The New Jersey Data Privacy Act (NJDPA) was enacted on January 16, 2024. Although PHI collected by a HIPAA CE or BA is excluded from the NJDPA HIPAA CEs and BAs are NOT wholly excluded from compliance with the NJDPA. Also, HHS’ recent problematic interpretation that IP addresses collected by a healthcare provider’s website may be PHI adds even more complexity in interpreting the NJDPA.
CMS Releases Hospital COP Event Notification FAQs; Interpretive Guidance
On May 1, modifications to the Medicare Conditions of Participation (“CoPs”) went into effect, requiring certain electronic event notifications for admissions, discharges and transfers (“ADTs”) to and from hospitals, critical access hospitals and psychiatric hospitals. To provide guidance to hospitals and state surveyors, CMS released several FAQs as well as interpretive guidance last week to be published in the State Operations Manual.
Hospitals are required to make a “reasonable effort” to ensure that notifications are sent to post-acute care services providers and suppliers, and other practitioners and entities, which need such notifications for treatment, care coordination or quality improvement. Under the new CoP, ADT notifications must be sent for all emergency department and inpatient patients where the hospital, critical access hospital or psychiatric hospital maintains an electronic medical record or administrative system.
Fifth Circuit Vacates $4.3M MD Anderson Penalty
The Court of Appeals for the Fifth Circuit vacated the $4.3M penalty imposed on M.D. Anderson as arbitrary, capricious and contrary to law.
CMS Extends Publication Deadline for Stark Law Changes
At the last hour, CMS extended the deadline for publishing much anticipated changes to the Stark Law. Originally expected for publication this past August, CMS extended the deadline to August 2021, noting that “… we are still working through the complexity of the issues raised by comments received on the proposed rule and therefore we are not able to meet the announced publication target date.” Together with the OIG’s counterpart rule, the proposed rules contain the potential for significant modernization of the Stark Law and Anti-kickback Statute as part of the “Regulatory Spring to Coordinated Care” as well as increased alignment and coordination between the two sets of laws.
Reminder: Hospital Hardship Applications Due September 1 for Medicare Promoting Interoperability Program
The extended deadline for hospitals to submit their hardship applications for the Medicare Promoting Interoperability Program is approaching. Hospitals have until September 1 to file for a hardship for the 2019 reporting period and avoid negative payment adjustments in 2021.
Moving Forward after Privacy Shield’s Invalidation
On July 16, the Court of Justice of the European Union (“CJEU”) invalidated the Privacy Shield, one of the primary mechanisms used by companies to lawfully transfer personal data outside of the European Union under the GDPR. Despite a prior adequacy determination in 2016, the CJEU found that shortcomings in the Privacy Shield, particularly U.S. security and surveillance laws and an ineffective Ombudsperson program, resulted in a failure to provide essentially equivalent protections to those afforded to individuals within the European Union.
Mind your Breach Insurance and Vendor Contracts
A preliminary class action data breach settlement involving UnityPoint Health should prompt health care organizations to take a second look at their breach insurance coverage as well as their contracts with vendors who process data on their behalf. Adequate cyber and breach insurance coverage is paramount and should be commensurate with the health care organization’s size, operations. Additionally, health care organizations should pay close attention to their vendor contracts, particularly limitation of liability clauses, hold harmless provisions and indemnification provisions in health IT and other contracts.
CMS Issues Telehealth Encounter Guidance for Quality Reporting Programs
New telehealth encounter guidance is available for the Promoting Interoperability Programs and Quality Payment Program. There are 42 telehealth codes eligible for inclusion within the eligible professional/eligible clinician eCQMs for the 2020 performance period. For the 2021 performance period, 39 telehealth codes would be eligible, however, there are also additional eCQMs identified as not eligible for telehealth encounters.
FDA issues COVID-19 Guidance for IRB Review of Expanded Access Requests; Updated Clinical Trial Conduct Considerations
The FDA has issued guidance for IRB review of individual patient expanded access requests, as well as updated guidance for managing clinical trials during the COVID-19 public health emergency. Originally issued in March, the FDA’s updated “Guidance on Conduct of Clinical Trials of Medical Products...
Bill Aimed at Regulating COVID-19 Notification Apps Introduced in the Senate
The Exposure Notification Privacy Act (“ENPA”) was introduced in the Senate on June 1 in an effort to regulate the growth of contact tracing applications and similar automated notification tracking. The ENPA aims to regulate websites, apps and similar services...
Changes on the Horizon for Part 2 Confidentiality Regulations
As part of its comprehensive COVID-19 response, Congress quietly passed through changes to the federal drug and alcohol confidentiality framework known as “Part 2” under the CARES Act, enacted on March 27. One of the more underreported components of the CARES Act, the changes do not completely overhaul the Part 2 regulations, however, they relax several restrictions that health care providers have struggled with, particularly in the electronic exchange and electronic health records (“EHR”) context (the “CARES Act Changes”).
CMS Continues COVID-19 Assistance for the Promoting Interoperability and Quality Payment Programs
As hospitals and providers continue to struggle in response to the COVID-19 pandemic, CMS has announced several efforts to provide assistance under the Promoting Interoperability Programs and Quality Payment Program.
For the Quality Payment Program, CMS had previously extended the deadline for MIPS eligible clinicians to submit data and reopened the application period for MIPS eligible clinicians to file for a hardship exception for the 2019 payment year. Additionally, CMS announced that any individual MIPS eligible clinician who did not submit data or which submitted data for only one performance category for the 2019 payment year by April 30 will automatically receive a neutral payment instead of a negative payment adjustment (this “extreme and uncontrollable circumstances” policy is not available to groups/virtual groups). If a MIPS eligible clinician is able to submit data, CMS noted that the data submission would override the automatic “extreme and uncontrollable circumstances” policy and the clinician could be eligible for negative, neutral or positive payment adjustments based on the data submission.
HHS Publishes Ransomware Guidance
HHS Publishes Ransomware Guidance HHS has published guidance for hospitals and other covered entities in light of recent prominent ransom attacks on hospital data. The Q&As address Security Rule safeguards which can prevent ransomware and other malware, and also assist in identifying,...
Moving Forward with Meaningful Use Stage 3 and MACRA
Moving Forward with Meaningful Use Stage 3 and MACRA A little over a month ago, CMS Acting Administrator Andy Slavitt delivered some unexpected news. Now that we effectively have technology into virtually every place care is provided, we are now in the process of ending Meaningful Use...
Terms and Conditions May Apply: Consequences of Email-Provider Email Scanning
Terms and Conditions May Apply: Consequences of Email-Provider Email Scanning This guest blog post was written by Van Zimmerman, Esq. Van is currently the Privacy and Security Officer at Jersey Health Connect, a New Jersey health information exchange network. Van has over 18 years experience in...