Disclaimer
This publication is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal or financial advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This publication is not intended to create an attorney-client relationship between you and Holland & Hart LLP. Substantive changes in the law subsequent to the date of this publication might affect the analysis or commentary. Similarly, the analysis may differ depending on the jurisdiction or circumstances. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.
Privacy Policy
View our privacy policy.
HIPAA, Psychotherapy Notes, and Other Mental Health Records
/in Data Privacy, HIPAABy Kim Stanger
The HIPAA privacy rules give special protection to “psychotherapy notes,” but providers often misunderstand what are and are not covered and how they differ from other mental health records.
I. “Psychotherapy Notes” Defined.
Contrary to popular belief, HIPAA does not provide special protection to mental health records in general, but it does give added protection to “psychotherapy notes”. As defined by HIPAA,
Psychotherapy notes means notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record. Psychotherapy notes excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: Diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.
CMS Issues Final Rule on Price Transparency by Healthcare Facilities
/in Hospitals & Health Systems, LegislationBy Little V. West, Kaitlyn Luck, and Lisa Carlson
On November 15, 2019, CMS issued a final rule pursuant to President Trump’s June 24, 2019, Executive Order to ensure price transparency by healthcare facilities. This price transparency rule will go into effect January 1, 2021, and will require hospitals operating within the United States to establish, update, and publicize all standard charges for all items and services provided by the hospital. Hospitals will also be required to display, in a consumer-friendly manner, standard charges for at least 300 shoppable services provided by the hospital. The stated purpose of this rule is to “increase market competition, and ultimately drive down the cost of healthcare services, making them more affordable for all patients.”
Read more
Encrypt Your Devices or Face HIPAA Penalties
/in Uncategorizedby Kim Stanger
This week, the Office for Civil Rights (“OCR”) announced a $3,000,000 HIPAA settlement arising from a medical center’s loss of an unencrypted laptop and flash drive. (https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/urmc/index.html). This is simply the latest of many HIPAA settlements based on the failure to encrypt mobile devices. Similar settlements have arisen from lost or stolen smartphones, computers, hard drives, or other electronic media that were not properly encrypted.
Encryption is an addressable standard under the HIPAA Security Rule, which generally requires covered entities and business associates to “[i]mplement a mechanism to encrypt and decrypt electronic protected health information” and, for such data transmitted over a network, to “[i]mplement a mechanism to encrypt electronic protected health information whenever deemed appropriate.” (45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii)). The OCR explained the standard in a FAQ:
Read more
Contacting Parents, Spouses or Others to Obtain Payment
/in UncategorizedBy Kim Stanger
Healthcare providers sometimes mistakenly assume that they cannot contact a patient’s spouse, parents, or other third parties to obtain payment without the patient’s consent. However, HIPAA generally allows healthcare providers to use or disclose protected health information for purposes of obtaining payment without the patient’s consent or authorization unless the provider has agreed otherwise with the patient. (45 CFR §§164.506(a), (c) and 164.524(a)). The Office for Civil Rights (“OCR”) published the following FAQ discussing this rule:
Does the HIPAA Privacy Rule permit a covered entity or its collection agency to communicate with parties other than the patient (e.g., spouses or guardians) regarding payment of a bill?
Read more
CMS Issues Final Rule for Hospitals & Home Health Agencies for Patient Discharge Planning
/in MedicareBy J. Malcolm (Jay) DeVoy and Lisa Carlson
On September 26, 2019, the Centers for Medicare and Medicaid Services and Department of Health and Human Services published commentary and its final rule affecting how hospitals, including critical access hospitals (“CAHs”), and home health agencies (“HHAs”) must plan and document the discharge of patients in order to avoid re-admissions.1 CMS published this new rule with commentary in the Federal Register on September 30, 2019.2
In order to “empower patients to make informed decisions about their care as they are discharged”3 from hospitals or transferred from HHAs to the post-acute care (“PAC”) setting, CMS adopted this final rule under the Improving Medicare Post-Acute Care Transformation Act (“IMPACT Act”) of 2014. CMS’s final rule is predicated on hospitals, CAHs and HHAs using the quality and resource use information CMS gathers from HHAs, skilled nursing facilities (“SNFs”), inpatient rehabilitation facilities (“IRFs”), and long-term care hospitals (“LTCHs”) under the IMPACT Act. Hospitals, CAHs, and HHAs must now provide this information to patients and their caregivers so that they may consider it when selecting the PAC provider or services they will utilize to continue their treatment. Read more