New technologies in healthcare means new risk to the security and privacy of patient health data. Though most healthcare companies and providers are aware of the need for internal data security, many may not be in compliance when sharing information with third parties. As providers and vendors find new and innovative ways to work together, the need for data sharing will only increase. It is critically important that all parties know when and how protected health information (PHI) is shared, and when patient authorization is required to do so.
The Cures Act is aimed at modernizing and personalizing healthcare by encouraging innovation and streamlining the process for discovery, development, and delivery of new treatments and technologies to those suffering from illness. Importantly, the legislation provides for significant funding to advance these goals, to the tune of $4.8 billion to the National Institutes of Health ("NIH"), $500 million to the Food & Drug Administration ("FDA"), and $1 billion in grants to states for opioid abuse prevention and treatment. This article will provide an overview of key components of the Cures Act and highlight implications for the future of healthcare.
On January 2, 2018, the Substance Abuse and Mental Health Services Administration (“SAMHSA”) issued a Final Rule, amending 42 C.F.R Part 2 (“Part 2”), creating new changes to the federal rules governing confidentiality and disclosures of patient substance use disorder (“SUD”) records for the first time since 1987. Part 2 protects the confidentiality of SUD records, which are subset of protected health information (PHI). This means that these records are subject to HIPAA, but are also protected by Part 2, which contains additional (and more stringent) federal protections. These overlapping standards can make the storage and disclosure of patient records administratively burdensome for healthcare providers, patients and their families. It is also a challenge for technology companies that store, analyze, and transmit patient records on behalf of providers and patients.
Earlier this year, a federally qualified health center, Metro Community Provider Network (“MCPN”) paid a $400,000 HIPAA breach penalty related to a 2011 phishing attack. In this attack, several MCPN employees had their email accounts hacked by a phisher who was able to gain access to about 3,200 individuals’ PHI.
In this third installment of NLG posts summarizing the new Virginia assisted living regulations, we cover notable changes to requirements for Electronic Records and eSignatures, Incident Reporting, and Reports of Abuse, Neglect, or Exploitation. These regulations are scheduled to take effect February 1, 2018, so keep checking back for THE LATEST from Nixon Law Group!