Articles Posted in Healthcare Information

Welcome to the third and final post in our three-part HIPAA Breach series! In the first post, HIPAA Breach Primer: Part 1—The Risk Assessment, we provided an overview of HIPAA requirements and how to conduct a Risk Assessment to determine the risk that a HIPAA violation occurred. In the second post, HIPAA Breach Primer: Part 2—Patient Notification, we outlined requirements and considerations when the rules require patient notification.

This post explores the last step—reporting the breach to the U.S. Department of Health and Human Services (HHS).  Note, this post and series do not address state privacy laws or attendant state notification or reporting requirements upon a breach.  If you have questions regarding this blog post, conducting a HIPAA risk analysis, your reporting and notification requirements under HIPAA, or other privacy-related matters, you may contact us at (404) 685-1662 (Atlanta) or (706) 722-7886 (Augusta), or by email, info@hamillittle.com. You may also learn more about our law firm by visiting www.hamillittle.com.

Timing of Report

If the Risk Assessment revealed that a HIPAA breach likely occurred, the next step is to think about what notice is required.  In addition to notifying impacted patients, the Covered Entity (or, in some circumstances, Business Associate) must report the breach to the Secretary of HHS.  If a breach affects 500 or more individuals, the timing for reporting to HHS is the same as for notifying patients—without unreasonable delay and in no case later than 60 days following a breach.

Welcome to the second post in our three-part HIPAA Breach series! In the first post, HIPAA Breach Primer: Part 1—The Risk Assessment, we provided an overview of HIPAA requirements and how to conduct a Risk Assessment to determine the risk that a HIPAA violation occurred. To recap, there are generally three initial steps a practice takes in the face of a potential HIPAA breach.  First, performing a risk assessment to determine whether a breach, in fact, occurred.  Second, if the risk assessment reveals a probability that personal health information (PHI) was likely compromised, then the patients involved must be notified.  Third, the breach must be reported to HHS’s Office of Civil Rights (OCR).

This post explores the second step—notifying patients.  A future post will discuss the third step required if the risk assessment reveals a breach occurred.  Note, this post and series do not address state privacy laws or attendant state notification or reporting requirements upon a breach.  If you have questions regarding this blog post, conducting a HIPAA risk analysis, your reporting and notification requirements under HIPAA, or other privacy-related matters, you may contact us at (404) 685-1662 (Atlanta) or (706) 722-7886 (Augusta), or by email, info@hamillittle.com. You may also learn more about our law firm by visiting www.hamillittle.com.

Welcome to the first post in our three-part HIPAA Breach series! Our healthcare and business law firm often works with medical practices to determine whether an act involving patient privacy constitutes a violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requiring notification and reporting of any breach.  By law, a patient’s health information can only be used and disclosed for specific reasons.  When there is a risk that patient information has been accessed, used, or disclosed in a way that is not permitted, there may be a HIPAA violation.  More information about the HIPAA rules can be found on our website here and the U.S. Department of Health and Human Services’ (HHS) website here.  There are generally three initial steps a practice takes in the face of a potential HIPAA breach.  First, performing a risk assessment to determine whether a breach, in fact, occurred.  Second, if the risk assessment reveals a probability that personal health information (PHI) was likely compromised, then the patients involved must be notified.  Third, the breach must be reported to HHS’s Office of Civil Rights (OCR).

This post is the first of a three-part series on HIPAA breaches.  This post explains the first step—conducting the risk assessment.  Future posts will discuss the second and third steps required if the risk assessment reveals a breach occurred.  Note, this post and series do not address state privacy laws or attendant state notification or reporting requirements upon a breach.  If you have questions regarding this blog post, conducting a HIPAA risk analysis, your reporting and notification requirements under HIPAA, or other privacy-related matters, you may contact us at (404) 685-1662 (Atlanta) or (706) 722-7886 (Augusta), or by email, info@hamillittle.com. You may also learn more about our law firm by visiting www.hamillittle.com.

Our healthcare and business law firm frequently receives questions asking about telemedicine rules in Georgia.  This post intends to outline some relevant Georgia rules and regulations relating to telemedicine.  Our next post will consider the rules around prescribing based on a telemedicine consult and how COVID-19’s Public Health Emergency impacts those rules.  If you have questions about telemedicine rules and regulations or would like to discuss this blog post, you may contact our healthcare and business law firm at (404) 685-1662 (Atlanta) or (706) 722-7886 (Augusta), or by email, info@hamillittle.com. You may also learn more about our law firm by visiting www.hamillittle.com.

General Telemedicine Rules and Definitions

The Georgia Composite Medical Board (“Medical Board”) generally requires an in-person exam, but the Medical Board Rules allow telemedicine in certain situations.  To begin, the relevant definition of “telemedicine” is found in Georgia’s insurance code and defines “telemedicine” as:

By: Brian Field

With the ever-changing climate of technology, the Health Insurance Portability and Accountability Act (HIPAA) continues to make patient-centered modifications intended to protect personal health records. Key components of the most recent updates to HIPAA include a prohibition on withholding records.

The inspiration for the recent changes comes from the Office of Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS).  A goal of both entities is to protect the health of all Americans and ensure essential human services. The OCR continues to reinforce a focus on patients regarding health and health records by aiming to eliminate technical barriers and to reduce or eliminate costs to patients.

Following HIPAA law changes can be daunting, but if there is one thing to keep in mind, it is that HIPAA prioritizes patients. The information below is a snapshot of what you should know as you navigate health records storage for your patients before, during, and after their care with you has ended:

On May 1, 2020, the Centers for Medicare and Medicaid Services (“CMS”) published final rule CMS-9115-F known as the Interoperability and Patient Access final rule.  “This final rule is the first phase of policies centrally focused on advancing interoperability and patient access to health information.”  85 Fed. Reg. 25511.  CMS states that this rule “puts patients first by giving them access to their health information when they need it most, and in a way they can best use it.”  Policies and Technology for Interoperability and Burden Reduction, CMS.gov.  The rule requires coordinated communication between patients, providers, and payers.  These changes largely require the use of improved and updated technology, and CMS provides implementation support here.  Although many of the requirements under the final rule went into effect on January 1, 2021, because of the hardships posed by COVID-19, “CMS will not enforce these requirements until July 1, 2021.”  Id.

Payors carry the brunt of this regulatory change.  Without detailing all requirements under the rule, a few are as follows.  CMS-regulated payors must maintain a secure, standards-based application programming interface (API) that will support the exchange of patient electronic health information (“EHI”).  These payers must also maintain a patient-facing API allowing patients to access their EHI, including information about claims and costs, and make provider directory information publicly available through an API.  Further, payors are required to implement a process for exchanging data, which is not required until January 1, 2022.

Governed hospitals will soon have a duty to send event notifications of a patient’s hospital “admission, discharge, and/or transfer to another healthcare facility or to another community provider or practitioner” to “improve care coordination.”  Interoperability and Patient Access Fact Sheet, CMS.gov (Mar. 9, 2020).  CMS-regulated providers are encouraged to register all interoperability digital contact information through the National Plan and Provider Enumeration System (NPPES).  A list of providers who fail to do so will be publicly available as a way to incentivize compliance.  Landi, H., CMS’ New Interoperability Rule Requires Major Changes for Payers, Hospitals.  Here are 6 Key Elements, Fierce Healthcare (Mar. 9, 2020).