Articles Posted in HIPAA

HealthcareImage_062618-700x525-1-e1682709849274Our healthcare and business law firm works with healthcare businesses to assist in compliance matters, including the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.  The HITECH Act was designed to strengthen HIPAA in many ways.  A question our healthcare business-owning clients often have is whether patients with insurance can choose to pay cash instead of billing to insurance.  This post focuses on what the HITECH Act states on this subject.  If you have a question about the HITECH Act or would like to discuss this blog post, you may contact our healthcare and business law firm at (404) 685-1662 (Atlanta) or (706) 722-7886 (Augusta), or by email, info@littlehealthlaw.com. You may also learn more about our law firm by visiting www.littlehealthlaw.com.

  • Summary of Self-Pay Rule

Congress passed the HITECH Act in 2009. It provides in part that health care providers must honor a patient’s request—even an insured patient’s request—to pay out-of-pocket for services, and thus not have their Protected Health Information (“PHI”) shared with third parties like billers or insurers—if the patient requests it. The patient, however, must pay in full 42 U.S.C. 17935(a). Continue reading ›

HIPAA-Breaches-Healthcare-Students-e1615468812558On April 11, 2023, U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced its plan to allow the Notifications of Enforcement Discretion issued under HIPAA and the HITECH Act during the COVID-19 Public Health Emergency (PHE) to expire on May 11, 2023.

Early on in the COVID-19 pandemic, the use of telehealth appointments increased dramatically in an effort to prevent the spread of COVID-19 as millions of doctors’ visits and health care examinations were often postponed or even canceled. OCR quickly recognized the critical need to assist the healthcare sector and the public in responding to this unprecedented crisis and in 2020 and 2021, published four Notifications of Enforcement Discretion in the Federal Register regarding how the Privacy, Security, Breach Notification, and Enforcement Rules under HIPAA would be applied to certain violations during the PHE. Continue reading ›

Cooperation-e1683920749306For the better part of the last three years, many healthcare providers either voluntarily or by force have put many of the mandated HIPAA self-assessment audit requirements on the back burner. As has been seen most recently, that is all about to change…significantly.

By way of background, the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) requires the Department of Health and Human Services to periodically audit covered entities and business associates for their compliance with the requirements of HIPAA.  During these audits, covered entities are often asked to produce policies and procedures as well as evidence that they have been conducting accurate and thorough assessments of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all electronically-protected health information (PHI) that they create, receive, maintain or transmit.To assist these entities in maintaining compliance, the Office of Civil Rights (OCR) has provided many different self-assessment tools, many of which can be found here.

Since the onset of COVID however, many covered entities have been faced with other significant challenges including strict adherence to vaccine and quarantine requirements as well as significant reductions in workforce and discretionary income often needed to conduct such intensive HIPAA self-assessments. Continue reading ›

freestock_1383571985-scaled-e1635348607461Welcome to the third and final post in our three-part HIPAA Breach series! In the first post, HIPAA Breach Primer: Part 1—The Risk Assessment, we provided an overview of HIPAA requirements and how to conduct a Risk Assessment to determine the risk that a HIPAA violation occurred. In the second post, HIPAA Breach Primer: Part 2—Patient Notification, we outlined requirements and considerations when the rules require patient notification.

This post explores the last step—reporting the breach to the U.S. Department of Health and Human Services (HHS).  Note, this post and series do not address state privacy laws or attendant state notification or reporting requirements upon a breach.  If you have questions regarding this blog post, conducting a HIPAA risk analysis, your reporting and notification requirements under HIPAA, or other privacy-related matters, you may contact us at (404) 685-1662 (Atlanta) or (706) 722-7886 (Augusta), or by email, info@littlehealthlaw.com. You may also learn more about our law firm by visiting www.littlehealthlaw.com.

Timing of Report

If the Risk Assessment revealed that a HIPAA breach likely occurred, the next step is to think about what notice is required.  In addition to notifying impacted patients, the Covered Entity (or, in some circumstances, Business Associate) must report the breach to the Secretary of HHS.  If a breach affects 500 or more individuals, the timing for reporting to HHS is the same as for notifying patients—without unreasonable delay and in no case later than 60 days following a breach.

Continue reading ›

ehrsiner_770-e1634851226990Welcome to the second post in our three-part HIPAA Breach series! In the first post, HIPAA Breach Primer: Part 1—The Risk Assessment, we provided an overview of HIPAA requirements and how to conduct a Risk Assessment to determine the risk that a HIPAA violation occurred. To recap, there are generally three initial steps a practice takes in the face of a potential HIPAA breach.  First, performing a risk assessment to determine whether a breach, in fact, occurred.  Second, if the risk assessment reveals a probability that personal health information (PHI) was likely compromised, then the patients involved must be notified.  Third, the breach must be reported to HHS’s Office of Civil Rights (OCR).

This post explores the second step—notifying patients.  Future posts will discuss the third step required if the risk assessment reveals a breach occurred.  Note, this post and series do not address state privacy laws or attendant state notification or reporting requirements upon a breach.  If you have questions regarding this blog post, conducting a HIPAA risk analysis, your reporting and notification requirements under HIPAA, or other privacy-related matters, you may contact us at (404) 685-1662 (Atlanta) or (706) 722-7886 (Augusta), or by email, info@littlehealthlaw.com. You may also learn more about our law firm by visiting www.littlehealthlaw.com.

