Blogs

HIPAA & Health Information Technology Blog

William Maruca, Michael Kline and Elizabeth Litten maintain a blog covering current legal and practical issues that health care providers and businesses must consider when exchanging health information, including the use of electronic health records (EHR). The HIPAA Privacy Rule and Security Rule are among the legal standards that must be complied with when using EHR and when sharing or exchanging health information more generally. The blog also considers possible solutions for navigating the legal and other barriers to establishing an EHR system and infrastructure for the beneficial exchange of health information.

View the HIPAA & Health Information Technology Blog

Physician Law Blog

Todd A. Rodriguez and Edward J. Cyran maintain a blog that can be used as a resource for current legal issues and news affecting physicians and other non-institutional health care providers. Their blog provides updates on new legislation and legal issues relating to practice management, billing and coding, ancillary services, malpractice insurance, fraud and abuse developments and other important legal issues affecting physicians in their personal and professional lives.

View the Physician Law Blog

Recent Blog Posts

  • Wearable Devices, Wellness Programs, and Health Apps: The Fringes of HIPAA
    With the explosion of health data flowing through cutting-edge companies, industry stakeholders are left to wonder how wearable devices, wellness programs, health applications, and the like should be regulated. Despite common belief, the Health Insurance Portability and Accountability Act (“HIPAA”) does not regulate all health information. HIPAA regulates health information collected and retained by covered entities and imposes downstream obligations on entities called business associates. HIPAA began with a limited purpose and was not created to cover all health information held...
  • One of Three $3 Million Lessons: Encrypt Mobile Devices
    A large New York hospital system learned this lesson the expensive way. According to a U.S. Department of Health and Human Services (HHS) press release issued earlier this week, the Office for Civil Rights (OCR) investigated a hospital system breach back in 2010 involving the loss of an unencrypted flash drive. According to the press release, OCR provided technical assistance to the hospital system as a result of that breach. The hospital system apparently didn’t follow or benefit from OCR’s technical assistance,...
  • Training Opportunity: Best Practices for Medical Practice Confidentiality, Safekeeping Obligations and HIPAA
    Join Elizabeth G. Litten and Mark G. McCreary, co-chairs of Fox Rothschild’s Privacy & Data Security Practice Group, in Fox Rothschild’s Exton, Pennsylvania office for a complimentary training on medical practice confidentiality and safekeeping obligations, as well as an update on recent HIPAA issues and best practices for employee training. Hosted by Health Law Practice Co-chair Todd Rodriguez and Partner Al Riviezzo. Who Should Attend: Medical practice health care professionals, including management-level practice administrators, physician leaders and key office staff. Wednesday, November 13,...
  • NY State Law Prohibits Ambulances and First Responders From Selling Patient Data
    “New York Gov. Andrew Cuomo recently signed legislation that will effectively prohibit ambulance and first response service providers from disclosing or selling patient data to third parties for marketing purposes. The bill was signed into law on October 7. The new law bans the sale of patient data, or individually identifying information, to third parties, outside of sales to health providers, the patient’s insurer, and other parties with appropriate legal authority. Under the law, all information that can be used to identify...
  • Pennsylvania’s Electronic Prescription Requirement for Controlled Substances
    Beginning on October 24, 2019, every licensed health care practitioner in Pennsylvania (excluding veterinarians) will be required to electronically prescribe controlled substances (regardless of the dosage) by sending the prescription directly to a pharmacy via the Internet. Faxes will not qualify as an electronic transmission under the Law. The primary goals of Act 96 of 2018, passed by the Pennsylvania General Assembly on October 24, 2018 (the “Law”), are to fight the opioid epidemic by using electronic prescriptions to minimize medication...
  • Data Privacy and Bias Concerns in AI Health Tech
    Artificial Intelligence (“AI”) refers to algorithmic tools that simulate human intelligence, mimic human actions, and can incorporate self-learning software. AI tech can reduce spending, provide alternative treatment ideas, and improve patient experience, diagnosis, and outcomes. Consider virtual health assistants that deliver medication alerts and patient education, AI used to detect abnormalities in x-rays and MRIs, and AI that gives simultaneous feedback to patients and their physicians from data captured on patient smartphones and wearable devices. But with the...
  • Back to School and Back to BAAs: OCR Guidance Provides Reason to Review BAA Provisions
