On January 7, 2016, the HHS Office for Civil Rights released guidance on individuals’ right to access health information under the HIPAA Privacy Rule. The guidance clarifies areas of confusion and non-compliance by covered entities and business associates, particularly in light of the proliferation of electronic health records and electronic health information. Areas of emphasis

Our colleagues at Data Law Insights have written about the HHS Office of Civil Rights’ $750,000 settlement with the University of Washington Medicine (“UWM”) announced this week.  This third settlement in as many weeks confirms that the security risk analysis continues to be a linchpin of OCR enforcement under the HIPAA Security Rule.  Indeed, the

Last week, the HHS Office of Civil Rights (OCR) announced a settlement that has far-reaching implications on the importance of complying with the HIPAA Security Rule where medical devices create and maintain electronic protected health information (ePHI).  See Data Law Insights for a post authored by Jodi Daniel, Elliot Golding, and Stephanie Willis for more

Health insurers will be expected to establish security protocols for protecting consumer information from data breaches.  The National Association of Insurance Commissioners recently adopted principles to guide both insurers’ data protection activities and data breach notification policies, and regulatory oversight of those practices.


On February 13, the Departments of Health and Human Services (“HHS”), Labor (“DOL”) and Treasury (collectively, the “Departments”) issued Part XXIII of their FAQs about Affordable Care Act implementation. This latest FAQ provides additional guidance regarding “excepted benefits,” i.e., benefits that are exempt from the portability rules under HIPAA as well as various requirements under ERISA (including MHPAEA) and the ACA, including the ACA’s market reforms (such as the prohibition on lifetime and annual limits, etc.). Specifically, the FAQ focuses on a subcategory of excepted benefits known as “supplemental excepted benefits,” which generally are benefits provided under a separate policy, certificate or contract of insurance which are designed to “fill gaps” in primary coverage.

The FAQ notes that, in determining whether insurance coverage sold as a supplement to group health coverage can be considered “similar supplemental coverage” (and hence an excepted benefit), they will continue to apply four criteria previously set forth by the Departments in subregulatory guidance issued in 2007 and 2008:

  1. The policy, certificate, or contract of insurance must be issued by an entity that does not provide the primary coverage under the plan;
  2. The supplemental policy, certificate, or contract of insurance must be specifically designed to fill gaps in primary coverage, such as coinsurance or deductibles;
  3. The cost of the supplemental coverage may not exceed 15 percent of the cost of the primary coverage; and
  4. Supplemental coverage sold in the group insurance market must not differentiate among individuals in eligibility, benefits or premiums based upon any health factor of the individual (or any dependents of the individual).

Continue Reading DOL, HHS & Treasury Issue Additional Guidance Regarding Excepted Benefits

Crowell & Moring’s 2015 Litigation and Regulatory Forecasts provide an in-depth look at the trends in the courts and in the regulatory agencies, both inside the Beltway and beyond, that will impact business in the coming year.

The Litigation Forecast examines the latest litigation developments facing companies in areas ranging from health care and antitrust

New Jersey Senate Bill No. 562 (“SB 562”), signed into law on January 9, 2015, will require health insurance carriers authorized to issue health benefits plans in New Jersey to encrypt personal information. The law applies to personal information maintained in “end user computer systems and computerized records transmitted across public networks” beginning on August 1, 2015. As this law indicates, states are increasingly using consumer protection and unfair trade practice acts to impose and enforce privacy and security requirements. SB 562 therefore provides yet another example of how health care industry stakeholders must always account for state laws when implementing health care data security policies and procedures.

New Jersey is only the second state to explicitly impose encryption requirements, following Massachusetts (see Mass. Gen. Laws ch. 93H and related regulations). Although the Health Insurance Portability and Accountability Act (HIPAA) has long specified that encryption is an “addressable” requirement, the Department of Health and Human Services (HHS) has also increasingly appeared to treat encryption as a strict requirement in recent enforcement actions. Together, these new laws and enforcement actions show that the trend toward encryption is growing even stronger.

Three elements of the law bear mentioning. First, SB 562’s definition of “end user computer systems” broadly includes desktops, laptops, tablets or other mobile devices, or removable media. Although SB 562 states that it shall only apply to such end user computer systems and computerized records transmitted across public networks, it is unclear whether the definition of public networks includes those records maintained in cloud storage (particularly private cloud environments).

Second, the encryption requirement broadly applies to combinations of an individual’s first name (or first initial) and last name linked with (1) a Social Security number; (2) driver’s license number or state identification card number; (3) address; and/or (4) individually identifiable health information as defined under 45 C.F.R. § 160.103.

Finally, health insurance carriers who violate the provisions of SB 562 may be subject to enforcement penalties of up to $10,000 for a first offense and $20,000 for all subsequent offenses under the New Jersey Consumer Fraud Act. In addition, the state Attorney General may issue cease and desist orders to violators and demand the award of treble damages and costs to individuals whose data is not encrypted in accordance with SB 562’s requirements.

Continue Reading New Jersey Becomes Second State to Require Encrypting Certain Personal Information

This year Crowell & Moring’s Healthcare Ounce of Prevention Seminar (HOOPS) will focus on important legal and regulatory developments and their impact on the healthcare industry. Join us on October 27th and October 28th in Washington, DC as our healthcare attorneys and outside speakers share their perspectives on the latest developments in areas of interest

On October 2, 2014, the FDA released a set of comprehensive guidelines governing the Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. The guidelines are intended to provide direction for manufacturers of medical devices on how to appropriately safeguard devices from a potential security breach, particularly in light of the sensitive

Continuing to usher in a new wave of EHR technology changes, on September 11, 2014, the Office of the National Coordinator for Health Information Technology (“ONC”) adopted the “2014 Edition Release 2” final rule, which provides alternative criteria and approaches for the voluntary certification of health information technology. The final rule, effective October 14, 2014, introduces regulatory flexibilities and general improvements to the certification processes.

First, the rule adopts a new (albeit smaller) subset of optional EHR Certification Criteria. Of the 57 proposed certification criteria in the February 26, 2014 notice of proposed rulemaking, the final rule adopts only ten optional and two revised EHR Certification Criteria. The Certification Criteria changes include:

Continue Reading ONC Announces New EHR Certification Criteria