A recent study of the individual health insurance market shows that most of the policies sold fall short of requirements for participation in state Insurance Exchanges.   The Affordable Care Act requires the states to establish health insurance marketplaces by 2014 where individuals can purchase health insurance, if they are not covered under an employer sponsored plan, or if their employer’s plan fails to provide certain minimum benefits at an affordable cost.  The Center for Medicare and Medicaid Services (“CMS”) has issued rules establishing the level of benefits that must be offered by insurers who participate in these state health insurance exchanges. A study supported by The Commonwealth Fund and published online in the Journal of Health Affairs on Wednesday, May 23, 2012, shows that the majority of individual health plans currently available fail to reimburse health care expenses at a level sufficient to qualify for participation in health insurance…       Read More

The IPAB (Independent Payment Advisory Board) has been at the heart of much of the health care reform rhetoric coming from both parties in Congress, and it has featured prominently in the run up to the November presidential election.  The IPAB has been described by the Obama Administration and Democratic supporters as a “backstop” to prevent escalation of federal healthcare costs.   It has been cited by opponents as support for the assertion that the healthcare reform package mandates rationed care or even so-called “death panels”.  Opponents have strongly criticized the lack of accountability for the IPAB, which would be an appointed not elected body.  The IPAB has not had any practical impact at this point, but it looms in the future.  The Congressional Budget Office (“CBO”) has recently projected a $3.1 Billion price tag for the IPAB.   The Administration and the Democratic Congressional leadership has been insisting that the Republicans…       Read More

Additionally, the investigation should include determining the process undertaken in disclosing the information and any security provided by the receiving entities. Any agreements that the entities have in place would be relevant and should be obtained if possible and retained for your records. Of course, securing the information previously disclosed is the most important part of the mitigation process.  The covered entity should be sure to obtain documentation in this regard.  A letter from each recipient would likely suffice, but a better option would be to include a provision within an agreement with the recipients warranting that the information has been returned.  This can be included in the same agreement as referenced in our next mitigating step. OCR recommends that the disclosing entity obtain the recipient’s satisfactory assurances that the information will not be further used or disclosed. This can be accomplished verbally as mentioned above but should also be…       Read More

It is important to remember that, in the event of a use or disclosure in violation of the Privacy Rule, the disclosing covered entity will have the burden of demonstrating that all notifications were made as required by HIPAA or that the use or disclosure did not constitute a breach. Thus, the covered entity will have the burden of demonstrating that no “breach” has occurred as defined under the regulations. Accordingly, the covered entity must document the steps taken so that they can demonstrate, if necessary, that no breach notification was required following an impermissible use or disclosure of PHI. 74 FR 42740, 42746. Prior to performing the risk assessment, though, the covered entity should attempt to mitigate the harm to the individuals.  OCR stated in its guidance that covered entities should take immediate steps to mitigate an impermissible use or disclosure. OCR recognizes that there may be circumstances where…       Read More

At first glance, this seems to require notification for each use or disclosure that is inconsistent with HIPAA.  However, notification is only needed where the breach is of “unsecured” PHI.  This means only the disclosure of PHI that was not encrypted is subject to the notification requirements.  Unfortunately, most smaller providers are not utilizing encryption methodologies in their transmissions of PHI. Therefore, when they have a security incident, they must move on to the next part of the analysis. Additionally, notification is only required when the disclosure meets the definition of a “breach” of PHI.  The Office of Civil Rights (OCR), the enforcement agency that drafted the regulations, recognized that there was no need for notification in every instance of improper use or disclosure.  OCR noted that failing to include a harm threshold would diminish the impact of notifications received by individuals.  If a threshold was not included individuals might…       Read More

Today’s healthcare industry is becoming increasingly more computerized.  With the advent of PDAs, smart phones, and lap tops, the occurrence of security breaches has dramatically increased across all sectors of healthcare. One of the more common issues being faced by large and small covered entities alike is what to do in the event one of these items is lost or stolen. The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009 and became effective September 23, 2009.  The HITECH Act includes a breach notification requirement that requires covered entities and their business associates to provide notification to multiple parties following a breach of unsecured protected health information. Whenever any electronic device is lost or stolen, the covered entity likely has a security incident on their hands that may breach their…       Read More

Federal and state regulation of health care providers, suppliers, and other industry participants has become increasingly complex in recent years. On top of this, enforcement tactics of government agencies can be both confusing and intimidating for these organizations. Our Health Care Practice Group focuses on guiding clients through the compliance maze, helping all varieties of care companies understand and manage their approach to patient care within government standards. Lawyers in the Health Care Group of Hall Booth Smith & Slover also have extensive experience in business litigation, administrative hearings, and alternative dispute resolution involving health care companies. Because the implementation of regulations and policy are the direct result of federal and state political processes, the Health Care Group also provides legislative strategy, drafting, and interpretation services to its clients.