Continue reading ›

data-storage-1-1155466-mWelcome to the first post in our three-part HIPAA Breach series! Our healthcare and business law firm often works with medical practices to determine whether an act involving patient privacy constitutes a violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requiring notification and reporting of any breach.  By law, a patient’s health information can only be used and disclosed for specific reasons.  When there is a risk that patient information has been accessed, used, or disclosed in a way that is not permitted, there may be a HIPAA violation.  More information about the HIPAA rules can be found on our website here and the U.S. Department of Health and Human Services’ (HHS) website here.  There are generally three initial steps a practice takes in the face of a potential HIPAA breach.  First, performing a risk assessment to determine whether a breach, in fact, occurred.  Second, if the risk assessment reveals a probability that personal health information (PHI) was likely compromised, then the patients involved must be notified.  Third, the breach must be reported to HHS’s Office of Civil Rights (OCR).

This post is the first of a three-part series on HIPAA breaches.  This post explains the first step—conducting the risk assessment.  Future posts will discuss the second and third steps required if the risk assessment reveals a breach occurred.  Note, this post and series do not address state privacy laws or attendant state notification or reporting requirements upon a breach.  If you have questions regarding this blog post, conducting a HIPAA risk analysis, your reporting and notification requirements under HIPAA, or other privacy-related matters, you may contact us at (404) 685-1662 (Atlanta) or (706) 722-7886 (Augusta), or by email, info@littlehealthlaw.com. You may also learn more about our law firm by visiting www.littlehealthlaw.com.

Continue reading ›

By: Brian Field

6E9A1516-lower-res-e1630337874585

With the ever-changing climate of technology, the Health Insurance Portability and Accountability Act (HIPAA) continues to make patient-centered modifications intended to protect personal health records. Key components to the most recent updates to HIPAA include prohibition of records withholding.

The inspiration for the recent changes come from the Office of Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS).  A goal of both entities is to protect the health of all Americans and ensure essential human services. The OCR continues to reinforce a focus on patients regarding health and health records by aiming to eliminate technical barriers and reducing or eliminating cost to patients.

Following HIPAA law changes can be daunting, but if there is one thing to keep in mind, it is that HIPAA prioritizes patients. The information below is a snapshot of what you should know as you navigate health records storage for your patients before, during, and after their care with you has ended:

Continue reading ›

As a healthcare and business law firm, we assist many clinical laboratories in compliance and regulatory matters, and because of COVID-19, Georgia has seen a rise in the number of clinical lab-testing-adobe-stock-300x200laboratories.  A compliance question faced by many of our clients, particularly those who conduct COVID-19 testing, is how to properly maintain and share patient records.  Herein, we note some of the rules around retaining and sharing patient records under Georgia law for clinical laboratories.

Record Retention

Georgia Code, Title 31, Chapter 22 provides rules for Clinical Laboratories.  For entities that meet the definition of “clinical laboratory,” section 31-22-4(f) provides that “[r]ecords involving clinical laboratory services and copies of reports of laboratory tests shall be kept for the period of time and in the manner prescribed by the department.”  The department refers to the Georgia Department of Community Health (“DCH”).  DCH’s rules require reports of “all clinical laboratory services, including records of laboratory test requests and reports” to be retained for at least two (2) years for general laboratory records and quality control records, at least five (5) years for records of immunohematology and cytology, and at least ten (10) years for surgical pathology records.  Rule 111-8-10-.26.

Welcome to the third of our business and healthcare law firm’s holiday-themed blog posts. This week’s post is inspired by my favorite holiday movie, A Christmas Story, and the eloquent words websiteshowart15167-300x300Ralphie wrote: “A Red Ryder BB gun with a compass in the stock, and this thing which tells time.” Analyzing Ralphie’s literary genius, he gave Miss Shields three enticing facts: the main description, a vital component, and an interesting addition. Following suit, I will provide three enticing facts of CMS’ new proposed rule.

First, the shortened name of the rule is: “Reducing Provider and Patient Burden by Improving Prior Authorization Processes and Promoting Patients’ Electronic Access to Health Information.”  According to CMS, the purpose of the proposed rule is “[t]o drive interoperability, improve care coordination, reduce burden on providers and payers, and empower patients.” The ingenuity of the proposed rule stems from the fact that it is not only designed to grant patients better access to their records; it is designed to grant all vital parties’ necessary access to records—meaning patients, payors, and providers.

Second, the new rule requires each payer to use an Application Programming Interface (“API”) that allows each payer’s system to communicate with other payers. The new rule also does not require patients to request the transfer of claims data.  As such, a patient’s new payer will have access to all of his or her claims data almost immediately upon enrollment. Importantly, on the new API, payers can send “patient claims, encounter data, and clinical data directly to providers[].” Verma, Seema, Reducing Provider and Patient Burden and Promoting Patients’ Electronic Access to Health Information, CMS.gov (Dec. 10, 2020). 

AOA WebinarOn April 6, 2020, Lee Little Health Law co-presented with Brian Tuttle, Navigating HIPPAA and Telemedicine during COVID19.

The United States Office for Civil Rights (OCR) has issued new COVID-19 guidance on various aspects of its jurisdiction under both HIPAA and the federal civil rights laws.  Many of these changes were directly relating to telemedicine and relaxing some of the HIPAA Security and Privacy regulations.  However, this DOES NOT mean we can just use any technology we want to, there are still guidelines.  This in-depth 60-minute webinar discussed the do’s and don’ts relating to telemedicine during this national emergency caused by COVID19.

Contact Information