Articles Posted in HIPAA

Published on:

The U.S. Department of Health and Human Services’ (HHS) Centers for Medicare & Medicaid Services (CMS) recently issued a proposed rule to implement requirements of the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Specifically, this proposed rule would adopt standards for “healthcare attachments” transactions, which would support both healthcare claims and prior authorization transactions, and a standard for electronic signatures to be used in conjunction with healthcare attachments transactions. CMS has stated that it believes the proposed rule would result in significant cost savings and a reduction in administrative paperwork, allowing healthcare providers to allocate more time to direct patient care.

The HIPAA Administrative Simplification rule is designed to ensure consistent electronic communication across healthcare systems and promote efficient transfer of administrative data between health plans, healthcare providers, and clearinghouses. This regulation requires HIPAA-covered entities to adopt standards for transactions involving the electronic exchange of healthcare data and specifies standards to be used in all HIPAA-covered transactions.

Healthcare attachments are documents that provide additional information to aid in the healthcare payment decision-making process. This information typically includes patient or case-related information, patient test results, and medical records. The proposed rule would mandate a standard format for the transmission of healthcare attachments between HIPAA-regulated entities to support electronic healthcare claims and prior authorization transactions, which currently lack an efficient and uniform method of sending attachments.

Published on:

The use of telemedicine has exploded over the last few years. The COVID-19 pandemic spurred a shift from in-person services to services provided by telemedicine. As healthcare providers and patients experience the added convenience of telemedicine in some circumstances, some of the large-scale shifts to telemedicine will likely become permanent. However, with increased use comes increased scrutiny from regulators. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and the Department of Justice (DOJ) recently released guidance regarding the provision of telehealth services to individuals with disabilities or with limited English proficiency.

Collectively, several federal laws generally prohibit discrimination on the basis of disability, race, color, and national origin, among other bases. Federal regulations also generally require covered health programs or activities provided by covered entities through electronic or information technology to be accessible to individuals with disabilities unless doing so would result in undue financial and administrative burdens or fundamental alteration of the health program. According to the joint guidance, “A health care provider’s failure to take appropriate action to ensure that care provided through telehealth is accessible can result in unlawful discrimination.”

HHS and DOJ’s guidance generally directs providers to make exceptions to their telemedicine policies or to make special accommodations for individuals with disabilities or limited English proficiency, such as allowing extra time for familiarization with the telemedicine platform or for communication with the provider, allowing caregivers or others to be present during a telemedicine visit, adding capabilities or support for functions like real-time captioning or screen reader software, and using language assistance services. A provider’s obligation to accommodate disabilities over telemedicine is generally the same as when providing in-person services.

Published on:

On September 10, 2021, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced the resolution of its twentieth investigation under its HIPAA Right of Access Initiative. In early 2019, OCR stated that it would create an initiative to enforce patients’ right to access their own health information in a timely and reasonable manner. This concept is not novel to OCR, as it has long been a stated goal of HIPAA within the Privacy Rule. This aspect of HIPAA has been enforced at various times in the past; however, it was never enforced with any regularity until the OCR initiative was established. To date, OCR has remained dedicated to ensuring that every patient is afforded the access to their health information that HIPAA has long stated such patients deserve.

In OCR’s latest settlement, a hospital and medical center located in Omaha, Nebraska agreed to take corrective actions and pay $80,000 to settle a potential violation of the HIPAA Privacy Rule. The alleged violation stems from a May 2020 complaint filed by a parent alleging that the hospital had failed to provide her with timely access to her minor daughter’s medical records. The hospital provided some records, but did not provide all of the requested records despite the parent’s multiple follow-up requests. OCR alleged that the hospital failed to provide timely access to the requested medical records and thus potentially violated the HIPAA right of access standard. That standard generally requires a covered entity to take action on an access request within 30 days of receipt (or within 60 days if an extension is applicable). As a result of OCR’s investigation, the parent did in fact receive all of the requested records.

Healthcare providers often focus heavily on preventing unauthorized access to or sharing of health information, which sometimes means that less attention is given to providing patients with quick and affordable access to their own records. In light of OCR’s initiative and its dedication to enforcing patients’ right of access under the Privacy Rule, healthcare providers should make sure they are knowledgeable about this aspect of their operations.

Published on:

On September 30, 2021, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) issued guidance to help consumers, businesses, and healthcare entities understand when the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule applies to disclosures and requests for information about an individual’s COVID-19 vaccination status. As a preliminary note, the guidance reminds readers that the HIPAA Privacy Rule does not apply to employers or employment records. The Privacy Rule only applies to HIPAA covered entities, which include health plans, healthcare clearinghouses, and healthcare providers that conduct standard electronic transactions and, in some cases, to their business associates.

