HIPAA Violation Costs Rite Aid $1 Million

How much does it cost to violate HIPAA? For drug store chain Rite Aid Corporation, the answer is $1 million. Today, HHS announced that Rite Aid will pay a $1 million fine, implement a corrective action program, and sign a consent order with the Federal Trade Commission to resolve a coordinated HHS/FTC investigation. The investigation was triggered by television media outlets capturing images of prescription bottles containing protected health information that had been improperly disposed of in trash containers accessible to the public. Even after Rite Aid pays the fine, it will feel the effects of its non-compliance for a long time to come: the FTC consent order will remain in place for 20 years.

HHS issues final regulations on "meaningful use"

Final regulations on "meaningful use" of electronic health records were released today by HHS. The 863-page rule specifies the initial criteria that hospitals and physicians must meet to obtain incentive payments under the American Recovery and Reinvestment Act (ARRA) for their use of EHRs. The regulations will be published in the Federal Register on July 28, 2010.

New OCR Rule Strengthens HIPAA Requirements

Yesterday the Office for Civil Rights (“OCR”) released a Proposed Rule modifying the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) requirements. OCR issued this Proposed Rule pursuant to the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. The Proposed Rule will not be published in the Federal Register until July 14, 2010, and there will be 60 days from that date to comment.

More specifically, this Proposed Rule modifies and strengthens the HIPAA Privacy Rule, Security Rule, and Enforcement Rule as well as the penalties and investigation provisions. The most notable changes include the following:

  • The requirements of the Privacy Rule and Security Rule will apply to business associates in the same manner they currently apply to covered entities.
  • Subcontractors of business associates will be considered business associates, and the business associate must obtain “satisfactory assurances” through a contract or other arrangement that the subcontractor will comply with the applicable privacy and security requirements. 
  • There will be new limitations on the use and disclosure of protected health information (“PHI”) in marketing and fundraising, including a requirement that individuals be given opportunities to opt out of receiving marketing or fundraising materials without any impact on their future treatment.
  • Covered entities and business associates will be prohibited from selling an individual’s PHI without that individual’s authorization, and covered entities will not be allowed to coerce patients into authorization by conditioning treatment, payment, enrollment, or eligibility for benefits on authorization.
  • The Proposed Rule expands patients’ rights by allowing patients to request that a covered entity restrict uses or disclosures of their PHI, and by giving patients greater access to copies of their electronic health records.
  • Covered entities’ Notice of Privacy Practices given to patients must include additional information, such as the authorization requirements described above.
  • Penalties for violations of HIPAA privacy and security requirements will be increased to a maximum of $1.5 million per calendar year for violations of an identical requirement or prohibition.
  • The Proposed Rule defines the terms “reasonable cause,” “reasonable diligence,” and "willful neglect,” which provide the basis for the various categories of liability under the Enforcement Rule.
  • Covered entities will have certain identified responsibilities during complaint investigations and compliance reviews.

HHS Launches New Website - HealthCare.gov

There is a brand new resource for navigating health care reform: a website managed by HHS called HealthCare.gov. According to the website, it is "designed to help you take control over your health care and make the choices that are right for you." Currently, the content is focused on four primary areas: finding health insurance options, learning about preventive health care, comparing hospital quality, and learning more about the Affordable Care Act. HHS acknowledges that the site is a work in progress and welcomes user comments to improve it and make it more useful for the public. This coming October, look for the website to include private health insurance pricing information.

Red Flags Rule Enforcement Postponed until Court Ruling

The Federal Trade Commission (“FTC”) and several medical associations have agreed to a joint stipulation under which the FTC will not enforce its Red Flags Rule against physician members of those associations until the DC Circuit rules on the American Bar Association’s pending action challenging the Red Flags Rule. The FTC has already announced that it will again delay the general compliance deadline for the Red Flags Rule until December 31, 2010; this stipulation may further extend the compliance deadline for physicians in the medical associations and state medical societies referred to in the case.