Pennsylvania’s recently passed Medical Marijuana Act (MMA) has left employers dazed and confused about whether they may continue to enforce zero tolerance drug policies. The MMA, which provides qualifying patients with access to medical marijuana through a safe and effective delivery method, is intended to balance patient need for access with patient safety. However, balancing these interests is not always an easy task, especially because marijuana remains an illegal substance under the Federal Controlled Substances Act. The attempt to balance patient access and safety, and the juxtaposition between state and federal law, can put employers in a sticky situation, particularly when it comes to establishing and enforcing zero tolerance drug policies.
Providers participating in the Medicare Electronic Health Record (EHR) Incentive Program now have an additional thirteen days to register and attest to meeting the meaningful use requirements for 2016. The Centers for Medicare & Medicaid Services has extended the reporting deadline until March 13, 2017, at 11:59 p.m. ET. This extension is intended to allow providers additional time to attest to the 2016 program requirements and avoid a 2018 payment adjustment.
Earlier this month, Presence Health agreed to pay $475,000 and enter into a corrective action plan (CAP) with the Office for Civil Rights (OCR) based upon its failure to timely report a data breach in accordance with the Health Insurance Portability and Accountability Act (HIPAA) and HIPAA’s Breach Notification Rule.
On August 21, 1996, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was signed into law by President Bill Clinton. The original purpose of the Act, which amended the Internal Revenue Code of 1986, was to improve the portability and continuity of health insurance coverage, combat waste, fraud, and abuse, promote the use of medical savings accounts, improve access to long-term care services, and simplify the administration of health insurance.
At the time, there were no such things as electronic medical records (EMR), electronic Health Information Exchange (HIE), Covered Entities or Business Associates. Healthcare administration and patient privacy were complicated by varying rules and regulations across states, and a lack of uniformity at the federal level. Experts recognized the need to standardize regulations, better protect patient privacy and allow employees to retain health coverage when leaving their jobs. They also recognized the increased use of technology, and foresaw its coming impact on the healthcare industry.
If you are an entity covered by Section 1557 of the Patient Protection and Affordable Care Act (Section 1557), you have less than a week to prepare your non-discrimination notices and taglines. The final rule implementing 1557 requires that by October 16, 2016, healthcare providers and other covered entities publish and disseminate non-discrimination notices, including disclosures that they provide language assistance services to individuals with limited English proficiency (LEP).
The U.S. Department of Health and Human Services (HHS), Office for Civil Rights issued the final rule implementing Section 1557 on May 18, 2016. Section 1557 prohibits discrimination in health care programs and activities on the basis of race, color, national origin, sex, age, or disability. Section 1557 applies to “covered entities” or any entity that operates or administers either: (i) a health program or activity, any part of which receives federal financial assistance provided or made available by HHS; (ii) a health program or activity administered by HHS; or (iii) a health program or activity administered by an entity established by Title I of the Affordable Care Act.
Among the requirements included in Section 1557 is the requirement that covered entities publish and disseminate non-discrimination notices. To help you prepare your notices for the October 16th deadline, the Health Law Gurus have outlined what you need to know.
In today’s busy world, convenience is a prized commodity. From pre-ordering and paying online for your favorite Starbucks drink to pulling up instantaneous directions on Google Maps, people value solutions that save time and make their lives easier. This trend carries over into the health care industry, most notably in the increasing popularity of urgent care centers. Since health insurance companies, like Independence Blue Cross, began to cover the health care provided at these clinics, their popularity and prevalence have skyrocketed.
Urgent care centers are modeled to facilitate quality, affordable, and convenient medical care for non-life-threatening injuries and illnesses. Urgent care centers generally allow for walk-in appointments, which spares patients the time required to schedule an appointment with a primary care physician and to wait for the appointment time and date. Moreover, urgent care centers tend to have flexible hours. They may be open on weekends or evenings, and may be more convenient for someone juggling a busy schedule. In addition, many urgent care centers have x-rays or laboratory testing, but are generally less expensive than a hospital emergency room.
This month marked the largest HIPAA settlement to date for a single entity. Advocate Health Care Network (“Advocate”) agreed to pay $5.5 million and adopt a corrective action plan after an investigation by the Department of Health and Human Services’ Office for Civil Rights (“OCR”) revealed that Advocate’s widespread noncompliance with the requirements of HIPAA affected the protected health information (“PHI”) of four million individuals.
OCR’s investigation into Advocate began in 2013 after its subsidiary, Advocate Medical Group (“AMG”), reported three separate data breaches. AMG reported: (i) a laptop computer stolen from an AMG office building, (ii) unauthorized access into a business associate’s computer network, and (iii) an unencrypted laptop taken from an employee’s unlocked vehicle. In combination, the three data breaches compromised the names, addresses, credit card information, clinical information, and health insurance information of four million individuals.
One of the fastest growing areas of cybercrime is ransomware. Ransomware is a type of malicious software that encrypts data and makes it inaccessible to authorized users. The hackers who orchestrate ransomware attacks demand that authorized users pay a ransom in order to obtain the key to decrypt their data. Payment is generally required in bitcoin (or other forms of cryptocurrency) in order to maintain anonymity.
In an effort to combat the proliferation of ransomware attacks, the Office for Civil Rights (“OCR”) has released guidance on ransomware attack prevention and recovery from a healthcare entity’s perspective. OCR’s guidance discusses the role of the Health Insurance Portability and Accountability Act (“HIPAA”) in helping covered entities and business associates prevent and recover from ransomware attacks, and how HIPAA breach notification should be handled in response to ransomware attacks. Portions of OCR’s guidance, along with commentary, are summarized below.
Medical records are a powerful weapon in the courtroom. They may reveal the extent of an individual’s injury in a personal injury case or substantiate the severity of an individual’s mental illness when that mental illness is being used as a defense. However, while using medical records in litigation can be a dream come true for litigators, it can be a nightmare for health care providers (“Providers”). Upon receiving a subpoena or other document requesting access to medical records, a Provider must determine whether he or she is required to release medical information or is prohibited from doing so under state and federal law. If a Provider improperly releases information, the penalty could be a hefty fine.
The Health Insurance Portability and Accountability Act (“HIPAA”) and its implementing regulations place constraints on the release of an individual’s protected health information (“PHI”) by Providers to litigants. 45 C.F.R. 164.512(e). Under HIPAA, there are four methods to obtain access to medical records for the purposes of judicial and administrative proceedings. Each of these methods is more fully explained below:
Oregon Health & Science University (“OHSU”) has paid $2.7 million to the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) to settle allegations that it violated the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). OHSU must also comply with a three-year corrective action plan.
OCR began an investigation of OHSU’s compliance with HIPAA after OCR received notice from OHSU in 2013 that (i) an OHSU laptop computer was stolen resulting in a breach of unsecured electronic protected health information (“ePHI”), and (ii) OHSU stored ePHI with an internet-service provider without a business associate agreement, which is required under HIPAA.