OCR
Subscribe to OCR's Posts

HIPAA Compliance 101: Lessons from a Recent OCR Settlement

The US Department of Health and Human Services Office for Civil Rights (OCR) recently announced a settlement with a community hospital resolving an investigation under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security rules. While the settlement involved a medical provider, it offers some important lessons for other HIPAA-covered entities, including employer-sponsored group health plans.

The settlement involved impermissible data breaches by non-medical staff who, allegedly, used their login credentials to access patient medical records maintained in the hospital’s electronic medical record system without a job-related purpose. The lesson here is straightforward: all HIPAA-covered entities must “protect the privacy and security of health information.”

The HIPAA privacy and security rules are complex, and full compliance requires substantial resources that are, as a practical matter, beyond the reach of many organizations. While OCR routinely refers to these rules as “scalable,” that claim is difficult to square with our experience. Full compliance with the particulars of the rule is costly and time-consuming, and it requires no shortage of expertise. Thankfully, in practice, OCR tends to focus its investigative resources on certain features of these rules. These features include the following items which covered entities must perform to comply:

  • Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic protected health information;
  • Develop and implement a risk management plan to address and mitigate identified security risks and vulnerabilities identified in the risk analysis;
  • Develop, maintain and revise, as necessary, written HIPAA policies and procedures;
  • Enhance HIPAA and security training programs to provide workforce training on the updated HIPAA policies and procedures; and
  • Review relationships with vendors and third-party service providers to identify business associates and obtain business associate agreements with business associates if not already in place.

Where group health plans are concerned, fully insured plans routinely rely on their carriers for HIPAA compliance, which requires that plan sponsors get only “summary” health information at renewal. This option is not available to self-funded plans, however, even those that contract with a carrier for administrative services. Employers in this latter category should be reasonably confident of surviving an OCR audit or investigation only, at a minimum, by taking the actions listed above.




read more

HHS Issues Guidance on Requirements Under HIPAA for Online Tracking Technologies, Addressing Privacy and Security Concerns Related to Health Information

On December 1, 2022, the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) issued a Bulletin on the obligations of covered entities and business associates (regulated entities) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules (HIPAA Rules) when using online tracking technologies, such as cookies, web beacons and pixels. The Bulletin aims to provide further clarity on when identifiable information collected by such tracking technologies may also constitute protected health information (PHI) as defined and interpreted under the HIPAA Rules. In such instances, the Bulletin instructs that the technology vendor may be seen as providing a service to the regulated entity that would, in light of the use and disclosure of PHI, create a direct or downstream business associate relationship. Accordingly, the Bulletin states that the regulated entities would need to enter into a business associate agreement (BAA) with the vendor of the technology (and the vendor would, in turn, become a regulated entity) and meet other requirements under the HIPAA Rules. The Bulletin provides long-awaited guidance to help regulated entities review their positions and procedures concerning tracking technologies to ensure that the trackers they implement either do not collect PHI or meet the prerequisites outlined in the Bulletin.

Access the full article.




read more

GAO Releases Report on Telehealth

On September 26, the US Government Accountability Office (GAO) released a report titled “Medicare Telehealth: Actions Needed to Strengthen Oversight and Help Providers Educate Patients on Privacy and Security Risks.” The 75-page report describes the utilization of Medicare telehealth services under current pandemic-related waivers, the Centers for Medicare & Medicaid Services (CMS) efforts to identify and monitor risks posed by the current waivers, and a change made by the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) to the enforcement of regulations governing patients’ protected health information during the COVID-19 public health emergency (PHE).

GAO made four recommendations—three directed to CMS and one directed to OCR—aimed at remedying the issues set forth in the report:

  • CMS should develop an additional billing modifier or clarify its guidance regarding billing of audio-only office visits to allow the agency to fully track these visits.
  • CMS should require providers to use available site of service codes to indicate when Medicare telehealth services are delivered to beneficiaries in their homes.
  • CMS should comprehensively assess the quality of Medicare services, including audio-only services, delivered using telehealth during the PHE.
  • OCR should provide additional education, outreach or other assistance to providers to help them explain the privacy and security risks to patients in plain language when using video telehealth platforms to provide telehealth services.

Among its utilization findings, the GAO report found that the use of telehealth services increased from about five million services pre-waiver (April to December 2019) to more than 53 million services post-waiver (April to December 2020) and that, post-waiver, 5% of providers delivered more than 40% of telehealth services, and 5% of beneficiaries accounted for almost 40% of telehealth utilization.

The report noted that CMS lacks complete data on the use of audio-only technology and telehealth visits furnished in patients’ homes, because there is no billing mechanism for providers to identify all instances of audio-only visits, and because providers are not required to use available codes to identify visits furnished in homes. The GAO report also noted that OCR did not advise providers about specific language to use or give direction on explaining risks to patients, with respect to OCR’s March 2020 policy that it would not impose penalties against providers for noncompliance with privacy and security requirements in connection with the good faith provision of telehealth during the PHE.

This GAO report comes on the heels of a recent report from the HHS Office of Inspector General that found little evidence of waste and fraud related to Medicare telehealth services during the first year of the pandemic. These reports are part of a broader push by Congress and the Biden administration to examine current telehealth flexibilities and determine how to extend them beyond the COVID-19 PHE.




read more

HHS Finalizes Anti-Discrimination Revisions to ACA Section 1557

On June 12, 2020, the Office for Civil Rights (OCR) of the US Department of Health and Human Services (HHS) finalized a rule under Section 1557 of the Patient Protection and Affordable Care Act (the 2020 Final Rule) that rescinds certain protections afforded to LGBTQ individuals and persons with limited English proficiency. At the same time, the 2020 Final Rule removes burdensome disclosure requirements that may be a welcome relief for entities covered by Section 1557. On June 15, 2020, the Supreme Court of the United States ruled that workplace discrimination based on gender identity and sexual orientation is forbidden under Title VII of the Civil Rights Act of 1964. Although Title VII is not included in the precedential civil rights laws that gave rise to Section 1557, we nevertheless anticipate that the Supreme Court’s holding will lead to legal challenges in a number of areas, including healthcare and health insurance, religious exemptions and the 2020 Final Rule from HHS OCR.

