HIPAA FAQ Series: Are Covered Entities and Business Associates Required to Encrypt PHI?

The Health Insurance Portability and Accountability Act (HIPAA) mandates that both Covered Entities and Business Associates protect the security of Protected Health Information (PHI) in a variety of ways.  Specifically, HIPAA’s Security Rule sets forth various technical, administrative, and physical safeguards that must be enacted in order to ensure the confidentiality, integrity, and availability of electronic PHI, and to mitigate the risk of improper access to such electronic PHI.  While implementing or updating these safeguards, many Covered Entities and Business Associates ask: does HIPAA mandate the encryption of electronic PHI?

Filed under Health Information Privacy, Health IT, HIPAA, HIPAA FAQ, Privacy and Security

CareFirst Discloses Data Breach

CareFirst, a Blue Cross Blue Shield plan serving the Washington D.C. metro area, became the latest in a line of health insurers to suffer a data breach at the hands of hackers.  CareFirst and the FBI are examining the breach, which potentially compromised the records of 1.1 million customers.  The company reports that although the hackers gained access to customer names, email addresses, and birth dates, they did not obtain sensitive financial or medical information, such as member Social Security Numbers, medical claims information or financial account information.  Affected customers are being offered two years of free credit monitoring and identity-theft protection services.

Filed under Health Information Privacy, Health IT, HIPAA, HITECH Act, Privacy and Security, Technology

Senator Grassley Requests Information Related to Potential Medicare Advantage Fraud

Senator Grassley issued letters this week to the Centers for Medicare and Medicaid Services (CMS) and Department of Justice (DOJ) related to potential fraud in the Medicare Advantage program. Citing news articles, DOJ investigations and a recent Government Accountability Office report, Grassley states: “Some insurance companies that offer Medicare Advantage are allegedly engaging in billing abuse by altering patient records in order to claim patients are sicker than they actually are” because reimbursement is higher for sicker patients.

Grassley requested that CMS provide responses to the following questions:

  1. What steps has CMS taken, and is currently taking, to ensure that insurance companies are not fraudulently altering risk scores? Please provide a detailed explanation.
  2. Is CMS working in conjunction with DOJ to investigate risk score fraud? Please explain the relationship. If not, why not?
  3. Since the inception of Medicare Advantage, how many risk score audits has CMS conducted each year? For each year and each audit, what was the value of the overcharge? How much was recovered via settlement or other measures?
  4. How much money per year is allocated by CMS for auditing Medicare Advantage fraud, waste and abuse?

Filed under Fraud and Abuse, Government Enforcement



Data analytics is not a new concept within the health care industry. However, as data analytics tools become more accessible, government interest in using data analytics to detect health care fraud continues to increase. Government investigators also have been vocal in informing the health care industry that this powerful tool will continue to be used.

For example, the House Ways and Means Subcommittee on Oversight recently held a hearing on the government’s use of data analytics to combat health care fraud. Testifying witnesses included a representative from the Centers for Medicare and Medicaid Services (CMS), who discussed the use of data analytics to identify excluded individuals. A representative from the U.S. Department of Health and Human Services Office of Inspector General (OIG) discussed the use of data analytics by the agency and the Medicare Fraud Strike Force for prospective and investigative purposes.

Filed under Corporate Compliance

Updated Guide to Privacy and Security of Electronic Information Released by ONC and OCR

The Office of the National Coordinator for Health Information Technology (ONC), in collaboration with the Office for Civil Rights (OCR), recently released updated guidance on the privacy and security of electronic health information.  The Guide to Privacy and Security of Electronic Health Information (the Guide), last published in 2011, is designed to help healthcare organizations and medical professionals understand how federal privacy and security requirements fit into their practices.  The Guide is useful to a broad range of healthcare organizations, medical professionals, and their business associates: it provides a good overview of the HIPAA privacy, security, and breach notification requirements and of the Medicare and Medicaid electronic health records (meaningful use) incentive programs, along with considerations to take into account when dealing with digital healthcare platforms.

Filed under Health Care, Health Information Privacy, Health IT, HIPAA, HIPAA FAQ, HIPAA Omnibus Rule, HITECH Act, Uncategorized

Changes to Sunshine Law Included in Proposed 21st Century Cures Legislation

As we recently discussed, a bipartisan group of representatives from the House of Representatives’ Energy and Commerce Committee released a new discussion draft of the 21st Century Cures initiative (Legislation) that seeks to accelerate new medical innovations and improve the way in which these innovations are brought to market. One notable inclusion in the Legislation is draft language that would exclude from federal Sunshine law reporting:

  • “peer-reviewed journals, journal reprints, journal supplements, medical conference reports, and medical textbooks”;
  • indirect payments or transfers of value provided to covered recipients “for speaking at, or preparing educational materials for, an educational event for physicians or other health care professionals that does not commercially promote a covered drug, device, biological, or medical supply”; and
  • payments or transfers of value made for the “sole purpose of providing the covered recipient with medical education, such as by providing the covered recipient with the tuition required to attend an educational event or with materials provided to physicians at an educational event.”

Filed under Federal Transparency, Health Reform

CMS’ Annual Open Payments Report to Congress Highlights Some Key Areas to Watch

The Centers for Medicare & Medicaid Services (CMS) must submit an annual report to Congress in connection with the federal Sunshine law.  In addition to summarizing the process and outcome of the 2014 reporting period, the recently released annual report includes a few key takeaways for pharmaceutical and medical device manufacturers and group purchasing organizations (GPOs):

  • CMS intends to continue making enhancements to the Open Payments website so that all website visitors, including “advanced data users” and the general public, can “discover meaningful information.”  This will include providing the data in a dashboard layout and access to additional aggregate views of the data.
  • CMS provided statistics demonstrating the significant amount of attention that the Open Payments database received.  This included over 13,500 downloads of the database, and nearly 1 million visitors to the Open Payments website.  Additionally, during the week of February 8-14, 2015, the Open Payments database received nearly 2.5 million unique page views.
  • CMS confirmed that no civil monetary penalties (CMPs) have been imposed to date. The near-term objective of CMS is to focus on applicable manufacturers and GPOs that failed to register and submit data in the Open Payments system. CMS stated in the report that it is “engaged in an effort to increase submission compliance of specific entities that did not submit data.” CMS further confirmed that it “will launch targeted audits to identify applicable manufacturers and GPOs that should have submitted payment information but did not for 2013.”

Filed under Federal Transparency