HIPAA, HITECH and Health Information Technology Blog

William Maruca, Michael Kline and Elizabeth Litten maintain a blog that provides information regarding current legal and practical issues that health care providers and business must consider with regard to the exchange of health information, including the use of electronic health records (EHR). The HIPAA Privacy Rule and Security Rule requirements are among the legal standards with which there must be compliance when utilizing EHR, as well as sharing and exchanging health information in general. This blog also considers possible solutions to maneuver the legal and other barriers to establishing an EHR system and infrastructures for the beneficial exchange of health information.

View the HIPAA, HITECH and Health Information Technology Blog

Physician Law Blog

Todd A. Rodriguez and Edward J. Cyran maintain a blog that can be used as a resource for current legal issues and news affecting physicians and other non-institutional health care providers. Their blog provides updates on new legislation and legal issues relating to practice management, billing and coding, ancillary services, malpractice insurance, fraud and abuse developments and other important legal issues affecting physicians in their personal and professional lives.

View the Physician Law Blog

Recent Blog Posts

  • The Blindfolded Business Associate: New HHS Guidance on HIPAA & Cloud Computing According to the latest HIPAA-related guidance (Guidance) published by the U.S. Department of Health and Human Services (HHS), a cloud service provider (CSP) maintaining a client’s protected health information (PHI) is a business associate even when the CSP can’t access or view the PHI. In other words, even where the PHI is encrypted and the CSP lacks the decryption key, the CSP is a business associate because it maintains the PHI and, therefore, has HIPAA-related obligations with respect to the... More
  • Six Tips for a Small Business to Avoid HIPAA Security Breach Headaches Last week, I blogged about a recent U.S. Department of Health and Human Services Office of Civil Rights (OCR) announcement on its push to investigate smaller breaches (those involving fewer than 500 individuals).   The week before that, my partner and fellow blogger Michael Kline wrote about OCR’s guidance on responding to cybersecurity incidents.  Today, TechRepublic Staff Writer Alison DeNisco addresses how a small or medium sized business (MSB) can deal with the heightened threat of OCR investigations or lawsuits emanating... More
  • King of Nursing Homes Sentenced to 2 Years in Prison and $786,000 in Repayments and Fines In March 2016, we covered the conviction of Dr. Venkateswara Kuchipudi for violating the federal anti-kickback statute by referring nursing home patients to Sacred Heart Hospital (in Chicago) in exchange for kickbacks. For a summary of the case, please see our post here: Nursing Home Fraud Scam Results in Conviction for King of Nursing Homes Dr. Kuchipudi was convicted of one count of conspiracy to defraud the United States and nine counts of illegally soliciting or receiving benefits in return for... More
  • Small HIPAA Breaches, Big HIPAA Headaches What you might have thought was not a big breach (or a big deal in terms of HIPAA compliance), might end up being a big headache for covered entities and business associates. In fact, it’s probably a good idea to try to find out what “smaller” breaches your competitors are reporting (admittedly not an easy task, since the “Wall of Shame” only details breaches affecting the protected health information (PHI) of 500 or more individuals). Subscribers to the U.S. Department of... More
  • Eight Tips to Confront the New Initiative by HHS on PHI Security In a recent Guidance, the Office of Civil Rights of the U.S. Department of Health and Human Services (“OCR”) appears to have attempted to reverse an impression that its emphasis is more on privacy of protected health information (“PHI”) than on security of PHI. Its July 2016 article draws attention to the need by covered entities and business associates for equal attention to PHI security. Relative to this OCR initiative, our partner Elizabeth Litten and I were recently featured again by our good... More
  • Happy HIPAA 20th Birthday! Co-authored by Elizabeth G. Litten and Michael J. Kline HIPAA turns 20 today.   A lot has changed in the two decades since its enactment.  When HIPAA was signed into law by President Bill Clinton on August 21, 1996, DVDs had just come out in Japan, most people used personal computers solely for word processing, the internet domain had just come online, Apple stock was at a ten-year low, and Microsoft Windows CE 1.0 would soon be released (in November of... More
  • Does Your Practice Have a Leadership Succession Plan? Many medical groups have difficulty developing a succession plan for practice leadership. Some practices do not even have a formal governance structure in place (though they should), but even those that do may find it challenging to identify and train new leaders to assume responsibility when senior physician leaders step down. Having a leadership succession plan in place is critical for a number of reasons. In practices where leadership is handled by one physician or concentrated in a small... More
