
HealtHITech Law

HIPAA, HITECH and Beyond

Ohio Medicaid to Cover Telemedicine

Posted in Legislation, Rulemaking, Telehealth/Telemedicine

Many thanks once again to our colleague, Sylvia Brown, for her assistance in authoring this post.

Last week, Ohio Governor John R. Kasich signed into law H.B. 123 (Gonzales, Watchmann), a bill to provide Medicaid coverage for telehealth services.  The law requires the state’s Medicaid department to establish standards for covering services that are provided through telehealth. 

The Department of Medicaid released its proposed standards quickly after the bill was signed into law.  The proposed rule, 5160-1-18, defines “telemedicine” as the direct delivery of services to a patient provided through synchronous, interactive and real-time electronic communication that includes both audio and video components.  The proposed rule excludes other means of electronic communication from this definition, such as electronic mail and telephone. 

The proposed rule would require that the physical location of the patient at which the telemedical service is provided (the “originating site”) be limited to one of five types of locations:  (1) the office of a medical doctor, doctor of osteopathic medicine, optometrist, or podiatrist; (2) a federally qualified health center (FQHC), rural health center (RHC), or comprehensive primary clinic; (3) an outpatient hospital; (4) an inpatient hospital; or (5) for services not included in the nursing facility per diem payment, a nursing facility.  The proposed rule prescribes no restrictions on the physical location of the practitioner (the “distant site”) other than that it be located not less than five miles from the originating site.

Notably, only medical doctors, doctors of osteopathic medicine or licensed psychologists will be able to provide and receive reimbursement for providing eligible services if the department’s rule, as proposed, is adopted.  This is much narrower than Medicare telehealth services, which may be provided by various types of practitioners, including physician assistants, nurse practitioners, and clinical social workers.

The proposed rule also provides that Medicaid will cover only evaluation and management services and psychiatry services provided through telehealth.  Claims for originating fees also may be submitted for payment by originating site providers but only by providers other than inpatient hospitals and nursing facilities.  For providers seeking payment for originating fees, the department will not also reimburse the provider for evaluative or management services provided to the patient on the same day.

The department’s proposed rule is available for public comment until March 4, 2014 and will be reviewed through the administrative rule review process.  If you would like to comment on the proposed rule, we are happy to assist.  We have experience advising providers on telehealth reimbursement, as well as the unique, complex, and evolving scope of practice issues related to telehealth.

New Access Rights to Lab Test Reports

Posted in Access Rights, Rulemaking

In an effort to further eliminate barriers to the exchange of health information and encourage a more active patient role in personal health care decisions, federal regulators have once again expanded HIPAA patient rights provisions. 

Last week, the U.S. Department of Health & Human Services Centers for Medicare & Medicaid Services (“CMS”), Centers for Disease Control and Prevention (“CDC”), and Office for Civil Rights (“OCR”) jointly published a final rule that will give patients or their personal representatives direct access to the patient’s completed laboratory test reports.  The final rule amends both the Clinical Laboratory Improvement Amendments of 1988 (“CLIA”) regulations and the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule to allow individuals and their personal representatives the right to access test reports directly from laboratories.

Current Access Rights to Lab Test Reports

CLIA regulations permit a CLIA laboratory to disclose laboratory test results to three categories of individuals or entities:  (1) the “authorized person,” (2) the person responsible for using the test results in the treatment context, and (3) the laboratory that initially requested the test.  “Authorized person” is defined as the individual authorized under state law to order or receive test results, or both.  In states that do not allow individuals to access their own test results, the individuals must receive their test results through their health care providers.

The Privacy Rule provides individuals and their personal representatives with a right of access to inspect and obtain a copy of protected health information (“PHI”) about the individual in a designated record set.  Laboratory reports maintained by or for a laboratory are part of the designated record set.  However, while individuals and personal representatives have the right to inspect and obtain a copy of their PHI in a designated record set, the current Privacy Rule includes exceptions related to CLIA.  Specifically, the access rights do not apply to PHI maintained by a covered entity that is (1) subject to CLIA to the extent the provision of access to the individual would be prohibited by law, or (2) exempt from CLIA.  These exceptions apply to test reports and other PHI only at CLIA and CLIA-exempt laboratories.

