Category: Health Law Highlights

HHS Issues Guidance to Teaching Hospitals and Medical Schools on Informed Consent Requirements

From The HIPAA Journal, by Steve Alder:

The Department of Health and Human Services (HHS) has issued a letter to teaching hospitals and medical schools, emphasizing the necessity of obtaining informed consent from patients before conducting sensitive examinations, particularly when the patient is under anesthesia. The letter comes in response to reports indicating that medical students often perform such examinations without obtaining proper consent during their training. The HHS insists on the importance of documenting informed consent and upholds the patients’ right to refuse such examinations for teaching purposes. The Centers for Medicare & Medicaid Services (CMS) has provided new guidelines to clarify hospital responsibilities regarding informed consent. Furthermore, the Office for Civil Rights (OCR) underscores the HIPAA Privacy Rule, which allows patients to restrict access to their protected health information (PHI), even when unconscious.

Category: Article

Updated: Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates

From U.S. Department of Health and Human Services:

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) updated its guidance to regulated entities when using online tracking technologies. These technologies, used to collect and analyze user interaction with websites or mobile applications, must comply with HIPAA rules if the information gathered includes protected health information (PHI). Unauthorized disclosures of PHI to tracking technology vendors, such as for marketing purposes without compliant authorizations, are deemed impermissible.

The update emphasizes that regulated entities should ensure they disclose PHI only as expressly permitted or required by the HIPAA Privacy Rule. It provides guidance on the application of HIPAA rules to the use of tracking technologies on user-authenticated webpages, unauthenticated webpages, and within mobile apps. For instance, tracking technologies on user-authenticated webpages generally have access to PHI, and tracking technology vendors are considered business associates if they handle PHI.

Unauthenticated webpages, which do not require user login, usually do not have tracking technologies that access PHI. However, in cases where PHI is accessible, HIPAA rules apply. For mobile apps offered by regulated entities, information collected is generally considered PHI, and the entity must comply with HIPAA rules for any PHI the app uses or discloses. However, HIPAA does not protect information users voluntarily enter into non-regulated mobile apps.

Disclosures of PHI to tracking technology vendors must be specifically permitted by the Privacy Rule. If the vendor is a business associate, a business associate agreement (BAA) must be established. The use of tracking technologies should be addressed in the entity’s Risk Analysis and Risk Management processes. If there’s an impermissible disclosure of PHI, breach notification to affected individuals and the Secretary is required. OCR is prioritizing compliance with the HIPAA Security Rule in investigations into the use of online tracking technologies.

Category: Health Law Highlights

Hey Doc, Be Careful on TikTok – Legal Pitfalls of Healthcare Providers in the Social Media Age

From Buckingham, Doolittle & Burroughs, LLC, by Monica Davis:

Impact of Social Media on Healthcare: Social media platforms have enabled physicians to expand their practices, increase marketing, discover new clients, and build their reputations. However, they also pose risks.

HIPAA Violations: The Health Insurance Portability and Accountability Act (HIPAA) ensures strict confidentiality in physician-patient relationships. Violations, such as disclosing Protected Health Information (PHI) without patient authorization, can lead to severe penalties, including lawsuits, fines, and loss of license.

Cyber-Security Risks: Social media can expose healthcare providers to cyber-security threats, including viruses and hackers. The potential consequences are devastating if a hacker gains access to a patient’s private information. Strong authentication mechanisms and password-protected social media can help mitigate these risks.

Reputation Management: Social media can improve a physician’s reputation and client base, but it can also damage their image. Negative reviews and harassment can quickly tarnish a healthcare provider’s reputation, leading to potential legal action for defamation.

Malpractice and Thoughtful Use: The risk of malpractice increases when healthcare professionals give advice on social media, potentially exposing themselves to negligence allegations. To minimize risk and maximize benefits, healthcare facilities should implement social media risk management strategies, such as obtaining patient consent before posting identifying information, educating staff on HIPAA and privacy laws, and designating a social media manager.

