Americans hear about cybersecurity incidents on a frequent basis. As the adage goes, it is not a matter of “if” a breach or security hack occurs; it is a matter of “when.” At no time was that more evident than earlier this year, when the healthcare industry was hit with the widespread ransomware attack on Change Healthcare, a subsidiary of the United Health Group. Because of the nature of the Change Healthcare shutdown and its impact across the industry, the U.S. Department of Health & Human Services (HHS) and its HIPAA enforcement arm, the Office for Civil Rights (OCR), conducted investigations and issued FAQ responses for those impacted by the cybersecurity event.
Continue Reading HIPAA Gets a Potential Counterpart in HISAA

It’s Bigger. But is it Better?

They say everything is bigger in Texas, and that includes big privacy protection. After the Texas Senate approved HB 4, the Texas Data Privacy and Security Act (“TDPSA”), on June 18, 2023, Texas became the eleventh state to enact comprehensive privacy legislation.[1]

Like many state consumer data privacy laws enacted this year, TDPSA is largely modeled after the Virginia Consumer Data Protection Act.[2] However, the law contains several unique differences and drew significant pieces from recently enacted consumer data privacy laws in Colorado and Connecticut, which generally include “stronger” provisions than the more “business-friendly” laws passed in states like Utah and Iowa.
Continue Reading On July 1, 2024, Texas May Have the Strongest Consumer Data Privacy Law in the United States

By March 2, 2022, HIPAA covered entities (healthcare providers, health plans, and healthcare clearinghouses) must report all 2021 breaches of unsecured PHI that affected fewer than 500 individuals to the Office for Civil Rights of the U.S. Department of Health & Human Services (OCR). Covered entities must submit these reports through the HHS web portal,

On Tuesday, December 15, Matthias Kleinsasser presented at the Austin Bar Association’s Health Law Section meeting. His presentation, titled “The Basics of the False Claims Act, STARK, and Anti-Kickback Statute and Recent Regulatory Developments,” provided a litigator’s perspective on the basics of the False Claims Act, STARK, and the Anti-Kickback Statute, along with a

There’s no such thing as a free lunch….  This adage is over 50 years old, and the Office of Inspector General for Health & Human Services (OIG) wants to remind doctors that it remains true.

The pharmaceutical and medical device industry continues to woo doctors with invitations to educational speaker programs in high-end restaurants, with golf excursions, or at sporting venues.  On Monday, November 16, the OIG issued a new Special Fraud Alert to remind doctors that speaker programs sponsored by pharmaceutical and medical device companies must serve a legitimate educational purpose and must be appropriately tailored to meet a need in the medical community.

The Open Payments Act requires pharmaceutical and medical device companies to report their spending on entertainment. According to Open Payments data, cumulative doctor payments in the three years from 2017-2019 exceeded $2 billion, and the OIG emphasized that this high amount of spending, and its potential to influence the prescribing or ordering habits of targeted physicians, was one of the reasons for this new alert.
Continue Reading There’s No Such Thing as a Free Lunch

Background

The U.S. Department of Health and Human Services (HHS) recently finalized transformative rules that will give patients unprecedented safe, secure access to their health data. The rules are issued by the HHS Office of the National Coordinator for Health Information Technology (ONC) and Centers for Medicare & Medicaid Services (CMS) to implement interoperability and patient access provisions of the bipartisan 21st Century Cures Act (Cures Act).  These final rules mark the most extensive healthcare data sharing policies the federal government has implemented, requiring both public and private entities to share health information between patients and other parties while keeping that information private and secure. These final rules became effective as of June 30, 2020. NOTE: Due to the COVID-19 public health emergency, HHS has delayed enforcement until future dates.
Continue Reading How HHS Information Blocking Regulations Apply to Healthcare Providers

Startup? Organized in Delaware? Then you likely received a notice from the Secretary of State of Delaware saying you owe thousands (maybe even tens of thousands) in franchise taxes and have to file an Annual Report by March 1, 2020. DON’T PANIC!! There are two ways to calculate franchise taxes, and Delaware defaults to the

In a long-anticipated move, the United States Food and Drug Administration (FDA), on September 26, 2019, published six guidance documents clarifying its scope of authority and enforcement discretion policies with regard to Digital Health Content in light of the questions raised by the 21st Century Cures Act (Cures Act).

In this article, we take a look at the FDA’s draft guidance that proposes a framework for regulating Clinical Decision Support (CDS) Software, including software containing machine-learning algorithms (ML).
Continue Reading FDA Guidance Clarifies Clinical Decision Support, Machine-Learning, and Other Digital Health Content