Articles Posted in HIPAA

Welcome to the third and final post in our three-part HIPAA Breach series! In the first post, HIPAA Breach Primer: Part 1—The Risk Assessment, we provided an overview of HIPAA requirements and how to conduct a Risk Assessment to determine the risk that a HIPAA violation occurred. In the second post, HIPAA Breach Primer: Part 2—Patient Notification, we outlined requirements and considerations when the rules require patient notification.

This post explores the last step—reporting the breach to the U.S. Department of Health and Human Services (HHS).  Note, this post and series do not address state privacy laws or attendant state notification or reporting requirements upon a breach.  If you have questions regarding this blog post, conducting a HIPAA risk analysis, your reporting and notification requirements under HIPAA, or other privacy-related matters, you may contact us at (404) 685-1662 (Atlanta) or (706) 722-7886 (Augusta), or by email, info@hamillittle.com. You may also learn more about our law firm by visiting www.hamillittle.com.

Timing of Report

If the Risk Assessment revealed that a HIPAA breach likely occurred, the next step is to think about what notice is required.  In addition to notifying impacted patients, the Covered Entity (or, in some circumstances, Business Associate) must report the breach to the Secretary of HHS.  If a breach affects 500 or more individuals, the timing for reporting to HHS is the same as for notifying patients—without unreasonable delay and in no case later than 60 days following a breach.


Welcome to the second post in our three-part HIPAA Breach series! In the first post, HIPAA Breach Primer: Part 1—The Risk Assessment, we provided an overview of HIPAA requirements and how to conduct a Risk Assessment to determine the risk that a HIPAA violation occurred. To recap, there are generally three initial steps a practice takes in the face of a potential HIPAA breach. First, performing a risk assessment to determine whether a breach, in fact, occurred. Second, if the risk assessment reveals a probability that personal health information (PHI) was likely compromised, then the patients involved must be notified. Third, the breach must be reported to HHS’s Office of Civil Rights (OCR).

This post explores the second step—notifying patients. A future post will discuss the third step required if the risk assessment reveals a breach occurred. Note, this post and series do not address state privacy laws or attendant state notification or reporting requirements upon a breach.


Welcome to the first post in our three-part HIPAA Breach series! Our healthcare and business law firm often works with medical practices to determine whether an act involving patient privacy constitutes a violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requiring notification and reporting of any breach. By law, a patient’s health information can only be used and disclosed for specific reasons. When there is a risk that patient information has been accessed, used, or disclosed in a way that is not permitted, there may be a HIPAA violation. More information about the HIPAA rules can be found on our website here and the U.S. Department of Health and Human Services’ (HHS) website here. There are generally three initial steps a practice takes in the face of a potential HIPAA breach. First, performing a risk assessment to determine whether a breach, in fact, occurred. Second, if the risk assessment reveals a probability that personal health information (PHI) was likely compromised, then the patients involved must be notified. Third, the breach must be reported to HHS’s Office of Civil Rights (OCR).

This post is the first of a three-part series on HIPAA breaches. This post explains the first step—conducting the risk assessment. Future posts will discuss the second and third steps required if the risk assessment reveals a breach occurred. Note, this post and series do not address state privacy laws or attendant state notification or reporting requirements upon a breach.


By: Brian Field


With the ever-changing climate of technology, the Health Insurance Portability and Accountability Act (HIPAA) continues to make patient-centered modifications intended to protect personal health records. Key components to the most recent updates to HIPAA include prohibition of records withholding.

The inspiration for the recent changes comes from the Office of Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS). A goal of both entities is to protect the health of all Americans and ensure essential human services. The OCR continues to reinforce a focus on patients regarding health and health records by aiming to eliminate technical barriers and reduce or eliminate cost to patients.

Following HIPAA law changes can be daunting, but if there is one thing to keep in mind, it is that HIPAA prioritizes patients. The information below is a snapshot of what you should know as you navigate health records storage for your patients before, during, and after their care with you has ended:


As a healthcare and business law firm, we assist many clinical laboratories in compliance and regulatory matters, and because of COVID-19, Georgia has seen a rise in the number of clinical laboratories. A compliance question faced by many of our clients, particularly those who conduct COVID-19 testing, is how to properly maintain and share patient records. Herein, we note some of the rules around retaining and sharing patient records under Georgia law for clinical laboratories.