Expanded Access Provisions

Individuals and their personal representatives now will have the right to access their PHI directly from laboratories subject to HIPAA.  The final rule also removes federal barriers to direct access for laboratories not subject to HIPAA.

With respect to the CLIA regulations, the final rule permits laboratories subject to CLIA, upon the request of a patient or the patient’s personal representative, to provide access to completed test reports belonging to the patient.  The final rule retains the CLIA provision that requires the release of test reports only to “authorized persons,” the persons responsible for using the test reports, and to the laboratory that initially requested the test.  These CLIA modifications take effect April 7, 2014.

The final rule amends the Privacy Rule by removing the exceptions to an individual’s right of access related to CLIA and CLIA-exempt laboratories.  As a result, upon request, laboratories subject to HIPAA will be required to provide an individual or the individual’s personal representative with the individual’s completed test reports, as well as other information maintained in a designated record set, in accordance with the right of access provisions in the Privacy Rule.

Because this change in an individual’s access rights constitutes a material change to the privacy practices of HIPAA-covered laboratories, these laboratories must promptly revise their notice of privacy practices (“NPPs”).  Thus, by the compliance date of this final rule, HIPAA-covered laboratories must revise their NPPs to inform individuals of this expanded right, include a brief description of how to exercise this right, and remove any statements to the contrary.  In addition, HIPAA-covered laboratories must make their revised NPPs available in accordance with the Privacy Rule.

The compliance date of the final rule is October 4, 2014.



Dermatology Practice Hit With $150,000 HIPAA Penalty

Posted in Breach, Enforcement

2013 ended like it started – with OCR actively monitoring and enforcing health care provider HIPAA compliance.  On December 26, 2013, OCR imposed a $150,000 penalty and a corrective action plan upon a Massachusetts dermatology physician practice arising out of a self-reported HIPAA breach.   See Resolution Agreement.

In October 2011, Adult & Pediatric Dermatology, P.C. of Concord, Massachusetts notified OCR that an unencrypted thumb drive containing the PHI of approximately 2,200 patients was stolen from the vehicle of a staff member.  The thumb drive was never recovered.

OCR’s investigation revealed multiple HIPAA violations by the practice including (1) failure to perform an accurate and thorough risk analysis related to the potential risks and vulnerabilities of its ePHI, (2) failure to implement written HIPAA policies and procedures, and (3) failure to train workforce members on breach notification.

OCR Director Leon Rodriguez remarked: “As we say in health care, an ounce of prevention is worth a pound of cure.  That is what good risk management process is all about – identifying and mitigating the risk before a bad thing happens.  Covered entities of all sizes need to give priority to securing electronic protected health information.”

This most recent OCR enforcement action should serve as a reminder to all covered entities to take the following breach prevention precautions:

  • Conduct a thorough and accurate risk analysis that includes all mobile devices and media.
  • Encrypt all mobile devices and media which contain PHI.
  • Implement written HIPAA policies and procedures.
  • Train staff members on HIPAA compliance.


OIG Report Criticizes HIPAA Oversight

Posted in OCR Audits, Security

The HHS Office of Civil Rights (“OCR”) has failed to comply with the HITECH Act’s mandate to audit HIPAA covered entities and business associates, according to a recent report published by the HHS Office of Inspector General (“OIG”). The OIG said that OCR “had not assessed the risks, established priorities, or implemented controls for its HITECH requirement to provide for periodic audits . . . as a result, OCR had limited assurance that covered entities complied with the Security Rule[.]”  HIPAA compliance audits are here to stay, according to the OIG, whether OCR (and especially covered entities) like it or not.

Pilot Program

We previously reported on the HITECH Audit Program established in 2011.  At the time of that post, 20 audits had been completed, with another 95 covered entities to be audited by the end of 2012.  These 115 audits have been the only HITECH-mandated audits conducted by OCR.  47 health plans, 61 health care providers, and 7 clearinghouses were audited.  Several clear trends emerged from the Pilot Program, notably, that health care providers had greater compliance gaps than health plans and clearinghouses, and audits revealed proportionally more findings of noncompliance at smaller providers.

Although the Pilot Program seems to have been a relative success, its momentum has stalled.  According to OCR, budgetary constraints are to blame.  In its comments to the preliminary OIG report, OCR noted that the funding for the Pilot Program expired in 2012, preventing it from undertaking any more audits.

