HIPAA & Health Information Technology Blog

William Maruca, Michael Kline and Elizabeth Litten maintain a blog that provides information on current legal and practical issues that health care providers and businesses must consider when exchanging health information, including the use of electronic health records (EHR). The HIPAA Privacy Rule and Security Rule requirements are among the legal standards that must be met when using EHR and when sharing or exchanging health information in general. The blog also considers possible solutions for navigating the legal and other barriers to establishing an EHR system and an infrastructure for the beneficial exchange of health information.


Physician Law Blog

Todd A. Rodriguez and Edward J. Cyran maintain a blog that can be used as a resource for current legal issues and news affecting physicians and other non-institutional health care providers. Their blog provides updates on new legislation and legal issues relating to practice management, billing and coding, ancillary services, malpractice insurance, fraud and abuse developments and other important legal issues affecting physicians in their personal and professional lives.


Recent Blog Posts

  • Foreshadowing HIPAA Trends for 2020 As she has done for a number of years now, our good friend Marla Durben Hirsch highlighted Fox Rothschild (Fox) lawyers in her annual predictions articles in the January 2020 issue of Medical Practice Compliance Alert (MPCA). In her first article, entitled “Technology will propel compliance trends in 2020”, Marla included the following quotes from Fox attorneys on a number of prediction items: In making the prediction “Ransomware will not abate”, Fox partner William Maruca stated, “Cybersecurity attacks will ramp up...
  • CA Senate Proposes Expanded CCPA Carve-Outs Related to HIPAA, Biomedical Research On the sixth day of CCPA the California Senate Health Committee gave to me … a HIPAA carve-out. AB 713, reported favorably by the California Senate Health Committee, would expand the exemption related to HIPAA and medical research. Specific carve-outs: De-identified PHI or medical information, provided that the business does not attempt to, and does not actually, re-identify the information; “business associates”; personal information collected for, or used in, biomedical research subject to institutional review board standards and the Common Rule; personal information collected for or used in research,...
  • HIPAA versus FERPA: New Joint Guidance Highlights Emergencies and Complexities More than eleven years have passed since the U.S. Department of Health and Human Services (HHS), the agency responsible for the privacy of protected health information under HIPAA, and the U.S. Department of Education (DOE), the agency responsible for the privacy of student records under FERPA, issued joint guidance on the interplay between HIPAA and FERPA. New joint guidance issued earlier this month (the “2019 Update”) provides updates and helpful clarifications as to when and how HIPAA and FERPA apply. The following 6...
  • 2019 HIPAA BREACHES: THE BOX SCORES It’s that time again for year-in-review articles. On December 16, 2019, Modern Healthcare published an infographic that compares HIPAA breaches that occurred in 2019 to aggregate breach statistics from 2010-2018. The 2019 data was analyzed through the end of November. A few interesting trends appear. Let’s go to the numbers: Breaches by Location: In 2019, 40% of breaches involved email, compared to only 13% during 2010-2018. This may suggest an increase in phishing and more sophisticated “spear-phishing” techniques. Privacy officers should...
  • The California AG May Be Watching You, Covered Entity As Fox partner Odia Kagan posted yesterday, early enforcement of CCPA will focus on data related to kids. In addition, according to a recent article in the San Francisco Chronicle, the California Attorney General will focus on how large companies that deal with sensitive information, including health data, comply with CCPA. A post this past summer warned that compliance with HIPAA or California’s Confidentiality of Medical Information Act (CMIA) does not give a free pass to HIPAA-regulated covered entities, business associates,...
  • Clear Message from OCR: Don’t Ignore (or Overcharge for) Patient Requests for Records Last week, the Office for Civil Rights (OCR) announced its second enforcement action and settlement with a provider for failing to comply with HIPAA’s patient access requirements. Korunda Medical, LLC, a primary care and pain management practice in Florida, agreed to pay $85,000 and comply with a Corrective Action Plan (CAP) as a result of a patient’s complaint that it refused to provide the records in the requested electronic format and charged more than the reasonable, cost-based fee prescribed under...
  • How the Grinch Steals Health Care Data: OCR Warnings and Tips in Time for the Holidays More and more often, health care data is stolen or made inaccessible by targeted ransomware attacks. The Office for Civil Rights (OCR) published a newsletter this week that provides warnings for HIPAA covered entities and business associates. It also provides practical tips to prevent these attacks and to help you survive them. OCR’s warnings should resonate with covered entities and business associates alike: You are a ransomware target. Cybercriminals … found that customizing their attacks to specific, “quality” targets led to an increase in the...
