This afternoon, the Department of Health and Human Services posted a long-awaited, 563-page omnibus final rule under HIPAA, which will be published in the Federal Register on January 25, 2013, and which makes a variety of modifications to HIPAA’s Privacy, Security, Breach Notification, and Enforcement Rules. According to the executive summary of the rule, these modifications are necessary “to strengthen the privacy and security protections . . . for individuals’ health information maintained in electronic health records and other formats. This final rule also makes changes to the HIPAA rules that are designed to increase flexibility for and decrease burden on the regulated entities, as well as to harmonize certain requirements with those under the Department’s Human Subjects Protections regulations.”
Note that while the effective date of the final rules is March 26, 2013, covered entities have until September 23, 2013, to achieve compliance.
We will have further analysis on this final rule in the coming days.
An Indianapolis oncology group has disclosed that data concerning about 55,000 patients was stored on a stolen laptop computer. A backup copy of the Cancer Care Group’s server was stored on the computer, which was stolen from a locked car. Among the data stored on the device were patient names, addresses, Social Security Numbers, medical record numbers, and insurance information. Several employees’ personal information was stored on the compromised device as well.
Today, the Office for Civil Rights (“OCR”) of the Department of Health and Human Services (“HHS”) announced that the Alaska Department of Health and Social Services (Alaska DHSS), which is that state’s Medicaid agency, has agreed to pay $1.7 million to settle possible violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule. Alaska DHSS has also agreed to institute a corrective action plan (“CAP”) to properly safeguard the electronic protected health information (ePHI) of its Medicaid beneficiaries.
OCR’s investigation began in October 2009, after Alaska DHSS filed a breach report, as required by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. Alaska DHSS reported that on or about October 12, 2009, a portable electronic storage device potentially containing ePHI was stolen from the vehicle of a DHSS computer technician.
Increasingly, nursing homes seek guidance on the considerations involved in the use of surveillance equipment in their facilities. On May 22, 2012, the New York State Department of Health issued a “Dear Administrator Letter” (DAL) addressing the use and installation of audio and/or video surveillance equipment in nursing homes. The DAL is available here.
On May 10, 2012, the United States Court of Appeals for the Ninth Circuit issued its opinion in United States v. Zhou, No. 10-50231 (9th Cir. May 10, 2012), and held that the criminal misdemeanor provision of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), located at 42 U.S.C. § 1320d-6(a)(2)—which penalizes the mere unauthorized access to patient documents—does not require a defendant to know that his or her actions were illegal under the statute.
According to press accounts, the defendant, Huping Zhou, was hired as a research assistant at the UCLA Health System in February of 2003. On October 29 of that same year, UCLA issued a notice of intent to dismiss Zhou, citing poor performance. That evening, Zhou, for reasons that were not made clear, allegedly accessed the patient records of co-workers and well-known actors, including Tom Hanks, Drew Barrymore, and Arnold Schwarzenegger, without authorization. UCLA terminated the defendant from his job on November 14, 2003, after a formal internal grievance hearing.
Yesterday, the U.S. Department of Health and Human Services (“HHS”) published a proposed rule in the Federal Register which would allow medical patients to get their laboratory test results directly from the lab. A copy of this proposed rule is available here. At present, only a handful of states allow direct access to lab results. This proposal, if it becomes effective, will give patients in most states a new right to go directly to the lab used by their doctor to obtain test results.
HHS Secretary Kathleen Sebelius has made various public statements promoting this proposed rule as empowering patients by granting greater access to personal health information. The HHS press release about this proposal is available here. There is no question that HHS’s proposed rule is in line with the trend of giving patients increased control over their health care choices and their health records.
A Virginia physician has become the first person criminally indicted under the Health Insurance Portability and Accountability Act (HIPAA) for communicating with a former patient’s employer.
According to the United States Attorney for the Eastern District of Virginia, Dr. Richard Kaye, the former Medical Director of the Psychiatric Care Center at Sentara Obici Hospital in Suffolk, Virginia, revealed protected health information on three separate occasions when he contacted a former patient’s employer and expressed his view that the former patient posed “a serious and imminent threat to the safety of the public.” Dr. Kaye’s three alleged criminal violations occurred in February 2008. Dr. Kaye had discharged the patient in September 2007 because, according to his discharge summary, the patient was stable and posed no threat.
The Department of Health and Human Services (HHS) issued its notice of proposed rulemaking to modify the HIPAA Privacy Rule’s standard for accounting of disclosures of protected health information (PHI).
The current accounting provision applies to disclosures of paper and electronic PHI, regardless of whether such information is in a designated record set (DRS), for a six-year period prior to the request. HHS is proposing to limit the accounting provision to PHI about the individual in a DRS for a three-year period prior to the request.
The Patient Protection and Affordable Care Act (“PPACA”) requires that “standardized extracts” of Medicare claims data be made available to “qualified entities” in connection with their preparation of reports evaluating the performance of providers. Since this information is now “required by law,” these disclosures are allowed under the Health Insurance Portability and Accountability Act’s Privacy Rule. The Centers for Medicare & Medicaid Services (“CMS”) has published this proposed rule, which is available here, to implement the PPACA requirement. This proposed rule is supposed to make Medicare claims data available to qualified entities for the compilation of public reports about the quality of services and supplies provided under Medicare, but it cannot compromise patient privacy in the process. In fact, there is a requirement that these reports do not contain any private or individually identifying information.
The Office of the Inspector General (OIG) for the U.S. Department of Health and Human Services (HHS) released a report on the oversight and enforcement actions conducted by the Centers for Medicare & Medicaid Services (CMS) pertaining to hospitals’ implementation of the HIPAA Security Rule. The OIG conducted its audits at CMS in Baltimore, Maryland, and at seven hospitals in California, Georgia, Illinois, Massachusetts, Missouri, New York, and Texas. The OIG concluded that CMS oversight and enforcement actions were not sufficient to ensure that covered entities, such as hospitals, effectively implemented the Security Rule to safeguard electronic protected health information (ePHI).