Looking Ahead

Notwithstanding the expiration of funds designated for audits, the Report recommends that OCR provide for periodic audits in accordance with HITECH to ensure Security Rule compliance at covered entities.  The Pilot Program was a nice start, but it is not enough, according to OIG.  As a result, it seems likely that OCR will be forced to re-prioritize auditing internally, and possibly use this Report as a vehicle to obtain additional funding.  The law requires the audits to be on-going.  As HIPAA covered entities continue to work toward establishing an environment of HIPAA compliance, this Report serves as another reminder that protecting the privacy and security of health information must be a priority.

Legislation Would Permit Hidden Cameras In Nursing Homes

Posted in Legislation

Many thanks to our colleague, Robin Amicon, for submitting the following guest post.

New legislation was introduced in the Ohio House of Representatives that would give nursing home residents the right to install and use electronic monitoring devices in their rooms in order to capture incidents of abuse or neglect.  House Bill 298, introduced on October 16, 2013, would add a provision to Ohio Revised Code Section 3721.13 of the Nursing Home Residents’ Bill of Rights that would specifically permit such practice.  The bill would also revise Section 3721.18 of the Ohio Revised Code to specifically provide that the Attorney General can use hidden cameras in investigating abuse or neglect allegations of nursing homes.

The legislation was introduced by Reps. Mike Duffy and Michael Stinziano following the ordered closure of a Zanesville nursing home earlier this year after authorities used hidden cameras as part of their investigation of the facility.

Proponents of the law say that House Bill 298 will help to ensure that nursing home residents are able to use recording devices to protect themselves.  However, House Bill 298 raises serious concerns about potential privacy violations.  Both state and federal law provide nursing home residents various rights of privacy.  For example, the Nursing Home Residents’ Bill of Rights also mandates the right to privacy during medical examinations and treatment.  Such rights to privacy could be undermined by the presence of hidden surveillance cameras, especially for residents’ roommates who would be captured by such cameras and who have not consented, or would not consent, to such videotaping.

The House Judiciary Committee was set to take its first look at the legislation last week.  We will continue to monitor the legislation and will provide updates as they occur.

Telehealth Legislation Would Provide Financial Incentives for Adoption, Increased Use

Posted in Legislation, Telehealth/Telemedicine

Many thanks to our colleague, Sylvia Brown, for submitting the following guest post.

Healthcare providers will be able to receive financial incentives under Medicare and Medicaid for providing telehealth services to patients if recently proposed federal legislation becomes law.  The Telehealth Enhancement Act of 2013, H.R. 3600, contains financial incentives tied to some of the Medicare and Medicaid programs’ most costly services, such as hospital readmissions and labor and delivery services.

The bi-partisan group sponsoring the legislation includes Reps. Gregg Harper (R-MS), Mike Thompson (D-CA), Devin Nunes (R-CA) and Peter Welch (D-VT).  The sponsors’ stated goal is to reduce unnecessary costs and achieve better health outcomes through promoting and expanding the application of telehealth under both Medicare and Medicaid.

Many of the legislation’s financial incentives are built on existing payment models found in the Medicare and Medicaid programs.

Under the proposed Medicare program changes, certain hospitals will be able to share in the savings produced if the hospital’s readmissions ratio (risk adjusted, expected readmissions in relation to its actual readmissions) is positive.  In addition, Medicare accountable care organizations will be permitted to cover telehealth and remote patient monitoring services as supplemental health care benefits to the same extent as a Medicare Advantage plan.  Telehealth and remote patient services also will be added to the list of applicable services available through the Bundled Payments for Care Improvement initiative, the Affordable Care Act’s national pilot program on payment bundling.

Changes to the Medicaid program would include permitting states to change their existing programs to include payments to health care professionals that operate as a “birthing network.”  Payments to “birthing networks” that provide medical assistance for maternal-fetal and neonatal care can be made up of bundled payments, performance incentives and shared savings.

If the bill is enacted, these new financial incentives will make it easier for Medicare and Medicaid telehealth providers to create innovative service delivery lines for existing and new patients.  The ability to secure these federal incentives will be critical to furthering the growth in the remote delivery of healthcare services.

We will continue to monitor the legislation, and provide any updates as they occur.