  • Wearable Devices, Wellness Programs, and Health Apps: The Fringes of HIPAA With the explosion of health data flowing through cutting-edge companies, industry stakeholders are left to wonder how wearable devices, wellness programs, health applications, and the like should be regulated. Contrary to common belief, the Health Insurance Portability and Accountability Act (“HIPAA”) does not regulate all health information. HIPAA regulates health information collected and retained by covered entities and imposes downstream obligations on entities called business associates. HIPAA began with a limited purpose and was not created to cover all health information held...
  • One of Three $3 Million Lessons: Encrypt Mobile Devices A large New York hospital system learned this lesson the expensive way. According to a U.S. Department of Health and Human Services (HHS) press release issued earlier this week, the Office for Civil Rights (OCR) investigated a hospital system breach back in 2010 involving the loss of an unencrypted flash drive. According to the press release, OCR provided technical assistance to the hospital system as a result of that breach. The hospital system apparently didn’t follow or benefit from OCR’s technical assistance,...
  • Training Opportunity: Best Practices for Medical Practice Confidentiality, Safekeeping Obligations and HIPAA Join Elizabeth G. Litten and Mark G. McCreary, co-chairs of Fox Rothschild’s Privacy & Data Security Practice Group, in Fox Rothschild’s Exton, Pennsylvania office for a complimentary training on medical practice confidentiality and safekeeping obligations, as well as an update on recent HIPAA issues and best practices for employee training. Hosted by Health Law Practice Co-chair Todd Rodriguez and Partner Al Riviezzo. Who Should Attend: Medical practice health care professionals, including management-level practice administrators, physician leaders and key office staff. Wednesday, November 13,...
  • NY State Law Prohibits Ambulances and First Responders From Selling Patient Data “New York Gov. Andrew Cuomo recently signed legislation that will effectively prohibit ambulance and first response service providers from disclosing or selling patient data to third parties for marketing purposes. The bill was signed into law on October 7. The new law bans the sale of patient data, or individually identifying information, to third parties, other than sales to health providers, the patient’s insurer, and other parties with appropriate legal authority. Under the law, all information that can be used to identify...
  • Pennsylvania’s Electronic Prescription Requirement for Controlled Substances Beginning on October 24, 2019, every licensed health care practitioner in Pennsylvania (excluding veterinarians) will be required to electronically prescribe controlled substances (regardless of the dosage) by sending the prescription directly to a pharmacy via the Internet. Faxes will not qualify as an electronic transmission under the Law. The primary goals of Act 96 of 2018, passed by the Pennsylvania General Assembly on October 24, 2018 (the “Law”), are to fight the opioid epidemic by using electronic prescriptions to minimize medication...
  • Small Doses: Personal Data in NJ Now Includes Online Account Credentials Any practice (whether medical, dental or orthodontic) that gives patients the opportunity to log on to the practice’s website for scheduling, bill payment or other information should note that, as of July 1, 2019, the patient’s login credentials (i.e., username/email address in combination with a password or answer to a security question) will be considered “personal data” under New Jersey law. The new amendment to the definition of “personal data” can be accessed here: Amendment to NJ Personal Data Law. As with...
  • Time for New Jersey Medical Practices to Update Certain Patient Disclosures and Comply with the Surprise Medical Billing Law The New Jersey Out-of-Network Consumer Protection, Transparency, Cost Containment and Accountability Act (the “Law”), New Jersey’s “surprise” medical billing law, went into effect on August 30, 2018. Among other things, it requires licensed health care professionals in New Jersey (including, but not limited to, physicians, physician assistants and nurse practitioners) that bill health benefits plans issued or delivered in New Jersey (“NJ Health Plans”) to make certain patient disclosures regarding participation in such plans. Additional patient disclosures are required for...
  • Diagnostic Imaging Services Must Follow Patient Reporting Obligations Under New PA Law Pennsylvania’s Patient Test Result Information Act, which is set to take effect December 23, 2018, requires diagnostic imaging service providers that identify a “significant abnormality” in their test results to directly notify the patient or his/her designee within 20 days of the completed test, its review and its delivery to the ordering health care practitioner. The new law defines the circumstances under which a patient notice is mandatory, as well as the required information and language that must be included in...