On May 31, 2011, the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) issued a notice of proposed rulemaking (NPRM) that would allow individuals to obtain an “access report” from HIPAA covered entities reporting virtually every instance of access to their electronic protected health information (ePHI), including all access by individual employees. The proposed access report must reflect the full name of every person or entity that accessed an individual’s ePHI (if maintained in a designated record set) in the prior three years.
An express purpose of this proposal is to allow individuals to identify situations in which a member of a covered entity’s workforce inappropriately accessed their ePHI. Individuals can then file a complaint with the OCR claiming improper employee access to ePHI.
In a recent case, the OCR entered into an $865,000 settlement with the University of California at Los Angeles Health Systems (UCLAHS) after investigating celebrity complaints of potential inappropriate ePHI access by UCLAHS employees. The investigation led to OCR allegations that UCLAHS employees repeatedly accessed ePHI of many patients, including several celebrity patients, when they did not have any job-related need to access the data, and that UCLAHS failed to implement security controls to reduce the risk of impermissible access, failed to provide Security Rule training, and failed to apply appropriate sanctions against workforce members who violated UCLAHS policies and procedures.
In the NPRM, OCR stated that it believes the degree of access logging required in the new access report is currently being captured and stored by covered entities’ electronic information systems because OCR interprets HIPAA’s audit controls standard (45 C.F.R. § 164.312(b)) and information system activity review implementation specification (45 C.F.R. § 164.308(a)(1)(ii)(D)) to require that all such access be logged, including “view” or “read only” access. However, this interpretation of the Security Rule is much broader than many had believed, and the NPRM has already come under criticism as a result. If the new rule is implemented as proposed, many covered entities will incur significant unexpected costs related to systems modifications, data storage (access logs must be retained for three years), training, privacy notice revision and redistribution, and response to individual requests.
Business associates will have to undertake a similar degree of implementation to provide covered entities with access logs relevant to the access report, and covered entities will need to consider updating their business associate agreements to reflect this requirement. Individual privacy complaints filed with covered entities and OCR may well increase if this new rule is adopted, either because covered entities will fail to provide the access report completely or in a timely manner, or because individuals reviewing their access report will find real or (more likely) perceived cases of inappropriate access to their records.
© 2019 Poyner Spruill LLP. All rights reserved.