The guidance initially answers a highly popular and controversial question in light of the COVID-19 pandemic. According to the OCR guidance, the HIPAA Privacy Rule does not prohibit businesses or individuals from asking whether their customers or clients have received a COVID-19 vaccine. Because individuals or entities such as businesses are not covered entities, the Privacy Rule generally does not apply to them. The Privacy Rule does not regulate the ability of covered entities and business associates to request information from patients or visitors. Rather, the Privacy Rule regulates how and when covered entities and business associates are permitted to use and disclose protected health information (PHI), for example COVID-19 vaccination status, that covered entities and business associates create, receive, maintain, or transmit. In the opposite direction, the Privacy Rule does not prevent customers or clients of a business from disclosing whether they have been vaccinated. The Privacy Rule does not apply to individuals’ disclosures about their own PHI.

The guidance proceeds to inform readers that employers are not prohibited under the Privacy Rule from requiring employees to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties. Generally, the Privacy Rule does not regulate what information can be requested from employees as part of the terms and conditions of employment that an employer may impose on its employees. However, other federal or state laws address terms and conditions of employment. Federal anti-discrimination laws generally do not prevent an employer from choosing to require that all employees physically entering the workplace be vaccinated against COVID-19 and provide documentation or other confirmation that they have met this requirement. Under the Americans with Disabilities Act (ADA), documentation or other confirmation of vaccination must be kept confidential and stored separately from the employee’s personnel files. Similarly, the Privacy Rule does not prohibit a covered entity or business associate from requiring its employees to disclose to their employers or other parties whether employees have received a COVID-19 vaccine. The Privacy Rule also generally does not apply to employment records, including employment records held by covered entities and business associates acting in their capacity as employers.

Published on:

On June 24, 2021, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) published comments that it received during the public comment period for the proposed modifications to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. OCR first announced the proposed rule-making in December 2020. While the proposal was not technically subject to the “regulatory freeze” by the Biden administration, it was effectively delayed because OCR extended the public comment period through May 2021.

The proposed changes to HIPAA are part of the larger transition to a value-based health care system in which providers are compensated based on patient health outcomes. The modifications propose to address standards that may impede the transition to a value-based health care system and other unnecessary burdens by increasing individuals’ rights to access their health information, enhancing information sharing for care coordination and case management, improving family and caregiver involvement for individuals experiencing health emergencies, reducing the administrative burden on HIPAA-covered providers, and facilitating the disclosure of certain health information during emergencies such as the opioid crisis and COVID-19 pandemic.

Some of the major changes to the Privacy Rule include:

Published on:

On February 12, 2021, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced the details of its previously announced discretion in the enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act related to privacy, security, and data breaches. OCR will not penalize covered health care providers or their business associates for non-compliance under HIPAA for the good faith use of online or web-based scheduling applications (WBSAs) for scheduling COVID-19 vaccination appointments during the COVID-19 pandemic.

During the COVID-19 public health emergency, HIPAA covered providers, such as large pharmacy chains, or business associates acting on behalf of the covered providers, may utilize WBSAs to schedule individual appointments for COVID-19 vaccinations. For the purposes of this exercise of discretion, a WBSA is an online or web-based application that only allows the intended parties to access the data and that provides individual appointment scheduling related to large-scale COVID-19 vaccination. Technology that directly connects to electronic health records (EHR) systems used by covered providers is not included in this discretionary measure and does not constitute a WBSA. The HIPAA privacy rules allow business associates of a covered entity to use and disclose protected health information (PHI) for certain functions, only as dictated by a business associate contract or other agreement. However, during the COVID-19 pandemic, health care providers need to quickly schedule many appointments for COVID-19 vaccinations and often do this through WBSAs. Some of these online scheduling applications, and the way in which healthcare providers use them, may not comply with the HIPAA privacy rules. Furthermore, vendors of the WBSAs may not know providers are using these applications to create and send PHI, potentially making the WBSA vendors business associates under HIPAA.

OCR will exercise discretion in the enforcement of HIPAA privacy rules and will not penalize covered healthcare providers, their business associates, or WBSA vendors who are technically business associates, for noncompliance as it relates to the scheduling of individual COVID-19 vaccination appointments during the COVID-19 pandemic. This enforcement discretion applies to covered healthcare providers and their business associates that are, in good faith, using WBSAs to schedule COVID-19 vaccination appointments, as well as to WBSA vendors whose platforms are being used to schedule COVID-19 vaccination appointments. Discretion does not apply to covered providers or business associates for activities unrelated to the scheduling of COVID-19 vaccinations, or if the covered providers or business associates fail to act in good faith. Instances where a covered provider or business associate is not acting in good faith include: the use of a WBSA that allows the sale of personal information collected, the use of a WBSA for purposes other than scheduling COVID-19 vaccination appointments, the use of a WBSA without reasonable safeguards to protect the PHI, and the use of a WBSA to screen individuals for COVID-19 before an in-person visit.

