Health Law



HIPAA, HITECH and Health Information Technology Blog

William Maruca, Michael Kline and Elizabeth Litten maintain a blog that provides information regarding current legal and practical issues that health care providers and businesses must consider with regard to the exchange of health information, including the use of electronic health records (EHR). The HIPAA Privacy Rule and Security Rule requirements are among the legal standards that must be complied with when utilizing EHR, as well as when sharing and exchanging health information in general. This blog also considers possible solutions for navigating the legal and other barriers to establishing an EHR system and infrastructures for the beneficial exchange of health information.


Recent Blog Posts

  • The Blindfolded Business Associate: New HHS Guidance on HIPAA & Cloud Computing
    According to the latest HIPAA-related guidance (Guidance) published by the U.S. Department of Health and Human Services (HHS), a cloud service provider (CSP) maintaining a client’s protected health information (PHI) is a business associate even when the CSP can’t access or view the PHI. In other words, even where the PHI is encrypted and the CSP lacks the decryption key, the CSP is a business associate because it maintains the PHI and, therefore, has HIPAA-related obligations with respect to the...
  • Six Tips for a Small Business to Avoid HIPAA Security Breach Headaches
    Last week, I blogged about a recent U.S. Department of Health and Human Services Office of Civil Rights (OCR) announcement on its push to investigate smaller breaches (those involving fewer than 500 individuals). The week before that, my partner and fellow blogger Michael Kline wrote about OCR’s guidance on responding to cybersecurity incidents. Today, TechRepublic Staff Writer Alison DeNisco addresses how a small or medium sized business (MSB) can deal with the heightened threat of OCR investigations or lawsuits emanating...
  • Small HIPAA Breaches, Big HIPAA Headaches
    What you might have thought was not a big breach (or a big deal in terms of HIPAA compliance), might end up being a big headache for covered entities and business associates. In fact, it’s probably a good idea to try to find out what “smaller” breaches your competitors are reporting (admittedly not an easy task, since the “Wall of Shame” only details breaches affecting the protected health information (PHI) of 500 or more individuals). Subscribers to the U.S. Department of...
  • Eight Tips to Confront the New Initiative by HHS on PHI Security
    In a recent Guidance, the Office of Civil Rights of the U.S. Department of Health and Human Services (“OCR”) appears to have attempted to reverse an impression that its emphasis is more on privacy of protected health information (“PHI”) than on security of PHI. Its July 2016 article draws attention to the need by covered entities and business associates for equal attention to PHI security. Relative to this OCR initiative, our partner Elizabeth Litten and I were recently featured again by our good...
  • Happy HIPAA 20th Birthday!
    HIPAA turns 20 today. A lot has changed in the two decades since its enactment. When HIPAA was signed into law by President Bill Clinton on August 21, 1996, DVDs had just come out in Japan, most people used personal computers solely for word processing, the internet domain had just come online, Apple stock was at a ten-year low, and Microsoft Windows CE 1.0 would soon be released (in November of 1996 as a portable operating system solution). In...
  • Nine Tips for Avoiding HIPAA Breaches When Responding to Widespread Healthcare Emergencies
    The aftermath of the Orlando nightclub tragedy has led to much discussion about ways that healthcare providers can and should deal with compliance with health information privacy requirements in the face of disasters that injure or sicken many individuals in a limited time frame. One aspect is the pressure to treat patients while simultaneously fulfilling the need to supply current and relevant information to family, friends and the media about patient status without breaching HIPAA by improperly disclosing protected health information...
  • Is Your Facility a PokéStop? (A what?)
    Are strangers wandering around your health care facility with their noses buried in their smartphones? And if so, what should you do about it? They’re playing Pokémon GO, a location-based augmented reality mobile game that was released for iOS and Android devices on July 6, 2016. Its popularity exceeded all expectations (my kids are probably playing it right now). The game’s objective requires players to search in real-world locations for icons that appear on a GPS-like virtual map. The icons may...
  • “I Want My PHI”, Part 2 – OCR Audits Will Focus on Individual Access Rights
    We blogged on this back in early May, but compliance with individuals’ rights to access their PHI under HIPAA is even more critical now that OCR has announced that its current HIPAA audits will focus on an audited Covered Entity’s documentation and process related to these access rights. In an email sent to listserv participants on July 12, 2016 from [email protected], the U.S. Department of Health and Human Services (HHS) included the following list of areas of focus for the desk...
  • Lack of Preparedness and Government Access Top Data Security Agenda
    The private sector is still not prepared – and generally lacks the knowledge – to respond effectively to a major cyber breach, according to 80 percent of respondents in a survey released by Fox Rothschild LLP. “There is an alarming lack of awareness at the senior level when it comes to data governance practices in the private sector” said Fox partner Scott Vernick, who chairs the firm’s data security and privacy practice. In its survey of cybersecurity professionals and risk experts across insurance, legal...
  • Health Care Providers: Have You Considered HIPAA Compliance for Your Practice’s Group Health Plans?
    Contributed by Elizabeth R. Larkin and Jessica Forbes Olson. Health care providers know about and have worked with HIPAA privacy and security rules for well over a decade. They have diligently applied it to their covered entity health care provider practices and to their patients and think they have HIPAA covered. What providers may not realize is that they may actually have two separate HIPAA covered entities. A provider that offers an employee group health plan (which includes a self-insured medical, dental,...