Category: Alert

HHS’ Office for Civil Rights Settles Second Ever Ransomware Cyber-Attack

From HHS Press Release:

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), reached a settlement with Green Ridge Behavioral Health, LLC under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) due to potential violations identified during an investigation following a ransomware attack, which affected over 14,000 individuals’ protected health information.

This incident marks the second settlement that OCR has reached with a HIPAA-regulated entity following a ransomware attack. The OCR’s investigation revealed that Green Ridge Behavioral Health had failed to accurately assess potential risks and vulnerabilities to electronic protected health information, implement adequate security measures, and monitor its health information systems effectively to guard against cyber-attacks.

As part of the settlement, Green Ridge Behavioral Health agreed to pay a fine and implement a corrective action plan (CAP), which will be monitored by OCR for three years, to address potential violations of the HIPAA Privacy and Security Rules. The CAP includes conducting a thorough risk analysis, developing a risk management plan, revising policies and procedures as needed to comply with HIPAA rules, providing workforce training, auditing third-party arrangements for proper business associate agreements, and reporting non-compliance by workforce members to the OCR.

Category: Health Law Highlights

US Department of Human Services vs Hospital & Tech Sector Showdown

From Telehealth.org, by Marlene Maheu, PhD:

Recent developments in digital privacy ethics in the healthcare sector have led to a lawsuit against the US Department of Health and Human Services (HHS) by the American Hospital Association (AHA), with support from hospitals, health centers, other hospital associations, and the tech sector. The issue stems from the widespread practice of sharing online patient information with technology companies for marketing purposes.

The HHS has been actively investigating the use of tracking technologies and has issued fines and penalties to companies improperly handling sensitive data. As far back as 2022, HHS issued guidance emphasizing the obligations of HIPAA covered entities when using online tracking technologies.

A recent study revealed that 98.6% of US hospitals might still be involved in sharing patient information, highlighting the extent of data dissemination within the healthcare industry. This has led to increased interest in preventing or responding to HIPAA violations.

The legal challenge underscores the tension between the need for digital marketing tools in healthcare and the necessity to safeguard patient privacy and will significantly affect how healthcare entities use technology for marketing.

Category: Health Law Highlights

New Guidelines Anticipated Following HHS’s Health Cybersecurity Concept Paper

From Shutts & Bowen LLP, by Kurtis Hutson, Timothy Monaghan, Ella Shenhav:

Updates to HIPAA Security Rule: The Department of Health and Human Services (HHS) and the Centers for Medicare and Medicaid Services (CMS) plan to update the Health Insurance Portability and Accountability Act (HIPAA) Security Rule and propose new cybersecurity requirements in Spring 2024. These changes aim to shift the cybersecurity burden from end users to the owners and operators of technologies in critical infrastructure sectors, including healthcare.

Impact on Healthcare Companies: The new requirements could significantly expand the enforcement capabilities of regulators, impacting all entities involved in the healthcare industry. This includes manufacturers, sellers, service providers, healthcare providers, and payors who access, process, transmit, or store electronic protected health information (ePHI).

Voluntary Cybersecurity Performance Goals: HHS is developing voluntary Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (HPH CPGs). Although termed “voluntary”, these will be used by CMS to propose new cybersecurity requirements for hospitals and participants in Medicare and Medicaid programs, and will influence the update to the HIPAA Security Rule.

Need for Proactive Measures: Healthcare organizations are advised not to adopt a “wait and see” approach, but to ensure they can demonstrate the implementation of Recognized Security Practices (RSPs). The HITECH Act amendment of January 2021 provides a safe harbor that could lead to reduced fines or termination of HIPAA-related investigations for organizations that can prove they had RSPs in place for at least the previous twelve months.

Category: Alert

NIST Publishes SP 800-66 Revision 2, Implementing the HIPAA Security Rule

From NIST Computer Security Resource Center:

The National Institute of Standards and Technology (NIST) has released the final version of Special Publication (SP) 800-66r2 (Revision 2), “Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide”.