Published on:

On December 18, 2020, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued new guidance on the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The guidance addresses important questions related to the definition of a health information exchange (HIE), when covered entities can disclose protected health information (PHI) to an HIE without the individual’s authorization, whether covered entities need a direct request from the public health authority (PHA) to disclose PHI, and whether a covered entity must provide notice to individuals regarding disclosures of PHI for public health purposes. In addition, the guidance provides examples for providers and entities relevant to HIPAA and the COVID-19 pandemic.

Questions addressed in the guidance include:

What is a health information exchange (HIE)?

Published on:

On December 10, 2020, the Office for Civil Rights (“OCR”) at the Department of Health and Human Services (“HHS”) announced a proposal to modify the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule. The overarching goal of the proposed rule is to get patients more engaged in their own healthcare, provide easier access to coordinated care, and reduce burdensome regulations that have an impact on quality of care. HHS recently rolled out a Regulatory Sprint to Coordinated Care, and the proposed modifications to the HIPAA rule support this measure.

The Regulatory Sprint facilitated a nationwide transformation to value-based care. Public feedback indicated that there were far too many regulatory burdens to allow sufficient coordinated care, which made it difficult for patients to receive high quality value-based care. In response to this feedback, CMS proposed changes to the Anti-Kickback Statute, Civil Monetary Penalty rules, and the Physician Self-Referral Regulations. As such, the HIPAA rule was the next regulatory burden that needed to be addressed to further the Regulatory Sprint.

For a complete list of the proposed changes to the HIPAA rule, please see the HHS notice. Here are some highlights:

Published on:

On October 29, 2020, the Office for Civil Rights (“OCR”) of the Department of Health and Human Services (“HHS”) announced that, based on credible information from HHS, the FBI, and the Cybersecurity and Infrastructure Security Agency (CISA), hospitals and healthcare providers are at imminent risk of a cybersecurity attack. In response to this looming threat, law enforcement is advising healthcare entities to implement best practices to avoid a cyberattack.

Specifically, CISA, HHS, and the FBI are predicting ransomware attacks. Ransomware is a type of malicious software that denies users access to targeted data. Hackers encrypt the data and hold it hostage until a ransom is paid. If the ransom is not paid, the hackers will permanently destroy all the data. Unfortunately for healthcare providers, the Department of Treasury recently announced that any entity that pays a ransom to get their data returned will be in violation of the International Emergency Economic Powers Act and will thus be subject to paying steep civil monetary penalties, not to exceed $250,000.

This puts providers in a precarious position, so CISA, the FBI, and HHS have come out with various references and guides to help prevent healthcare providers’ systems from being susceptible to a ransomware attack in the first place. Some of these preventive measures include: regularly backing up data, keeping data backups offline from the network, regularly changing passwords and avoiding the use of the same password for different accounts, using two-step verification where available, updating operating systems as soon as updates are available, and always having antivirus and anti-malware programs regularly scanning and updating.

Published on:

Beginning on March 6, 2020, the Centers for Medicare and Medicaid Services (“CMS”) temporarily expanded telehealth services for Medicare beneficiaries and cut back on HIPAA enforcement to help combat COVID-19. This expansion will last until the end of the public health emergency as declared by the Secretary of HHS. Telehealth, the remote delivery of healthcare services, often by video conference between patient and provider, is a growing frontier in the age of digital healthcare. However, Medicare was slow to adopt the new technology.

Until recently, Medicare only covered telehealth services provided to beneficiaries in designated rural areas and only if they received the services at a hospital, clinic, or other medical facility. Virtual check-ins and e-visits were reimbursed at a much lower rate. Virtual check-ins encompass brief communications between physicians and patients, such as text messages or emails, where a patient can send images and discuss symptoms and treatment options with their physician. E-visits are conducted through a patient portal and are not face-to-face. This temporary expansion will now reimburse physicians who perform virtual check-ins and e-visits at the rate of an in-person visit.

The expansion was made pursuant to a Section 1135 waiver. The Coronavirus Preparedness and Response Supplemental Appropriations Act, signed into law on March 6, 2020, authorized the Department of Health and Human Services (“HHS”) to waive certain traditional Medicare telehealth requirements during this national emergency. Spurred by the calls for self-quarantine and social distancing, these waivers have led to an expansion of Medicare coverage for telehealth services.
