Michael Sutton is an associate in the Corporate Practice Group in the firm's Dallas office.

The Florida Legislature recently amended the Florida Electronic Health Records Exchange Act (the “Act”) to prohibit certain health care providers utilizing certified electronic health record technologies from storing qualified electronic health records[1] outside of the United States, its territories, or Canada.[2] Significantly, the prohibition also extends to qualified electronic health records that are stored through a third-party or subcontracted computing facility or cloud service provider.[3]

Continue Reading Florida Bans Offshoring of Certain Patient Information

Texas is joining a growing number of states in passing comprehensive privacy legislation intended to safeguard consumer personal data.[1] Specifically, the Texas Data Privacy and Security Act (the “Act”) adds protections for consumers[2] and their personal data, which includes any information that is linked or reasonably linkable to an identified or identifiable individual.[3]

Continue Reading Texas is Making Moves on a Comprehensive Consumer Privacy Law

The Centers for Medicare & Medicaid Services (“CMS”), on behalf of the U.S. Department of Health and Human Services (“HHS”), recently issued a proposed rule to adopt standards under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) for “health care attachment” transactions (the “Proposed Rule”). The Proposed Rule would implement requirements of HIPAA’s administrative simplification regulations, which are intended to support healthcare claims and prior authorization transactions while also introducing a standard format for electronic signatures to be used in conjunction with health care attachments.

Continue Reading CMS’s Administrative Simplification Rule Aims to Increase Efficiency and Standardization for Health Care Attachments

The once-novel medium of telehealth surged onto the stage as a common-sense solution to the COVID-19 pandemic. This surge was facilitated, in part, by certain flexibilities authorized by the Centers for Medicare & Medicaid Services in its response to the public health emergency (“PHE”) that was declared in March of 2020 and has been repeatedly renewed until now. On January 30, 2023, President Joe Biden announced that the PHE would end on May 11, 2023. As the curtains are drawn on the PHE, there can be no doubt that telehealth is here to stay. In light of that reality, it is essential that participants in the telehealth space understand what flexibilities will remain in play.

Continue Reading Telehealth in a Post-PHE World

Social media’s interplay with healthcare privacy presents a constantly evolving challenge. ICYMI (“in case you missed it”), there is an uptick in enforcement and scrutiny IRL (“in real life”) related to communications through social media and other public platforms by entities subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

Continue Reading ICYMI: HIPAA and Social Media IRL

Introduction

On December 29, 2022, President Biden signed the Consolidated Appropriations Act, 2023 (the “Act”). The Act provides for nearly $1.7 trillion in funding across a range of domestic

Continue Reading Key Healthcare Provisions of the Consolidated Appropriations Act, 2023

The U.S. Department of Health and Human Services (“HHS”) has announced proposed changes (the “Proposed Rule”) to 42 C.F.R. Part 2 (“Part 2”). While the Health Insurance Portability and Accountability Act (“HIPAA”) governs the privacy and security of protected health information generally, Part 2 specifically governs the medical records of federally assisted substance use treatment programs (“SUD Records”).

Continue Reading Proposal to Overhaul Privacy Law Governing Substance Use Disorder Treatment Records

As telehealth services surged in response to the COVID-19 pandemic, unique compliance challenges likewise developed in unexpected ways. Recognizing these challenges, the Office of Civil Rights (“OCR”) indicated that it would exercise its enforcement discretion by declining to impose penalties against covered health care providers for instances of good faith noncompliance with the requirements of the Health Insurance Portability and Accountability Act (“HIPAA”) in connection with the provision of telehealth services. In effect, a covered health care provider seeking to use audio or video communication technology to provide telehealth services during the public health emergency could do so with greater flexibility.

Continue Reading Office of Civil Rights Publishes Guidance on Use of Audio-Only Telehealth Services