Employee Sentenced to 3 Years for Violating HIPAA

Posted in Enforcement

A nursing assistant at a Florida assisted living facility was sentenced last week to 37 months in prison for violating HIPAA’s prohibition on the wrongful disclosure of patient health information.  The employee negotiated the sale of Social Security numbers with an undercover Tampa police detective.  According to the criminal complaint, the employee obtained information from the assisted living facility patient records.

Since the enactment of HITECH in 2009, the vast majority of HIPAA enforcement has been initiated by the Department of Health and Human Services Office of Civil Rights, resulting in civil penalties and corrective action plans.  This prosecution serves as a reminder that HIPAA contains severe criminal penalties as well.  A person who knowingly uses, obtains, or discloses individually identifiable health information with the intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm shall be fined not more than $250,000 and/or imprisoned for up to 10 years.  42 USC 1320d-6.

You can read the entire article from the Tampa Bay Times here.

HIPAA Security Risk Analysis: Fact or Fiction?

Posted in Meaningful Use, Security

Leading up to the recent compliance date for the Final HIPAA Rule, much was made about the need for providers to perform a security risk analysis.  Quite a bit of dialogue around the increased security compliance obligations centered on the security risk analysis as a foundational requirement of HIPAA.   Although this is not a new requirement, heightened HIPAA enforcement and increased penalties, movement toward EHRs, and Meaningful Use requirements have forced providers to focus more resources on assessing their security risks.

To assist providers in performing their risk analyses, we thought it would be helpful to share some recent guidance from the Office of the National Coordinator for Health Information Technology (“ONCHIT”) which helps clarify some misperceptions surrounding this HIPAA security compliance requirement.  Set forth below are the ONCHIT’s “Top Ten” myths of security risk analysis.


OCR Issues Guidance on Refill Reminder Exception to HIPAA Marketing Rule

Posted in Enforcement, Rulemaking

Prompted by litigation filed by Adheris[1] as well as concerns raised by consumer advocates and health care stakeholders regarding the viability of prescription refill reminder programs under HIPAA’s stricter marketing prohibitions, on September 19, 2013, OCR issued additional guidance regarding the scope of HIPAA’s refill reminder exception.  Notably, OCR also delayed enforcement on this issue until November 7, 2013.

The Final Omnibus HIPAA Rule finalized HITECH’s limitations on the use and disclosure of PHI for marketing purposes.  With limited exceptions, HIPAA requires an individual’s written authorization before his or her PHI can be used or disclosed for marketing.  HIPAA defines marketing to mean communications that are paid for by the manufacturer of the product or service being promoted in the communication.  45 C.F.R. § 164.501.

Refill reminders, which were expressly excluded from HIPAA’s definition of “marketing,” have been defined as reminders or other communications about a drug or biologic that is currently being prescribed for the individual, provided that financial remuneration received by the covered entity in exchange for making the communication, if any, is reasonably related to the covered entity’s cost of making the communication.  See 45 CFR 164.501.   Financial remuneration means payment to a covered entity (or business associate, if applicable) from or on behalf of a third party whose product or service is being described.  Financial remuneration does not include non-financial or in-kind benefits. 78 Federal Register at 5596.

Thus, there is a two-step analysis in determining whether a communication falls within the refill reminder exception to marketing:

  • Is the communication about a currently prescribed drug or biologic?
  • Does the communication involve financial remuneration, and if so, is the financial remuneration “reasonably related” to the cost of making the communication?

Notwithstanding this refill reminder exception to HIPAA’s marketing definition, concerns arose following issuance of the Final Omnibus HIPAA Rule in January 2013 that HHS commentary on the refill reminder exception had construed it too narrowly, and thus would render refill reminder programs financially untenable to the detriment of patients.  In its commentary, HHS had stated that any financial remuneration received by a covered entity for conducting a refill reminder program that covered anything other than the cost of “drafting, printing and mailing refill reminders” could trigger HIPAA’s authorization requirement.  78 Federal Register at 5597.

