HHS Seeks Public Comment on the HIPAA Privacy Rule

Earlier today the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR) issued a Request for Information (RFI) seeking public input on the HIPAA Privacy Rule. Specifically, HHS OCR is interested in how the HIPAA Privacy Rule could be modified to further Secretary Azar’s goal of promoting coordinated, value-based health care. This is the latest RFI issued as part of the “Regulatory Sprint to Coordinated Care” initiative being spearheaded by Deputy Secretary Eric Hargan. Previous RFIs have sought information regarding the Stark Law and the Anti-Kickback Statute. In the press release announcing the HIPAA RFI, HHS OCR emphasized its ongoing commitment to protecting individual privacy and health information, while recognizing that current rules “may limit or discourage information sharing needed for coordinated care or to facilitate the transformation of value-based health care.” The announcement cites stories heard in addressing the opioid crisis about how the HIPAA Privacy Rule stood in the way of needed care. Health care providers and entities are encouraged to submit any information regarding HIPAA provisions that currently present barriers to coordinated, value-based care without meaningfully adding to patient privacy and security of …

Posted in Health Care, HIPAA


Required Reporting of Privileged Information

Arizona physicians must report to the Medical Board “any information that appears to show that a doctor of medicine is or may be medically incompetent, is or may be guilty of unprofessional conduct or is or may be mentally or physically unable to safely engage in the practice of medicine.” A.R.S. § 32-1451(A). In fact, failure to make such a report is itself an act of unprofessional conduct. Id. Physicians typically learn of the unprofessional or incompetent practice of others either: (1) when seeing a new patient for the first time and learning of their past providers’ practices; or (2) when witnessing the potentially unprofessional practices of colleagues or peers. Occasionally, however, a physician may have another provider as her patient. In this case, if a medical condition is causing the patient to be “mentally or physically unable to safely engage in the practice of medicine,” the treating physician likely has an obligation to report her patient to the Arizona Medical Board. See id. The obligation and the potential report, however, raise concerns about physician-patient privilege, HIPAA protections, and other privacy issues. The Arizona Medical Board has taken the position that these …

Posted in direct primary care, Health Care, HIPAA


(Un)Protected Health Information Held for Ransom

Recent experiences of major health care companies offer a reminder of the importance of data security and of following a well-written policy for compliance with the HIPAA Privacy Rule. Lithuanian police reported on Tuesday that a hacking group had illegally obtained and published over 25,000 private photos and personal data from a chain of European plastic surgery clinics. According to the report, the hackers made the theft known and demanded a $385,000.00 ransom for the data. When the demands for payment were refused, the information was published on the Internet. The investigation is in its early stages and it is not clear how many individual patients are affected. Although this breach involves a European provider not covered by HIPAA, it highlights the value and vulnerability of healthcare data. In fact, there have been reports of similar breaches involving potentially millions of American patients. Data security experts have estimated that nearly 1 million new malware threats are released every day, with ransomware being the most common type. The HIPAA Privacy Rule (42 C.F.R. Part 164) requires covered entities to implement administrative, physical, and technical safeguards to guard against the breach of protected health …

Posted in Health Care, HIPAA, Uncategorized


HIPAA and the Cloud’s Shared Responsibility Models

Cloud-based service providers (CSPs), like Amazon Web Services and Microsoft Azure, offer online access to shared computing resources. As such, they have developed a “shared responsibility model” for how CSPs and the companies that use their cloud services will divide responsibility for ensuring security in the cloud. Many companies believe that, if they host protected health information (PHI) with a CSP, it is the CSP that is ultimately responsible for ensuring HIPAA compliance. That is NOT the case. While the CSP will generally be responsible for ensuring that its cloud infrastructure is secure under the HIPAA rules, companies using the cloud services are responsible for ensuring that the use and disclosure of their own PHI, as well as any of their platforms, applications, and operating systems that live in the cloud, comply with HIPAA.

Business Associate Agreements

CSPs that want to do business with a company that is subject to HIPAA (like a hospital or physician) will need to sign a Business Associate Agreement (BAA) with that company before any PHI is transmitted or uploaded. Under this BAA, the CSP generally will agree to maintain appropriate safeguards …

Posted in Cloud Based Services, Health Care, HIPAA
