Photo of Vinay Bhupathy

Vinay Bhupathy is a member of the firm’s healthcare practice team and an associate in the Corporate Practice Group in the firm’s Century City office.

On May 6, 2021, the comment period for the proposed modification to regulations implementing the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule and Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”) closed.  The Office for Civil Rights (“OCR”) at the Department of Health and Human Services (“HHS”) issued its initial request for information in December 2018, subsequently released the Notice of Proposed Rulemaking (“NPRM”) to the public on December 10, 2020, and published the Proposed Rule in the Federal Register on January 21, 2021 (the “Proposed Rule”).  After a significant degree of public interest in providing input on the proposals, OCR extended the comment period from its original end date of March 22, 2021 to May 6, 2021.
Continue Reading HIPAA Privacy Rule Modification – Removing Barriers and Promoting Coordinated Care at What Cost?

In an effort to provide additional relief to a health care system strained by the COVID-19 pandemic, the Office of the National Coordinator for Health IT (“ONC”) released an Interim Final Rule with Comment Period (“IFC”) on October 29, 2020 that extends the compliance dates under the 21st Century Cures Act Interoperability, Information Blocking, and ONC Health IT Certification Program Final Rule (the “Final Rule”) and offers some technical corrections and clarifications.
Continue Reading Office of the National Coordinator for Health IT Extends Compliance Deadlines under Interoperability Final Rule

The Supreme Court issued a long-awaited ruling on April 27, 2020, directed at a more than $12 billion challenge related to the temporary risk corridors program established by the Affordable Care Act (the “ACA”).  Challenges were brought under multiple consolidated cases, Maine Community Health Options v. United States, Moda Health Plan v. United States, Land of Lincoln Mutual Health v. United States, and Blue Cross Blue Shield of North Carolina v. United States (the “Consolidated Cases”).  In its decision, the Court reversed the decision of the United States Court of Appeals for the Federal Circuit and remanded the case for further proceedings.
Continue Reading Supreme Court Issues Long Awaited Ruling on Affordable Care Act Risk Corridors Program

On March 9th, the U.S. Department of Health and Human Services (HHS) finalized two rules that are designed to give patients access to their health data and to increase interoperability among health care providers and payers using health information technology.  The two rules, issued by the HHS Office of the National Coordinator for Health Information Technology (ONC) and Centers for Medicare & Medicaid Services (CMS), implement interoperability and patient access provisions of the 21st Century Cures Act.  A primary aim of the 21st Century Cures Act was to push the healthcare industry to facilitate interoperability of healthcare data across the spectrum, including amongst health care payers, providers, patients and technology vendors.  For decades, HHS has largely relied on the industry to enable interoperability through a market-driven approach that would, in theory, benefit industry while achieving the interoperability goals established by the regulators. Unfortunately, it has been observed that the theory behind a market-driven approach has not been manifested in reality. In reality, the market-driven approach has allowed industry to monetize data by limiting data sharing and, in turn, impeding the benefits of interoperability which rely upon data sharing to promote improved care coordination, better patient outcomes, and material cost reductions. In order to bend the curve toward interoperability, the new HHS rules are designed to provide for binding and specific steps to “free” health care data and recognize the aforementioned benefits.
Continue Reading CMS Releases Interoperability Rule Designed to Increase Patient Access to Health Information

According to a December 20, 2019 Report by HIPAA Journal, nearly 39 million health care data breaches had been reported to the U.S. Department of Health and Human Services (“DHHS”), Office of Civil Rights (“OCR”) by the end of November 2019. This is a staggering number, especially considering that this is more than double what was reported in all of 2018. This appears to be part of an exponentially growing number of breach reports since, as we reported last year, 2018’s breach reports were already three times greater than what was reported in 2017.

This article explores some of the trends that can be attributed to the growing number of breaches and how the OCR has responded to the difficulties experienced by healthcare entities (“Covered Entities”) covered by the security and confidentiality requirements applicable to protected health information (“PHI”) under the Health Insurance Portability and Accountability Act of 1996 and 45 CFR Parts 160 and 164, as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH”) (collectively referred to hereinafter as “HIPAA”).
Continue Reading 2019 Year in Review: Notable Changes in Law, Policy, and Enforcement of HIPAA

Access to healthcare information (or lack thereof) has always been touted as one of the key factors/necessities to realizing the promise of technology in the delivery of healthcare. Despite various legislative, judicial, patient and industry initiatives, access continues to be a challenge due to a variety of competitive practices and lack of capabilities. Consider the following events and whether they signal real progress:

