Showing 11 posts in Privacy.
A recent Memorandum issued by the Centers for Medicare & Medicaid Services ("CMS") to state survey agency directors (the "Memorandum") discusses a nursing home's responsibility to protect residents' privacy, particularly with regard to social media. The Memorandum was issued following a series of media reports documenting the inappropriate posting of residents' photographs on social media by nursing home staff. Read More ›
OCR Issues Clarifying Guidance on HIPAA Privacy Rule Regarding Access to Protected Health Information
The Office of Civil Rights (“OCR”) recently issued new guidance (“Guidance”) concerning the right of individuals to access their protected health information (“PHI”) under the HIPAA Privacy Rule. The OCR explained in the Guidance that based on its enforcement experience and recent studies, individuals continue to have difficulty accessing information - even from entities required to comply with the HIPAA Privacy Rule. This is also despite improvements in technology that make access more readily available. Bottom line is that individuals must have access to their PHI and health providers need to be providing such access.
However, the Guidance further clarifies a number of issues, including permissible charges for providing information to patients, security issues, submission of requests for information, and the manner for providing access to information. Read More ›
The Department of Health and Human Services (“HHS”) recently released a HIPAA overview called “HIPAA Basics for Providers: Privacy, Security, and Breach Notification Rules” (the “Overview”). The Overview is intended to provide HIPAA Covered Entities such as physicians, hospitals, and other health care providers with a basic overview of HIPAA’s rules and responsibilities. The fact sheet also provides an overview to Business Associates (such as law firms and accounting firms who receive protected health information ("PHI") from Covered Entities). The Overview can be found here.
The Overview explains that the HIPAA Privacy Rule protects individually identifiable PHI, which includes information such as an individual’s past, present, or future physical or mental health condition. Read More ›
On March 12, 2015 Foster Swift Attorney Jennifer Van Regenmorter co-presented the Michigan Health Law Update (“Annual Update”) at the 21st Annual Health Law Institute. The Annual Update provides an overview of the most significant Michigan-specific health law developments from the past year, many of which have been covered on this blog. This article will summarize the highlights from this year’s Annual Update. Read More ›
The Michigan Court of Appeals recently decertified a class action suit against Henry Ford Health System (HFHS) and its subcontractor, a medical transcription service, for inadvertently disclosing sensitive patient information online. On December 18, 2014, a unanimous three-judge panel reversed the trial court’s denial of summary judgment in favor of the defendants. The court held that an invasion of privacy claim requires an intentional act rather than mere negligence and that the plaintiff’s claims for negligence and breach of contract require proof of an actual injury.
The class consisted of 159 patients who visited HFHS between June 3, 2008 and July 18, 2008. The case arose when the defendant subcontractor made a configuration change to its server which left certain patient records unsecured. As a result, Google’s automated web server, “Googlebot,” indexed the information and made it available for users to search online. The information included each patient’s name, date of service, and diagnoses. The unnamed lead plaintiff alleged that her records revealed a sexually transmitted disease. Read More ›
Categories: Electronic Health Records, Privacy
Last month, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) issued guidance addressing the treatment of same-sex spouses under the HIPAA Privacy Rule in light of the Supreme Court’s decision in United States v. Windsor.
In Windsor, the Supreme Court held Section 3 of the Defense of Marriage Act (“DOMA”) to be unconstitutional. Section 3 of DOMA had excluded same-sex marriages from recognition under federal law.
As a result of the Windsor ruling, legally married same-sex spouses are entitled to additional rights under several federal regulations, one of which is the HIPAA Privacy Rule ("Rule"). The Rule provides certain protections to family members of patients. In its guidance, OCR clarifies that legally married same-sex spouses are family members for the purposes of the Rule, regardless of where they live. Read More ›
Categories: HIPAA, Privacy
While the healthcare industry has historically been knocked as slow to adapt to emerging technologies, the technological modernization of the industry is now occurring at a furious pace. From the digitization of health care records, to improved means of communications between doctors and patients, technology is transforming healthcare.
Tech behemoths like IBM, as well as scrappy Silicon Valley startups, have recognized the potential and are pouring resources into healthcare IT. According to data from investment company Rock Health, venture capital funding to healthcare information technology companies for 2014 reached $2.3 billion as of mid-year 2014. That's more than 10 times the nearly $200 million that was invested in healthcare IT in 2007.
One of the healthcare industry's newest tech innovations, called Figure 1, is the brainchild of a doctor named Josh Landy. Figure 1 is an Instagram-style app that allows doctors to share photos of patient conditions with other medical professionals in order to get their opinions regarding diagnosis and treatment. Read More ›
Categories: Physicians, Privacy
"It's a war we're in." That's how John Halamka, the chief information officer of Boston-based Beth Israel Deaconess Medical Center, described the current state of affairs between the health care industry and the hackers and identity thieves who are trying to steal patient records.
A recent Boston Globe article detailed the threat and provided some interesting - and sobering - statistics and information:
- There is high demand for health records, and a single health record may be worth $50 according to the FBI
- Criminal intrusions into health care systems have risen 100 percent in the past four years
- Of 614 total identity theft breaches in 2013, 269 (43.8 percent) were in health care (the most of any industry)
- Despite being the subject of the most attacks, a recent study by BitSight Technologies found that health care providers are the slowest in any industry to respond to data breaches.
Hackers are motivated to target health records in order to facilitate identity theft, financial fraud and illegal drug use. The Boston Globe article, in particular, highlighted two recent incidents involving cyber-security breaches: (1) Chinese hackers seized the personal information of 4.5 million patients at a Tennessee-based hospital network, and (2) federal officials disclosed on September 4 that a hacker managed to install malicious software on HealthCare.gov. Read More ›
As hospitals and doctors across the country become more technologically sophisticated and use more and more medical devices that are connected to the Internet in some fashion, they are increasingly being attacked and compromised by sophisticated cyberattacks. Attacks on US hospitals’ medical data – which put patient records and personal information at risk – have more than doubled since 2010, according to a new study by the Ponemon Institute.
In its report, the Ponemon Institute states that 90 percent of health care institution respondents had at least one data breach in the last two years, while 38 percent had more than five data breaches during that same time period. While many of these breaches stemmed from lost or stolen computers, technical glitches, and third-party problems, several were due to criminal attacks. Read More ›
Health Plans Take Notice: Compliance with HIPAA Administrative Simplification Rules is still Required
On Jan. 2, 2014, the Department of Health and Human Services (“HHS”) issued a proposed rule related to the Administrative Simplification requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Specifically, it delayed the date by which health plans must certify compliance with certain operating rules imposed by the Affordable Care Act (“ACA”).
The ACA required the Secretary of HHS to adopt operating rules related to claims status, eligibility, electronic funds transfers ("EFT") and health care payment and remittance advice transactions ("ERA"). Health plans (and other covered entities) were required to comply with the claims status and eligibility operating rules by Jan. 1, 2013 and the EFT and ERA operating rules by Jan. 1, 2014. Additionally, health plans were required to file a statement with HHS certifying that the health plan is in compliance with the operating rules. This certification statement was due by Dec. 31, 2013. Read More ›
- Electronic Health Records
- Digital Assets
- Labor Relations
- Accountable Care Organizations
- Health Insurance Exchange
- Fraud & Abuse
- News & Events
- Health Care Reform
- Employee Benefits
- HITECH Act
- Long Term Care
- 6th Circuit Court of Appeals