SP 800-66 provides guidance for entities regulated by HIPAA on evaluating and managing risks associated with electronic Protected Health Information (ePHI). It outlines typical activities for an information security program and offers advice to improve cybersecurity posture and assist with HIPAA Security Rule compliance.

NIST’s Cybersecurity and Privacy Reference Tool (CPRT) includes mappings of the HIPAA Security Rule’s standards and implementation specifications to NIST Cybersecurity Framework Subcategories and SP 800-53r5 security controls. It also lists NIST publications relevant to each HIPAA Security Rule standard, which can be used as additional resources for implementing HIPAA Security Rule standards and implementation specifications.

Category: Health Law Highlights

CMS Updates Guidance to Allow Texting of Patient Orders

From Robinson & Cole, by Nathaniel Arden:

On February 8, 2024, the Centers for Medicare and Medicaid Services (CMS) updated its 2018 memorandum to now allow the texting of patient orders among a patient’s healthcare team.

The 2018 memorandum stated that texting of patient orders did not comply with hospital and critical access hospital (CAH) Medicare conditions of participation (CoPs) due to potential issues with record security, author identification, and HIPAA compliance.

The updated guidance recognizes technological advancements, including encryption and interfaces between texting platforms and electronic health record systems (EHRs) that can ensure compliance with CoPs through the texting of patient orders.

CMS advises hospitals and CAHs using text orders to ensure they use secure, encrypted platforms, maintain author identification integrity, comply with HIPAA, and promptly file texted orders in the EHR.

Category: Health Law Highlights

HIPAA and Part 2 Harmonized: What Health Care Organizations Need to Know

From Foley & Lardner LLP, by Jane Blaney, Jennifer J. Hennessy, Aaron T. Maguregui:

Part 2 Final Rule Implementation: The U.S. Department of Health & Human Services (HHS) issued the Part 2 Final Rule to revise the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations. This rule, effective 60 days post-publication, implements provisions of the 2020 CARES Act and includes modifications proposed in the November 2022 Notice of Proposed Rulemaking and additional changes based on public comments.

Patient Consent Changes: The rule allows SUD programs to obtain a single patient consent for all future uses and disclosures of Part 2 records for treatment, payment, and healthcare operations (TPO), as per HIPAA regulations. This consent can be revoked by the patient in writing. The rule also permits HIPAA-covered entities and business associates to redisclose records under this consent, barring use in legal proceedings against the patient without specific consent or court order.

Patient Notice and Rights: The rule aligns Part 2’s patient notice requirements more closely with the HIPAA Notice of Privacy Practices. It also provides patients with additional rights, such as requesting restrictions of disclosures to health plans for services paid in full or for purposes of TPO, obtaining an accounting of disclosures, and opting out of fundraising communications.

Breach Notification and Counseling Notes: The rule applies HIPAA’s Breach Notification Rule to breaches of unsecured records by Part 2 programs. It also includes a definition of SUD counseling notes similar to the HIPAA definition of psychotherapy notes, requiring specific consent from the individual for their disclosure.

Data Segregation and Penalties: The rule removes the requirement for segregation or segmentation of Part 2 records but maintains their protection. Violations of Part 2 will be subject to the same civil and criminal penalties as HIPAA violations, and patients can file complaints with HHS for violations of Part 

Category: Health Law Highlights

Confidentiality of Substance Use Disorder Records Now More Closely Aligned With HIPAA

From Fox Rothschild, by Elizabeth G. Litten:

Part 2 records may be disclosed pursuant to the patient’s written consent, which may be a single consent for all future uses and disclosures for treatment, payment, and health care operations (as such terms are defined under HIPAA)

Part 2 records may be disclosed to a public health authority without patient consent if the records are de-identified (as defined and set forth under HIPAA)

Part 2 records are subject to HIPAA’s breach notification requirements

Part 2 SUD providers must provide HIPAA Notice of Privacy Practices-type notices to patients

Patients have the right to complain to HHS regarding alleged violations of Part 2