Health Law Alert
2012: Issue 6 - Focus on HIPAA/Privacy
It's Coming: The HIPAA/HITECH Rule; What To Expect and What To Do Now
On March 24, 2012, the Department of Health and Human Services (HHS) sent the much anticipated rule implementing the HITECH Act changes to HIPAA (HITECH Rule) to the Office of Management and Budget (OMB). This starts the clock running on the 90-day period allowed for OMB review. It is expected that, given the scope of the regulations, OMB will take most, if not all, of its allotted 90 days. In any event, the HITECH Rule is expected by late June 2012. While the authors have noted references to this as the "Final Rule" in publications about the HHS document released to the OMB, the HHS announcement actually states that what was released to the OMB will be a "notice and comment rulemaking, as required by the administrative procedures act." Thus, the final rule will not be published until after the notice and comment period has ended. (See the discussion at the end of this article as to possible effective dates.) According to HHS, the HITECH Rule will include changes to the regulations regarding:Click to continue...
Relief for Eligible Professionals? Proposed Stage 2 Meaningful Use Rule Includes Important (Potential) Exceptions
Eligible professionals who have been frustrated by the requirements of the Electronic Health Record (EHR) Incentive Program (the "Program" or "Meaningful Use") were offered some (potential) relief in CMS's new proposed rule for Stage 2 of the Program. Providers interested in the new potential exceptions (which could help them avoid penalties, or ease reporting burdens) should review these important provisions and comment as appropriate.
Since the Program's inception, certain professionals (especially those in specialties or situations that offer minimal patient contact, such as radiology, pathology; or employed physicians who have little control over their patient contact or the records system they must use) have been frustrated by the Program's "all or nothing" standards. An eligible professional must meet each and every Program requirement (which may be impossible for some types of otherwise eligible professionals) or the professional will both lose the ability to collect the Program's substantial incentive payments and face penalties (which could be triggered as early as 2013) for failing to meaningfully use certified EHR technology as required. Hospital-based professionals are not eligible and, accordingly, are exempt from both Program incentives and penalties. Hospital-based professionals are those who provide 90 percent or more of their covered services in a hospital setting (inpatient hospital or emergency room). For professionals, all of this is decided on a calendar-year-by-calendar-year basis. The Stage 2 proposed rule offers at least the potential for some exceptions for professionals in these difficult positions.Click to continue...
OCR Settles with Small Physician Practice for HIPAA Violations
By: Sarah E. Swank
On the heels of its $1.5 million settlement with a large payor, Blue Cross Blue Shield of Tennessee, the Department of Health and Human Services Office for Civil rights (OCR) announced on April 17, 2012, that it settled with a small physician practice for HIPAA violations. Phoenix Cardiac Surgery, P.C., a practice owned by two physicians, entered into a settlement agreement [PDF] and agreed to pay $100,000 after OCR found the practice lacked adequate HIPAA safeguards.
Over a year-and-a-half period, the practice posted 1,000 entries of ePHI on a publically accessible, Internet-based calendar. In addition, over three years the practice transmitted ePHI on a daily basis over an Internet-based email account to workforce members' personal Internet- based email accounts. OCR, after investigation of a complaint, found that the physician practice failed to:Click to continue...