  • Nine Tips for Avoiding HIPAA Breaches When Responding to Widespread Healthcare Emergencies The aftermath of the Orlando nightclub tragedy has led to much discussion about ways that healthcare providers can and should deal with compliance with health information privacy requirements in the face of disasters that injure or sicken many individuals in a limited time frame. One aspect is the pressure to treat patients while simultaneously fulfilling the need to supply current and relevant information to family, friends and the media about patient status without breaching HIPAA by improperly disclosing protected health information... More
  • Is Your Facility a PokéStop? (A what?) Are strangers wandering around your health care facility with their noses buried in their smartphones? And if so, what should you do about it? They’re playing Pokémon GO, a location-based augmented reality mobile game that was released for iOS and Android devices on July 6, 2016. Its popularity exceeded all expectations (my kids are probably playing it right now). The game’s objective requires players to search in real-world locations for icons that appear on a GPS-like virtual map. The icons may... More
  • What is the Medicare Quality Payment Program and How May It Affect My Practice? There are big changes coming to the Medicare incentive programs as we know them.  Beginning on January 1, 2017, the new Quality Payment Program (the “Program”) will replace all existing Medicare incentive programs with a comprehensive incentive model.  The Program will involve a modified set of EHR Meaningful Use requirements, new quality of care metrics, new cost efficiency goals and “clinical practice improvement activities” (for which physicians will be rewarded for care coordination, beneficiary engagement and patient safety).  The Program... More
  • “I Want My PHI”, Part 2 – OCR Audits Will Focus on Individual Access Rights We blogged on this back in early May, but compliance with individuals’ rights to access their PHI under HIPAA is even more critical now that OCR has announced that its current HIPAA audits will focus on an audited Covered Entity’s documentation and process related to these access rights. In an email sent to listserv participants on July 12, 2016 from [email protected], the U.S. Department of Health and Human Services (HHS) included the following list of areas of focus for the desk... More
  • Lack of Preparedness and Government Access Top Data Security Agenda The private sector is still not prepared – and generally lacks the knowledge – to respond effectively to a major cyber breach, according to 80 percent of respondents in a survey released by Fox Rothschild LLP. “There is an alarming lack of awareness at the senior level when it comes to data governance practices in the private sector” said Fox partner Scott Vernick, who chairs the firm’s data security and privacy practice. In its survey of cybersecurity professionals and risk experts across insurance, legal... More
  • Food for Thought: Is a Free Meal the Way to a Physician’s Heart (and Prescription Pad)? Long gone are the days when drug reps enticed physicians with extravagant meals at five-star restaurants and box seats to the Phillies’ playoffs (and sadly, gone are the days when the Phillies actually made the playoffs). According to a recent study published in the journal, JAMA Internal Medicine, physicians who are provided a meal for less than $20 from drug reps are more inclined to prescribe that rep’s name-brand drug, which is not always covered by insurance, over the less pricy... More
  • Health Care Providers: Have You Considered HIPAA Compliance for Your Practice’s Group Health Plans? Contributed by Elizabeth R. Larkin and Jessica Forbes Olson Health care providers know about and have worked with HIPAA privacy and security rules for well over a decade. They have diligently applied it to their covered entity health care provider practices and to their patients and think they have HIPAA covered. What providers may not realize is that they may actually have two separate HIPAA covered entities. A provider that offers an employee group health plan (which includes a self-insured medical, dental,... More
  • Upcoming Deadline to Apply for ‘Hardship Exception’ to 2015 Meaningful Use Requirements — July 1, 2016 The deadline for providers to file a hardship exception application to the electronic health record (EHR) meaningful use requirements for the 2015 reporting period is July 1, 2016. If you have any concern that your practice or certain eligible professionals in your practice may have been unable to meet the meaningful use requirements for the 2015 reporting period, it may be appropriate for the applicable provider to file a hardship exception application with CMS to avoid future payment adjustments.  Note also that certain provider types... More