The guidance issued by OCR on September 19, 2013, however, expands and clarifies the scope of the refill reminder exception, and specifically authorizes covered entities to outsource their prescription refill reminder and medication adherence programs to third parties, and to pay them for these services.  Below is a summary of the guidance which OCR has issued related to each of these aspects of the exception:

1. Is the Communication about a Currently Prescribed Drug or Biologic?

Yes, the communication is about a currently prescribed drug or biologic:

  • Refill reminders.
  • Communications about generic equivalents of a drug being prescribed.
  • Communications about a recently lapsed prescription (one that has lapsed within the last 90 calendar days).
  • Adherence communications encouraging individuals to take prescribed medicines as directed.
  • Where an individual is prescribed a self-administered drug, communications regarding all aspects of a drug delivery system.

No, the communication is not about a currently prescribed drug or biologic:

  • Communications about specific new formulations of a currently prescribed medicine.
  • Communications about specific adjunctive drugs related to the currently prescribed medicine.
  • Communications encouraging an individual to switch from a prescribed medicine to an alternative medicine.

2. Does the Communication Involve Financial Remuneration, and If So, Is It Reasonable?

Within the exception (no remuneration, or remuneration that is reasonably related to the cost of the communication):

  • Communication does not involve remuneration.
  • Communication involves only non-financial or in-kind remuneration, such as supplies, computers, or other materials.
  • Communication involves only payment from a party other than the third party (or other than on behalf of the third party) whose product or service is being described in the communication, such as payment from a health plan.
  • Remuneration involves payments to the covered entity by a pharmaceutical manufacturer or other third party whose product is being described that cover the reasonable direct and indirect costs related to the refill reminder or medication adherence program, or other excepted communications, including labor, materials, and supplies, as well as capital and overhead costs.
  • Remuneration involves payments to a business associate assisting a covered entity in carrying out a refill reminder or medication adherence program, or to make other excepted communications, up to the fair market value of the business associate’s services.  The payments may be made by a third party whose product is being described directly to the business associate or through the covered entity to the business associate.

Outside the exception:

  • Communication involves financial remuneration other than as described above.

In addition to this framework, HHS also provided specific examples of permitted communications and thoughtful answers to a list of “Frequently Asked Questions.”  This guidance (as well as the delayed enforcement date) should put the refill reminder exception concerns to rest, as well as ensure that these programs – many which have a very positive impact on patient care – will continue.


[1] In Adheris, Inc. v Kathleen Sebelius et al., filed in the United States District Court for the District of Columbia on September 6, 2013, Adheris, a provider of prescription adherence and refill communications, had sought a preliminary injunction against the enforcement of the HIPAA Omnibus Final Rule’s refill reminder exception to HIPAA’s marketing rule.  Adheris claimed that OCR’s regulations limiting remuneration to “reasonably related costs” of making such communication violated its First Amendment rights and misconstrued provisions of the HITECH Act.


One Month and Counting: HIPAA’s Compliance Date is September 23, 2013

Posted in Enforcement

We are in the home stretch in the race to the September 23 compliance deadline.  With only one month to go, whether you are a covered entity or a business associate, you should be nearly finished with your HIPAA compliance checklists.  These checklists should look something like this:

To Do

  • Perform or update a risk analysis to assess the potential risks and vulnerabilities of electronic PHI.  This is a foundational requirement that is the basis for implementing safeguards and policies that comply with the HIPAA Security Rule.
  • Review and update your HIPAA policies and procedures, including encryption policies, portable electronic device policies, texting policies, BYOD policies, social media policies and telecommuting policies.
  • Update your Notice of Privacy Practices.
  • Train (and re-train) all employees regularly to comply with your HIPAA policies and procedures.
  • Encrypt, encrypt, encrypt.
  • Develop a breach response plan to ensure a uniform and effective response to any data incident.
  • In the event of an incident involving the unauthorized access or disclosure of PHI, timely correct the issue, document every step of your investigation into the incident, and critically analyze and document your decision whether or not the incident has a low probable risk of harm based upon HIPAA’s four factor risk assessment.
  • Clearly define breach notification obligations (i.e., reporting, notification, monitoring, indemnification) in all business associate relationships.
  • Update all new business associate agreements (in place after January 26, 2013) before the September 23, 2013 deadline.
  • Update all existing business associate agreements (in place prior to January 26, 2013) before the September 23, 2014 extended deadline.
  • Purchase data breach insurance and include data breach insurance obligations in your business associate agreements.

If you are well underway, finish strong!  If you have not started, get started!  Making a reasonable effort to comply will go a long way with OCR; burying your head in the sand will not.