Record Retention

Georgia Code, Title 31, Chapter 22 provides rules for Clinical Laboratories.  For entities that meet the definition of “clinical laboratory,” section 31-22-4(f) provides that “[r]ecords involving clinical laboratory services and copies of reports of laboratory tests shall be kept for the period of time and in the manner prescribed by the department.”  The department refers to the Georgia Department of Community Health (“DCH”).  DCH’s rules require reports of “all clinical laboratory services, including records of laboratory test requests and reports” to be retained for at least two (2) years for general laboratory records and quality control records, at least five (5) years for records of immunohematology and cytology, and at least ten (10) years for surgical pathology records.  Rule 111-8-10-.26.

Welcome to the third of our business and healthcare law firm’s holiday-themed blog posts. This week’s post is inspired by my favorite holiday movie, A Christmas Story, and the eloquent words Ralphie wrote: “A Red Ryder BB gun with a compass in the stock, and this thing which tells time.” Analyzing Ralphie’s literary genius, he gave Miss Shields three enticing facts: the main description, a vital component, and an interesting addition. Following suit, I will provide three enticing facts of CMS’ new proposed rule.

First, the shortened name of the rule is: “Reducing Provider and Patient Burden by Improving Prior Authorization Processes and Promoting Patients’ Electronic Access to Health Information.” According to CMS, the purpose of the proposed rule is “[t]o drive interoperability, improve care coordination, reduce burden on providers and payers, and empower patients.” The ingenuity of the proposed rule stems from the fact that it is not only designed to grant patients better access to their records; it is designed to grant all vital parties necessary access to records—meaning patients, payors, and providers.

Second, the new rule requires each payer to use an Application Programming Interface (“API”) that allows each payer’s system to communicate with other payers. The new rule also does not require patients to request the transfer of claims data.  As such, a patient’s new payer will have access to all of his or her claims data almost immediately upon enrollment. Importantly, on the new API, payers can send “patient claims, encounter data, and clinical data directly to providers[].” Verma, Seema, Reducing Provider and Patient Burden and Promoting Patients’ Electronic Access to Health Information, CMS.gov (Dec. 10, 2020). 

On April 6, 2020, Lee Hamil Little co-presented with Brian Tuttle, Navigating HIPAA and Telemedicine during COVID19.

The United States Office for Civil Rights (OCR) has issued new COVID-19 guidance on various aspects of its jurisdiction under both HIPAA and the federal civil rights laws. Many of these changes relate directly to telemedicine and relax some of the HIPAA Security and Privacy regulations. However, this DOES NOT mean we can just use any technology we want to; there are still guidelines. This in-depth 60-minute webinar discussed the do’s and don’ts relating to telemedicine during this national emergency caused by COVID19.

On October 16, the FDA’s Center for Devices and Radiological Health and Homeland Security’s Office of Cybersecurity and Communications announced a partnership to address cybersecurity issues related to the utilization of medical devices. As healthcare professionals continue to rely on computer-based systems to monitor and treat patients effectively, cybersecurity threatens providers and hospital systems. Confusion regarding the role of the FDA in medical device security, and questions about the accountability of manufacturers for security issues, are two of the key factors concerning health IT professionals. The possibility of potential threats continues to grow alongside the need for data management for network security. The FDA and HHS memorandum of agreement renews the agencies’ commitment to coordinate, identify, and address cybersecurity risks that pertain to patient safety by agreeing to communicate and share information about data being stored on medical devices.


In July 2017, Georgia passed House Bill 249, transitioning the state’s Prescription Drug Monitoring Program (PDMP) from the Drug and Narcotic Agency to the Department of Public Health. “The goal of the Georgia PDMP is to reduce the misuse of controlled substances and to promote proper use of medications used to treat pain, as well as to help diminish duplicative prescribing and overprescribing of controlled substances,” said Georgia Department of Public Health Commissioner Patrick O’Neal, MD. The new mandates call for providers to utilize the PDMP system for prescriptions of opioid and benzodiazepine medications. Now, prescribers of CII medications are required to review a patient’s PDMP information every 90 days, unless the patient meets specific criteria. Pharmacy Monitoring Systems are regulated by individual states, each imposing its own unique requirements for reporting.


Genetic testing companies, such as 23andMe, have become a craze in the United States within the last 10 to 15 years. 23andMe was formed with the purpose of informing its customers of their genetic health risks, carrier status, and ancestry information. After collecting DNA from saliva, the DNA is sent off to research labs that perform qualitative genotyping, the process of discovering variants in DNA. The genetic tests that 23andMe runs analyze the donor’s DNA, RNA, chromosomes, proteins, and metabolites to determine mutations and changes in chromosome structure. This genotyping allows the labs to discover the customer’s genetic information and background.

Many citizens remain wary of using such resources due to a fear that employers and health insurance companies will use the genetic information for discriminatory purposes. In 2008, the Genetic Information Nondiscrimination Act (GINA) was passed to combat this potential discrimination and protect those employees or insured persons.
