Health Law



HIPAA, HITECH and Health Information Technology Blog

William Maruca, Michael Kline and Elizabeth Litten maintain a blog that provides information regarding current legal and practical issues that health care providers and business must consider with regard to the exchange of health information, including the use of electronic health records (EHR). The HIPAA Privacy Rule and Security Rule requirements are among the legal standards with which there must be compliance when utilizing EHR, as well as sharing and exchanging health information in general. This blog also considers possible solutions to maneuver the legal and other barriers to establishing an EHR system and infrastructures for the beneficial exchange of health information.

View the HIPAA, HITECH and Health Information Technology Blog

Recent Blog Posts

  • Employer Collection of COVID-19 Data and Employee Privacy The following post is adapted from an article written by Fox Rothschild attorneys Wayne Pinksone and Lucy Li, available here. OSHA recently published guidance for “nonessential businesses” that are intending to reopen and allow their employees to return to work. This guidance is intended to supplement the U.S. Department of Labor and U.S. Department of Health and Human Services’ existing Guidance on Preparing Workplaces for COVID-19 and the White House’s Guidelines for Opening up America Again. Additionally, employers should continue to monitor state and local guidelines for... More
  • FTC Offers Tips for Data Protection in Products Related to Fighting COVID-19 From Fox Rothschild’s Privacy Compliance & Data Security blog The Federal Trade Commission (FTC) has offered tips for data protection during the COVID-19 crisis. Consider privacy and security as you’re developing your products and services, and not after launch. Although we will be flexible and reasonable when it comes to bringing enforcement actions against companies engaged in good faith, thoughtful efforts to address the effects of the pandemic, it doesn’t pay to be in the news for privacy and security problems. Use privacy... More
  • Don’t Get Sprayed: CISA Alert Reminds Health Care Entities to Use Strong Passwords A joint Alert from the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and the U.K.’s National Cyber Security Centre (NCSC) warns of new cyber attacks targeting COVID-19-related information. Notably, these attacks succeed when system users have weak or common passwords.  NCSC published frequently found passwords here, many of which are used by cyber criminals to gain access networks that contain sensitive research and health care information.  The Alert warns that cyber criminals have been using “password spraying”,... More
  • OCR Webinar on HIPAA and COVID-19: Key Points for Covered Entities and Business Associates Fox Rothschild LLP partner Beth Larkin listened to the HHS Office for Civil Rights 4/24/20 webinar (which should be posted on its website at some point) regarding HIPAA and COVID-19 and took notes. Here’s my summary of key points, based on Beth’s notes: Overview: OCR stresses that the HIPAA Rules are supposed to be balanced and flexible.  The HIPAA Rules do not prohibit sharing PHI, they just require covered entities and business associates to take appropriate steps to safeguard PHI in... More
  • New York Attorney General Warns Health Care Industry of COVID-19 Cyber Scams The New York Attorney General has issued a warning to healthcare providers, hospitals, and other organizations within the health supply chain that cyber criminals are using targeted COVID-19 phishing emails and texts to gain access to sensitive information.  Multiple reports indicate that scammers are sending emails and texts to get a recipient to click on a link purporting to share COVID-19 information that in reality installs malware or permits access to steal passwords and other sensitive information. Details in this post... More
  • OCR Warning: Phone Scammer Posing as Investigator to Obtain PHI The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued a warning that it has received reports that someone has been impersonating an OCR inspector in an effort to access HIPAA Protected Health Information (PHI). According to the agency: “The individual identifies themselves on the telephone as an OCR investigator, but does not provide an OCR complaint transaction number or any other verifiable information relating to an OCR investigation. HIPAA covered entities and business associates should alert... More
  • Dos and Don’ts from OCR’s Guidance and FAQs on Telehealth and HIPAA On March 20, 2020, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) published Guidance and a list of FAQs related to the provision of telehealth and HIPAA compliance. “OCR will exercise enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.  This notification is effective immediately.” Here are several... More
  • Medicare and OCR Relax Telehealth Rules Under Medicare and HIPAA By Margaret J. Davino, Salvatore J. Russo and Nawa A. Lodin In the Medicare Telemedicine Healthcare Provider Fact Sheet published March 17, 2020, the Centers for Medicare & Medicaid Services (CMS) broadened access to Medicare telehealth services to allow Medicare patients to receive more services from their doctors without travel to a health care facility. This benefit is available on a temporary and emergency basis under the 1135 waiver authority and Coronavirus Preparedness and Response Supplemental Appropriations Act, to provide telemedicine services during the national... More
  • COVID-19 Update: Limited Waiver of HIPAA Sanctions and Penalties for Certain Hospitals Effective March 15, 2020, certain hospitals that fail to comply with specific HIPAA Privacy Rule requirements will not be subject to HIPAA sanctions and penalties, according to a “COVID-19 & HIPAA Bulletin” issued by U.S. Health and Human Services Secretary Alex M. Azar. The waiver was implemented as a response to President Trump’s recent declaration of a nationwide emergency concerning COVID-19 and Secretary Azar’s declaration of a public health emergency on January 31, 2020. Note that this HIPAA waiver is limited.... More
  • HIPAA and COVID-19: ABCs For Working From Home If your company is a covered entity or a business associate, you face unique challenges when workforce members ask or are required to work from home. Hopefully, your company’s HIPAA Security Policies and Procedures address the use of portable devices, whether they are owned by the employer or by the employee, and your HIPAA security risk assessment should take into account any location in which electronic protected health information (PHI) might be created, received, maintained or transmitted.  Still, it’s important... More