Privacy and Security Law Blog : Privacy & Security Law Blog : Davis Wright Tremaine LLP : Seattle, Los Angeles, Washington D.C., New York, San Francisco, Shanghai, Portland and Anchorage Law Firm

Nov. 10, 2011, 1:00pm:  Enforcement Trends in Health Care with Adam Greene

Over the past couple of years, we have seen a significant increase in enforcement of health care privacy laws at both the federal and state level. On November 10th at 1:00 pm EST, Davis Wright Tremaine’s Adam Greene will be presenting on this topic on a webinar of the International Association of Privacy Professionals.  More information, including registration, is available at https://www.privacyassociation.org/events_and_programs/web_conferences/.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

By Adam H. Greene

On Sept. 19, 2011, the U.S. Department of Health and Human Services (HHS) announced recommendations from an internal Text4Health Task Force on ways in which HHS can best utilize text messaging to improve population health. One of the issues raised by the Task Force is the need for further research and guidance on the privacy and security of health text messaging.

Continue Reading...

• Email This
• Print
• Comments
• Trackbacks
• Share Link

By Adam H. Greene

On Sept. 12, 2011, HHS announced the appointment of Leon Rodriguez as the Director of the Office for Civil Rights, the agency responsible for administering and enforcing the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy, security, and breach notification rules. Mr. Rodriguez is coming from the Department of Justice Civil Rights Division, where he served as the Deputy Assistant Attorney General and chief of staff. He has extensive experience as a prosecutor at Department of Justice, a defense attorney in private practice, and as the county attorney for Montgomery County, Maryland.

Continue Reading...

• Email This
• Print
• Comments
• Trackbacks
• Share Link

This posting has been modified as of Sept. 8, 2011. Audit contracts are now available here.

By Adam H. Greene

In July 2011, DWT issued an advisory on HHS’ recent awarding of a contract to KPMG to conduct HIPAA privacy and security audits, available here. Since that time, we have obtained copies of the audit contracts, available here, and heard from the HHS Office for Civil Rights, shedding some additional light on what covered entities can expect:

• Audits that uncover major violations may lead to formal enforcement;
• The audits will focus on general privacy and security compliance;
• The contractor is expected to precede site visits with advanced requests for documentation, thereby providing some level of advanced notice;
• Audit teams are expected to consist of three to five persons and site visits are expected to last two to five days; and
• Pilot testing of the audit protocol is likely to begin later this year and proceed through January 2012, with the full round of audits occurring through the remainder of the year.

Continue Reading...

• Email This
• Print
• Share Link

HHS has announced its fourth HIPAA formal settlement agreement in less than a year (which does not even include $4.3 million civil money penalty that was also imposed). Adam Greene discusses this new level of HIPAA enforcement, highlights some of the lessons learned from the first settlements, and points to the government's upcoming enforcement opportunities that could bring a new wave of HIPAA headlines. To read more, click here.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Earlier this month, HHS awarded a contract to KPMG to conduct as many as 150 HIPAA privacy and security audits through December 31, 2012. Adam Greene explores the limited information that has been publicly released about these upcoming audits, including a number of questions they raise. The advisory can be found here.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Next up in our series of advisories relating to emerging issues under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), previous installments of which can be found here and here, Adam Greene looks at a recent proposed HIPAA Privacy Rule expansion that would significantly impact financial institutions that  serve as "business associates" to HIPAA-covered entities, by potentially requiring them to furnish lists of their employees to those entities’ patients/enrollees.  The advisory can be found here.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Check out our most recently posted HIPAA-related advisory, by Adam Greene and Michael Sloan.  It explains how telecommunications carriers and Internet service providers (ISPs) may, without even knowing it, be subject to the privacy, security, and breach notification requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) rules.  It also offers suggestions on how such service providers can start thinking critically about whether they are potentially covered, and other steps they should consider taking.  You can find the advisory here.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

By Adam H. Greene

Dr. Richard Kaye, a former medical director of the Psychiatric Care Center at Sentara Obici Hospital (Suffolk, Virginia), was indicted on June 21, 2011, in the U.S. District Court for the Eastern District of Virginia, on three counts of violating the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The indictment is significant in that it is the first criminal prosecution under HIPAA premised on communications with a patient’s employer.

Continue Reading...

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The DWT PrivSecBlog is pleased to welcome a new contributor from whom visitors will start seeing posts from time-to-time, Adam H. Green. Adam is a veteran health law attorney and former key regulator at the U.S. Department of Health and Human Services, where he played a fundamental role in administering and enforcing HIPAA privacy, security, and breach notification rules, and where his responsibilities included determining how HIPAA rules apply to new and emerging health information technologies.

Continue Reading...

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Posted by Tom Jeffry

Last week, under pressure from privacy rights activists, Vermont Senator Patrick Leahy introduced an amendment to the Wired for Health Care Quality Act [S.1693].  Until then, this bill was nurtured along by proponents of health information networks and was poised to be “hotlined” for unanimous consent without debate in Congress.  

The proposed amendment uses language familiar to those of you who have read HIPAA.  Terms such as “protected health information” and “notice of privacy practices” appear in both the HIPAA regulations and the proposed amendment. However, the definitions are dramatically different.  For example, the proposed amendment to S. 1693 includes genetic and biometric information in the definition of protected health information and expands it to information collected or used by health researchers, schools and universities, and employers.  The scope of HIPAA was limited to those traditionally engaged in the delivery of health care such as providers and payers. Continue Reading...

• Email This
• Print
• Comments
• Share Link

Posted by Thomas Jeffry

Intel CEO Paul Otellini was quoted recently in the  Financial Times attacking the healthcare industry as "the slowest moving industry in the world" because it was the least penetrated by IT. 

Mr. Otellini’s comments follow several post-mortem reports posted last week by Health Affairs  discussing the reasons for the demise of the Santa Barbara County Care Data Exchange (SBCCDE) last December. SBCCDE was considered a pioneer for community-based electronic health information exchange (HIE) also know as regional health information organization (RHIO). In principle, HIEs are intended to create a simple and secure way to electronically share patient data between health care providers, caregivers, and consumers.

Continue Reading...

• Email This
• Print
• Comments (1)
• Share Link

Posted by Thomas Jeffry

An interesting development from the American Medical Association is worth noting.

The AMA House of Delegates met in Chicago at the end of June where it received a report previously requested by that group’s governing body on the medical and ethical implications of the use of implantable radio frequency identification (RFID) microchips in humans. Use of RFID chips were approved for use in humans by the Food & Drug Administration in 2004. Similar versions of such chips are commonly used to tag pet dogs and cats for identification purposes. 

Continue Reading...

• Email This
• Print
• Comments (1)
• Share Link

Posted by Peerapong Tantamjarik

While not involving computer hackers, here's a story about an old-fashioned invasion of privacy. The Kansas City Star reported on September 28th that a University of Missouri hospital faces a class-action lawsuit after allegedly releasing confidential medical records for hundreds of patients to a company it hired to solicit business. The suit was filed earlier this year on behalf of approximately 800 patients with liver diseases, including hepatitis C. The complaint alleges that records were turned over by University Hospital's internal medicine chairman to a home health care provider dba Option Care, who then allegedly called the patients in an effort to sell them antiviral drugs and keep them in the hospital network. The Option Care nurse who contacted the patients using the list from the hospital stated that the calls were not for solicitation, but for patient safety.

Continue Reading...

• Email This
• Print
• Comments (3)
• Share Link