  1. In a September 9, 2019 Press Release issued by the United States Department of Health & Human Services – Office of Civil Rights (“OCR”), the OCR announced that it had taken action against Bayfront Health St. Petersburg (“Bayfront”), an academic medical center in St. Petersburg, Florida, to enforce the Health Insurance Portability and Accountability Act (“HIPAA”) protections that guarantee every patient the right to receive copies of his/her medical records promptly and without being overcharged. The enforcement action against Bayfront (which includes the assessment of an $85,000 fine against Bayfront and the imposition of a “Resolution Agreement” between OCR and Bayfront) is notable as the OCR’s first enforcement action under the OCR’s “Right of Access Initiative” – a program designed to focus OCR resources on the enforcement of HIPAA’s right of access guarantees.
  2. On February 11, 2019, two offices of the US Department of Health and Human Services (“HHS”) — the Office of the National Coordinator for Health Information Technology (“ONC”) and the Centers for Medicare and Medicaid Services (“CMS”) – each released a proposed rule (ONC Proposed Rule; CMS Proposed Rule) (collectively, the “Proposed Rules”) aimed at enhancing the interoperability of electronic health record (“EHR”) systems and increasing patient access to electronic health information (“EHI”) as required by the 21st Century Cures Act.
  3. On September 23, 2019, seven major healthcare leadership groups, including the American Health Information Management Association (“AHIMA”) and the American Medical Association (AMA), sent a letter to Congress (the “AHIMA Letter”) critiquing the ONC Proposed Rule.

What is the link between the Bayfront case, the Proposed Rules, and the AHIMA letter? The link is commonly referred to as “Information Blocking.”
Continue Reading INFORMATION BLOCKING AND THE RIGHT TO ACCESS INITIATIVE: Why Patients Struggle to Obtain their Medical Records and what the Office of Civil Rights Intends to Do About It

According to a February 12, 2019 Press Release from Protenus, a developer of analytics for patient privacy monitoring and compliance, 15,085,302 patient records were breached in 2018 – a startling number made even more startling by the fact that the number of breached patient records in 2018 is three times greater than the number of records breached in 2017.

As evidenced by the Protenus data and information reported by the U.S. Department of Health and Human Services (“DHHS”), Office of Civil Rights (“OCR”), a growing number of these breaches relate to third-party hacking, ransomware, and related malware incidents (collectively, “Hacking/IT Incidents”). As such, the OCR data shines a bright light on the obvious difficulties that healthcare entities (“Covered Entities”) covered by the security and confidentiality requirements applicable to protected health information (“PHI”) under the Health Insurance Portability and Accountability Act of 1996 and 45 CFR Parts 160 and 164, as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH”) (collectively referred to hereinafter as “HIPAA”).

The following examines representative HIPAA settlements and rulings from 2018, and considers the 2018 breach statistics and the growing security risk associated with Hacking/IT Incidents.
Continue Reading Cybersecurity, Inside Jobs, Outside Jobs, and HIPAA

In our February 13, 2019 blog post, “HIMSS19 Kicks-Off Addressing Leading Topics in Healthcare Information Technology,” we reported on the buzz that emerged from the first two days of the Healthcare Information and Management Systems Society’s (HIMSS) annual global conference that commenced on February 11, 2019. Now that the conference has concluded, it is time to discuss the key takeaways and lessons learned from the conference’s last few days regarding the application of the Internet of Things (IOT) to healthcare.
Continue Reading HIMSS19 Brings Together Thought Leaders on IOT and Telehealth

MedCity News, a media property of Breaking Media (publisher of Law360) hosted the third annual ENGAGE conference Nov. 6-7 in San Diego. The conference highlighted technology tools that increase patient engagement and strategies deployed by health plans and health systems to align patient incentives with promoting wellness and reducing healthcare delivery costs. There is increased interest from the healthcare industry, investment community and patient advocacy groups in fostering programs, technologies and services that focus on empowering patients to be a driving force in healthcare.  As many speakers reinforced at the conference, patient engagement has gone from an afterthought to a driving force in healthcare. The following are key themes:
Continue Reading Connection and Innovation Take Center Stage at the Patient ENGAGE Conference

On Thursday, August 9, 2018, the Centers for Medicare & Medicaid Services (“CMS”) published a Proposed Rule (the “Proposed Rule”)[1] regarding the Medicare Shared Savings Program (“MSSP” ) for Accountable Care Organizations (“ACOs”). The Proposed Rule would require ACOs to accept downside risk or shared losses sooner than under the current MSSP and would promote entities that have shown the greatest cost savings since implementation of the MSSP in 2012. Although not discussed in this article, the Proposed Rule also contains refinements to the methodology concerning ACO benchmarks and a modification to the current approach to risk adjustments, as well as changes to the MSSP’s claims-based assignment methodology and allowing beneficiaries to voluntarily align to ACOs in which their designated primary clinician is an ACO professional.
Continue Reading CMS Proposes Massive Changes to ACO Program – Pushing Providers to Accept Downside Risk

The Office of the National Coordinator for Health Information Technology (ONC) has released a final rule (Final Rule) introducing a new regulatory framework for certified health information technology (Health IT). The use of certified Health IT—specifically, electronic health record (EHR) modules—has played a central role in the EHR Incentive Programs and is intimately linked to the accrual of points in MACRA’s Merit-based Incentive Payment System. A major component of the Final Rule allows for ONC’s direct review of products certified by ONC’s Health IT Certification Program (Program) and identifies the roles of both developers and the ONC in addressing Program-compliance issues.[1] The Final Rule impacts developers of certified Health IT (Health IT Developers), providers that utilize and rely on such certified Health IT, and ancillary developers and service providers whose businesses are linked to EHR technology.
Continue Reading A Stick to Balance the Carrot: ONC Finalizes a New Framework to Address Non-Conformities in Certified Health Information Technology