    Last May, around the time many schools let out for the summer, the Office for Civil Rights (“OCR”) published guidance entitled “Direct Liability of Business Associates” (the “Guidance”), which focuses, not surprisingly, on OCR’s ability to take enforcement action directly against HIPAA business associates. I meant to write about this guidance before Memorial Day, but since the back-to-school season is a good time to get things (including business associate agreements or “BAAs”) in order, this timing feels right. The Guidance caught...
  • Dutch Hospital Fined Under GDPR for Medical Records Access Lapses
    The Dutch Data Protection Authority has levied a fine of 460,000 euros on Haga Hospital for insufficient security following an investigation revealing that dozens of hospital staff had unnecessarily checked the medical records of a well-known Dutch person. In addition, if the hospital has not improved security before October 2, 2019, it must pay 100,000 euros every two weeks, up to a maximum of 300,000 euros. According to DutchNews.nl, the authority’s chairman Aleid Wolfsen said: “The relationship between a healthcare provider and...
  • Do You Need To Worry About The New California Data Privacy Law? Maybe
    The California Consumer Privacy Act (CCPA) will take effect on January 1, 2020 and regulates most entities that collect personal information of California residents. CCPA was patterned after the European Union’s General Data Protection Regulation (GDPR), which took effect on May 25, 2018, and has been called “GDPR-Lite.” In May, Fox Rothschild partner Odia Kagan described when CCPA applies in an Alert that listed the categories of entities who are affected: generally, for-profit businesses who do business in California, collect California consumers’ personal information...
  • Small Doses: Personal Data in NJ Now Includes Online Account Credentials
    Any practice (whether medical, dental or orthodontic) that provides patients with the opportunity to log on to the practice’s website for scheduling, bill payment or other information should note that, as of July 1, 2019, the patient’s login credentials (i.e., username or email address in combination with a password or answer to a security question) will be considered “personal data” under New Jersey law. The new amendment to the definition of “personal data” can be accessed here: Amendment to NJ Personal Data Law. As with...
  • Dutch Data Protection Authority Issues Advisory On Medical Records Under GDPR
    “The right to be forgotten does not apply in principle to medical records. However, as a patient, you may ask your health care provider to remove data from your medical record,” according to the Dutch Data Protection Authority, Autoriteit Persoonsgegevens (AP), which has issued guidance on GDPR and medical records. Key takeaways: For medical data that are not covered by the Medical Treatment Agreement Act, such as nursing care and in-home care, personal data should not be kept longer than necessary. The...
  • Too Much (Protected Health) Information Exposed + Too Little Response = $3M and Corrective Action Plan for Medical Imaging Company
    “TMI” usually means “too much information”, but it was used aptly by the Office for Civil Rights (OCR) as an acronym for a covered entity that exposed protected health information (PHI) of more than 300,000 patients through an insecurely configured server. According to the April 5, 2019 Resolution Agreement, the covered entity, Touchstone Medical Imaging, Inc. (TMI), not only ran a file transfer protocol (FTP) server that allowed uncontrolled access to patient information, making it visible via Google searches, but it seemingly dragged its...
  • Mental Health Apps Sharing Health Data Without Disclosure or Consent
    A study shows that “92 percent of 36 mental health apps shared data with at least one third party — mostly services that help with marketing, advertising, or data analytics.” “About half of those apps did not disclose that third-party data sharing, for a few different reasons: nine apps didn’t have a privacy policy at all; five apps did but didn’t say the data would be shared this way; and three apps actively said that this kind of data sharing wouldn’t...
  • Time for New Jersey Medical Practices to Update Certain Patient Disclosures and Comply with the Surprise Medical Billing Law
    The New Jersey Out-of-Network Consumer Protection, Transparency, Cost Containment and Accountability Act (the “Law”), New Jersey’s “surprise” medical billing law, went into effect on August 30, 2018. Among other things, it requires licensed health care professionals in New Jersey (including, but not limited to, physicians, physician assistants and nurse practitioners) that bill health benefits plans issued or delivered in New Jersey (“NJ Health Plans”) to make certain patient disclosures regarding participation in such plans. Additional patient disclosures are required for...
  • Diagnostic Imaging Services Must Follow Patient Reporting Obligations Under New PA Law
    Pennsylvania’s Patient Test Result Information Act, which is set to take effect December 23, 2018, requires diagnostic imaging service providers that identify a “significant abnormality” in their test results to directly notify the patient or his/her designee within 20 days of the completed test, its review and its delivery to the ordering health care practitioner. The new law defines the circumstances under which a patient notice is mandatory, as well as the required information and language that must be included in...