Disclaimer
This publication is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal or financial advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This publication is not intended to create an attorney-client relationship between you and Holland & Hart LLP. Substantive changes in the law subsequent to the date of this publication might affect the analysis or commentary. Similarly, the analysis may differ depending on the jurisdiction or circumstances. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.
HIPAA Enforcement: Lessons from the OCR’s Recent Settlements
In HIPAA. By Kim Stanger
The OCR has announced a surprising number of HIPAA settlements in the past few months with penalties ranging from $10,000 to $6.5 million. Here are some of the key takeaways for healthcare providers:
1. Protect against cyberattacks. Healthcare entities remain a prime target for cyberattacks, with disastrous effects for victims, including providers and patients whose information is compromised or destroyed. The HIPAA security rule is intended to ensure that healthcare entities maintain the integrity, availability and confidentiality of electronic protected health information; successful cyberattacks often expose security rule violations. Premera Blue Cross agreed to pay $6.85 million after a phishing scam deployed malware that affected the information of 10.4 million persons. Another entity agreed to pay $2.3 million after a hacker accessed records of 6.1 million persons. Per the OCR, “The health care industry is a known target for hackers and cyberthieves. The failure to implement the security protections required by HIPAA Rules …. is inexcusable.” https://www.hhs.gov/about/news/2020/09/23/hipaa-business-associate-pays-2.3-million-settle-breach.html. Cybersecurity is a major focus for HHS. In December 2018, the federal government published a guide to help healthcare providers of all sizes protect against cyberthreats, Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients, available at https://www.phe.gov/Preparedness/planning/405d/Pages/hic-practices.aspx. In July 2020, HHS launched its Health Sector Cybersecurity Coordination Center (“HC3”) website, https://www.hhs.gov/about/agencies/asa/ocio/hc3/index.html, to offer additional support for healthcare providers. Cybersecurity is vital not only for regulatory compliance; it is essential to protect patients and ensure continued operation of the provider.
Paying Employees for Referring Healthcare Business
In Anti-Kickback, Employee Benefits, Stark. By Kim Stanger
Many healthcare employers may want to incentivize or compensate their employees for referring patients to or generating business for the employer, but they (appropriately) fear application of the federal Stark law or Anti-Kickback Statute. The “Paying for Referrals” White Paper analyzes these laws and relevant exceptions that may permit referral-based compensation structures under certain circumstances.
Telehealth in Idaho and Elsewhere
In Telehealth. By Kim Stanger
Telehealth expanded dramatically in response to the COVID pandemic. Now that providers, patients, payers and public officials have seen the benefits, it is almost certain that telehealth will continue to play an increasingly important role in our healthcare delivery system. Providers wishing to practice telehealth in Idaho (and elsewhere) must beware the legal and practical requirements, including those set forth in statute or licensing board regulations.
Healthcare Providers: Beware New Information Blocking Rule
In COVID-19, Data Privacy, IT, Provider Networks. By Kim Stanger
Healthcare providers focusing on COVID-19 may have missed the final Interoperability and Information Blocking Rule that was published May 1, 2020 and takes effect November 3, 2020. (45 C.F.R. Part 171). The Rule implements the 21st Century Cures Act and furthers the government’s efforts to enable the exchange of electronic health information (“EHI”) to facilitate better outcomes, lower costs, and greater patient access to information. In general, the Rule prohibits covered actors from blocking the flow of EHI; violations may result in significant civil penalties as discussed below.
Application to Healthcare Providers. The Rule applies to healthcare providers, health IT developers of certified health IT, health information exchanges, and health information networks (collectively referred to as “actors”). “Healthcare provider” is defined to include nearly any entity rendering healthcare, including physicians, practitioners, group practices, hospitals, long term care facilities, clinics, ambulatory surgery centers, and other entities determined appropriate by HHS.
Prohibited Information Blocking. The Rule generally prohibits “information blocking,” i.e., a practice that the healthcare provider “knows…. is unreasonable and is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information” unless (i) the practice is required by law, or (ii) the practice fits within one of the exceptions listed below. (45 C.F.R. § 171.103(a)). Information blocking may occur, for example, when a healthcare provider refuses, ignores, delays, or imposes unreasonable conditions in response to requests to share EHI, including requests from patients, other providers, or payors. (See 85 FR 25811). It may occur when contracts, business associate agreements, license terms, or organizational policies unnecessarily restrict data sharing, or when technology is implemented, configured, or disabled so as to limit system interoperability. (85 FR 82511-12). The Rule generally prohibits any practices that increase the cost, complexity or burdens associated with accessing, exchanging or using EHI, or that limit the utility, efficacy or value of EHI such as diminishing the integrity, quality, completeness, or timeliness of the data. (85 FR 25809). Ultimately, “[a]ny analysis of whether an actor’s practices constitute information blocking will depend on the particular facts and circumstances of the case,” including whether the action rises to the level of an impermissible interference, whether the actor acted with the requisite intent, and whether the actor had control over the EHI or interoperability elements necessary to access, exchange or use the EHI in question. (85 FR 25811 and 25820).
Idaho COVID-Related Civil Liability Immunity – Special Session Legislation
In COVID-19, Idaho Healthcare Law. By William Myers III
When Gov. Little called the Legislature into Special Session on August 24th, he did so with a proclamation that attached draft legislation establishing immunity from liability when a person or company makes “good faith efforts” to undertake activities safely during the coronavirus emergency.
The draft legislation must be introduced and passed in the House and Senate, and that has not happened as of this writing. However, a review of the draft bill attached to the Governor’s proclamation gives an idea of where the legislation may go.