Access the full article.




read more

HIPAA Boss Sees ‘Low-Hanging Fruit’ Ripe For Enforcement

Healthcare providers and insurers are still making tons of rookie mistakes on patient privacy, turning themselves into easy enforcement targets, according to Roger Severino, director of the US Department of Health and Human Services.

Severino made headlines in 2017 for expressing interest in punishing a “big, juicy, egregious” privacy breach, and seemingly followed through with a $16 million settlement stemming from Anthem Inc.’s megabreach involving 79 million patients. But, an emphasis on smaller violations makes sense in light of the OCR’s recent acknowledgement of limits on its penalty powers, said Edward G. Zacharias, a McDermott partner.

Access the full article.

Originally posted on Law360, February 2020




read more

Transgender Health Benefits: Best Practices and Legal Considerations

A growing number of medical organizations, courts and administrative bodies have stated that transition-related medical care is medically necessary and should be covered by employer-sponsored medical plans. Access to employer-sponsored healthcare coverage for transgender workers has become an issue of focus for civil rights advocacy groups such as Lambda Legal and the American Civil Liberties Union, and there has been an uptick in discrimination lawsuits filed against health plans and insurers denying such care.

These trends highlight the importance of weighing the legal and business considerations that come with providing (or not providing) comprehensive health benefits for transgender workers. Health plan sponsors and insurers should consider how the decision to provide or exclude transition-related medical coverage will affect their legal compliance, overall costs and workplace culture—all of which are discussed in this article.

Access the full article.

Originally published in Benefits Magazine, August 2019.




read more

2018 Digital Health Data Developments – Navigating Change in 2019

Data privacy and security legislation and enforcement saw significant activity in 2018 and early 2019. McDermott’s 2018 Digital Health Year in Review: Focus on Data report – the first in a four-part series – highlights notable developments and guidance that health care providers, digital health companies and other health care industry stakeholders should navigate in 2019. Here, we summarize four key issues that stakeholders should watch in the coming year. For more in-depth discussion of these and other notable issues, access the full report.

  1. EU General Data Protection Regulation (GDPR) enhances protections for certain personal data on an international scale. US-based digital health providers and vendors that either (a) offer health care or other services or monitor the behavior of individuals residing in the EU, or (b) process personal data on behalf of entities conducting such activities should be mindful of the GDPR’s potential applicability to their operations and take heed of any GDPR obligations, including, but not limited to, enhanced notice and consent requirements and data subject rights, as well as obligations to execute GDPR-compliant contracts with vendors processing personal data on their behalf.
  2. California passes groundbreaking data privacy law. The California Consumer Privacy Act (CCPA), which takes effect on January 1, 2020, will regulate the collection, use and disclosure of personal information pertaining to California residents by for-profit businesses – even those that are not based in California – that meet one or more revenue or volume thresholds. Similar in substance to the GDPR, the CCPA gives California consumers more visibility and control over their personal information. The CCPA will affect clinical and other scientific research activities of academic medical centers and other research organizations in the United States if the research involves information about California consumers.
  3. US Department of Health and Human Services (HHS) Office of Civil Rights (OCR) continues aggressive HIPAA enforcement. OCR announced 10 enforcement actions and collected approximately $25.68 million in settlements and civil money penalties from HIPAA-regulated entities in 2018. OCR also published two pieces of guidance and one tool for organizations navigating HIPAA compliance challenges in the digital health space.
  4. Interoperability and the flow of information in the health care ecosystem continues to be a priority. The Office of the National Coordinator for Health Information Technology (ONC) submitted its proposed rule to implement various provisions of the 21st Century Cures Act to the Office of Management and Budget (OMB) in September 2018; this is one of the final steps before a proposed rule is published in the Federal Register and public comment period opens. The Centers for Medicare & Medicaid Services (CMS) released its own interoperability proposed rule and finalized changes to the Promoting Interoperability (PI) programs to reduce burden and emphasize interoperability of inpatient prospective payment systems and long-term care hospital prospective payment systems.



read more

Phase 2 HIPAA Audits Are Underway

The US Department of Health and Human Services Office for Civil Rights (OCR) will soon begin a second phase of audits for compliance with HIPAA privacy, security and breach notification standards as required by the HITECH Act. In this second phase, OCR will audit both covered entities and their business associates, unlike the pilot audits of 2011 and 2012, which focused on covered entities alone. This On the Subject details practical steps that covered entities, including employer-sponsored group health plans, and their business associates can take to prepare for a potential audit.

Read the full article.




read more

OCR Launches Phase 2 HIPAA Audit Program with Pre-Audit Screening Surveys

HIPAA covered entities have reported that the HHS Office for Civil Rights recently sent pre-audit screening surveys to a pool of covered entities that may be selected for the previously delayed second phase of HIPAA compliance audits. This On the Subject describes the phase two audit program and identifies steps that covered entities and business associates should take to prepare for these audits.

Read the full article.




read more

STAY CONNECTED

TOPICS

ARCHIVES

Top ranked chambers 2022
US leading firm 2022