions. Accordingly, many providers will spend at least part of 2012 uncertain whether they are or are not being penalized 1 percent of their 2012 Part B fees for their failure to become “successful electronic prescribers.” Read More »
January 18, 2012
The Affordable Care Act (ACA), as part of its cost containment efforts, empowered the Secretary of the Department of Health and Human Services (HHS) to adopt electronic transfer standards in an interim final rule with comment period amending the Health Insurance Portability and Accountability Act of 1996 (HIPAA) electronic transaction standards. HHS did so on January 10, 2012, in a new final interim rule entitled Adoption of Health Standards For Health Care Electronic Funds Transfer and Remittance Advice. This final interim rule is slated to save hospitals and physicians time and money on billing matters, allowing them to focus on delivery of quality care to patients. Comments are due March 12, 2012. The rule went into effect on January 10, 2012 and health plans covered by HIPAA must comply by January 1, 2014. Read More »
January 18, 2012
In 2012, new statutes in California and Texas will require that providers make state-specific changes to their existing privacy compliance procedures. The changes made in California are detailed below. Texas’s new law is addressed in “Texas (and California) Increase Privacy Requirements.“
California’s Senate Bill 24 (SB 24), which took effect on January 1, 2012, makes substantial modifications to sections 1798.29 and 1798.82 of the Civil Code, two of the state’s several data breach notification laws. Section 1798.82 applies to any person or business that conducts business in California, and in effect appears to serve as the state’s “floor” provision, applying certain data breach reporting responsibilities to essentially every entity doing business in the state. In addition, under existing California law, certain licensed health care providers are subject to separate, additional breach notification law – Health & Safety Code § 1280.15, for example, which imposes additional specific obligations (including a five-day disclosure deadline) on the specifically identified entity types. SB 24 makes no changes to these existing requirements. Read More »
December 28, 2011
This article originally appeared in the December 28, 2011 issue of Bloomberg’s Health Law Report.
Health care reform is a critical issue facing our nation, and a hot topic for the 2012 elections. Tough economic times leave many Americans unemployed and without health care insurance. At the same time, Congress struggles to balance a hotly contested budget. Compounding the issue are the over 9,000 baby boomers turning 65 each day1 and ultimately becoming eligible for the already overburdened Medicare program. This article explores five trends that will survive the election, regardless of whether a Republican or Democrat lands in the White House. Read More »
On March 24, 2012, the Department of Health and Human Services (HHS) sent the much-anticipated rule implementing the HITECH Act changes to HIPAA (HITECH Rule) to the Office of Management and Budget (OMB). This starts the clock running on the 90-day period allowed for OMB review. It is expected that, given the scope of the regulations, OMB will take most, if not all, of its allotted 90 days. In any event, the HITECH Rule is expected by late June 2012. While the authors have noted references to the final rule in publications about the HHS document released to the OMB, the HHS announcement actually states that it will be a “notice and comment rulemaking required by the Administrative Procedures Act. Thus, the final rule will not be published until after the end of the notice and comment period. 
