HIPAA, Privacy, and Risk Management
Garfunkel Wild’s HIPAA, Privacy, and Risk Management Practice Group assists health care providers, insurance plans and their vendors (e.g., Independent Practice Associations, billing and software companies, Health Information Exchanges) in preparing for, and addressing, complex regulatory and operational issues. Our objective is to assist our clients in implementing programs to avoid government interventions, and to support our clients when surveys, investigations, and settlement demands by federal and state regulatory and accreditation agencies occur.
HIPAA and Privacy
Information has become the foundation of providing quality health care, and therefore, a significant focus of health care providers and their vendors. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH) establishes – at a national level – the minimum requirements for protecting and ensuring the availability of patient information. Other federal and state laws and regulations, however, add additional requirements for certain types of information and technology. Garfunkel Wild has mastered this ever-changing and complex regulatory landscape and has assisted clients in:
- Assessing and implementing HIPAA privacy and security compliance plans, including model policies/forms and training in a manner that also includes consideration of state requirements and accreditation standards
- Responding to breaches of confidentiality of unsecured patient information including patient, federal and state notifications
- Preparing responses to investigations by the Federal Department of Health and Human Services, Office of Civil Rights (OCR), and similar state agencies
- Defending entities in governmental investigations/actions and private causes of action for alleged federal and state privacy violations
- Identifying appropriate strategies to allow for sharing of patient information for operational purposes (e.g., quality assurance, value based programs, research)
- Negotiating business associate agreements
- Implementing procedures to avoid allegations of Information Blocking
- Responding to federal and state subpoenas and other discovery requests involving protected health and other patient-identifying information
Our HIPAA and Privacy team can assist in addressing all of the challenges of protecting patient information, while allowing for appropriate use and sharing of such information to improve and develop our clients’ health care services.
Risk Management
Health care providers are faced with a plethora of regulatory and litigation concerns; more so than most industries. Garfunkel Wild has a deep understanding of the risks that our clients face, and assists our clients and their clinical leadership to navigate these regulatory complexities. Our Risk Management team has extensive experience in:
- Preparing plans of correction to address findings identified by the Center for Medicare and Medicaid Services (CMS), state departments of health and the Joint Commission
- Drafting Medical Staff Bylaws
- Preparing admission forms and informed consents for operative procedures, off label use of medications and other unique treatment scenarios
- