US Department of Health and Human Services

HIPAA Compliance 101: Lessons from a Recent OCR Settlement

The US Department of Health and Human Services Office for Civil Rights (OCR) recently announced a settlement with a community hospital resolving an investigation under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security rules. While the settlement involved a medical provider, it offers some important lessons for other HIPAA-covered entities, including employer-sponsored group health plans.

The settlement involved impermissible access to protected health information by non-medical staff who, allegedly, used their own valid login credentials to view patient records in the hospital’s electronic medical record system without a job-related purpose. Notably, no outside attacker was needed: the access came from authorized accounts used beyond their legitimate need. The lesson is straightforward: all HIPAA-covered entities must “protect the privacy and security of health information,” and that obligation includes controlling and reviewing what the workforce does with the access it has been granted.

The HIPAA privacy and security rules are complex, and full compliance requires substantial resources that are, as a practical matter, beyond the reach of many organizations. While OCR routinely refers to these rules as “scalable,” that claim is difficult to square with our experience. Full compliance with the particulars of the rules is costly and time-consuming, and it requires no shortage of expertise. Thankfully, in practice, OCR tends to focus its investigative resources on certain features of these rules. These include the following items, which covered entities must perform to comply:

  • Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic protected health information;
  • Develop and implement a risk management plan to address and mitigate the security risks and vulnerabilities identified in the risk analysis;
  • Develop, maintain and revise, as necessary, written HIPAA policies and procedures;
  • Enhance HIPAA and security training programs to provide workforce training on the updated HIPAA policies and procedures; and
  • Review relationships with vendors and third-party service providers to identify business associates and obtain business associate agreements with business associates if not already in place.

Where group health plans are concerned, fully insured plans routinely rely on their carriers for HIPAA compliance, which requires that plan sponsors receive only “summary” health information at renewal. This option is not available to self-funded plans, however, even those that contract with a carrier for administrative services. Employers in this latter category can be reasonably confident of surviving an OCR audit or investigation only if, at a minimum, they have taken the actions listed above.


HHS OIG Develops Toolkit to Analyze Telehealth Claims to Assess Program Integrity Risks

The US Department of Health and Human Services Office of the Inspector General (HHS OIG) recently unveiled a new toolkit that seeks to help analyze telehealth claims for federal healthcare program integrity risks. It is based on methodologies highlighted in OIG’s September 2022 data brief; the data brief identified billing practices by Medicare providers that OIG was concerned posed a high risk to program integrity. OIG intends for the toolkit to be used by public and private parties—including Medicare Advantage plan sponsors, private health plans, State Medicaid Fraud Control Units and other federal healthcare agencies—to assess program integrity risks and identify providers whose billing may warrant further scrutiny.


Federal Government to Wind Down Vaccination Mandates

The Biden administration has announced that the federal government will wind down its remaining COVID-19 vaccination mandates (including those for federal workers, contractors and international air travelers) effective May 11, 2023. This action coincides with the conclusion of the COVID-19 public health emergency (PHE). Additionally, the US Department of Health and Human Services (HHS) will initiate steps to terminate the vaccination prerequisites for healthcare facilities that are certified by the Centers for Medicare & Medicaid Services (CMS).


OCR Issues Proposed Rule to Modify HIPAA Privacy Rule to Include Explicit Protections for Reproductive Healthcare

On April 12, 2023, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a notice of proposed rulemaking detailing its proposal to modify the HIPAA Privacy Rule (Proposed Rule). The Proposed Rule comes as a part of the Biden administration’s response to the US Supreme Court’s ruling in Dobbs v. Jackson Women’s Health Organization.

The Proposed Rule would provide special protections for protected health information (PHI) related to reproductive healthcare. Following the Dobbs decision, many healthcare providers expressed concerns that PHI related to reproductive healthcare may be sought by state and local governments for use in criminal, civil or administrative investigations or proceedings. OCR noted that such compelled uses and disclosures of PHI could have a chilling effect on lawfully obtained healthcare and erode trust in confidential communications between a patient and provider. Additionally, providers could elect to leave out critical details from a patient’s medical record if they fear the information could later be used by a state or local government actor against the patient.

Stakeholders may submit comments on the proposed rule on or before June 16, 2023.


HHS Nondiscrimination Proposal on Gender Procedures, Abortions Meets Resistance

Multiple Republican lawmakers are opposing a US Department of Health and Human Services (HHS) proposed rule that would expand the Affordable Care Act’s Section 1557 requirement preventing most health plans from discriminating on the basis of sex. According to this SHRM article, the rule applies to health insurers or plans that receive federal funds or that contract with the government. McDermott lawyers previously wrote about this proposed rule, noting that the definition of a covered entity is “similar in many ways to the 2016 Final Rule” but “does not explicitly include employee benefit group health plans as covered entities subject to Section 1557.”


GAO Releases Report on Telehealth

On September 26, the US Government Accountability Office (GAO) released a report titled “Medicare Telehealth: Actions Needed to Strengthen Oversight and Help Providers Educate Patients on Privacy and Security Risks.” The 75-page report describes the utilization of Medicare telehealth services under current pandemic-related waivers, the Centers for Medicare & Medicaid Services (CMS) efforts to identify and monitor risks posed by the current waivers, and a change made by the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) to the enforcement of regulations governing patients’ protected health information during the COVID-19 public health emergency (PHE).

GAO made four recommendations—three directed to CMS and one directed to OCR—aimed at remedying the issues set forth in the report:

  • CMS should develop an additional billing modifier or clarify its guidance regarding billing of audio-only office visits to allow the agency to fully track these visits.
  • CMS should require providers to use available site of service codes to indicate when Medicare telehealth services are delivered to beneficiaries in their homes.
  • CMS should comprehensively assess the quality of Medicare services, including audio-only services, delivered using telehealth during the PHE.
  • OCR should provide additional education, outreach or other assistance to providers to help them explain the privacy and security risks to patients in plain language when using video telehealth platforms to provide telehealth services.

Among its utilization findings, the GAO report found that the use of telehealth services increased from about five million services pre-waiver (April to December 2019) to more than 53 million services post-waiver (April to December 2020) and that, post-waiver, 5% of providers delivered more than 40% of telehealth services, and 5% of beneficiaries accounted for almost 40% of telehealth utilization.

The report noted that CMS lacks complete data on the use of audio-only technology and on telehealth visits furnished in patients’ homes, because there is no billing mechanism for providers to identify all instances of audio-only visits, and because providers are not required to use the available codes to identify visits furnished in homes. The GAO report also noted that, with respect to OCR’s March 2020 policy of not imposing penalties on providers for noncompliance with privacy and security requirements in connection with the good faith provision of telehealth during the PHE, OCR did not advise providers about specific language to use or give direction on how to explain the resulting privacy and security risks to patients.

This GAO report comes on the heels of a recent report from the HHS Office of Inspector General that found little evidence of waste and fraud related to Medicare telehealth services during the first year of the pandemic. These reports are part of a broader push by Congress and the Biden administration to examine current telehealth flexibilities and determine how to extend them beyond the COVID-19 PHE.


Texas Abortion-related Litigation ‘just getting started’

It was a busy end of August for abortion-related litigation in Texas. Multiple pro-reproductive justice nonprofit groups sued Texas Attorney General Ken Paxton and other prosecutors to protect the ability of pregnant Texans to obtain abortions in outside states, and Texas’ new trigger ban law went into effect. In this MedCity News article, McDermott Partner Caroline Reignley notes how the US Supreme Court’s landmark Dobbs decision “did not end the debate over abortion or limit court intervention.”


HHS Issues Proposed Rule Under Section 1557 of the Affordable Care Act: Nondiscrimination in Health Programs and Activities

On August 4, 2022, the US Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM or proposed rule) to reinterpret section 1557 of the Affordable Care Act (ACA), which prohibits discrimination on the basis of race, color, national origin, sex, age or disability in a health program or activity, any part of which is receiving federal financial assistance. The proposed rule restores and strengthens certain civil rights protections under federally funded health programs and HHS programs which were limited following the 2020 Trump-era version of the rule, specifically regarding discrimination on the basis of sex, including sexual orientation and gender identity, and returns certain protections for individuals with limited English proficiency (LEP). Additionally, the proposed rule bolsters protections against discrimination in healthcare by clarifying that funds received under several federal healthcare programs, including Medicare Part B, are included in the definition of federal financial assistance under the law. As such, under the proposed rule, the list of entities expected to comply with the nondiscrimination measures outlined in Section 1557 of the ACA is significantly expanded, in many ways aligning with the 2016 Obama-era version of the rule. The NPRM also proposes to expand the applicability of the post-Bostock interpretation of “on the basis of sex” to Medicaid, Children’s Health Insurance Programs (CHIP) and Programs of All-Inclusive Care for the Elderly (PACE). For now, portions of the 2020 Final Rule not discordant with Bostock continue to apply.

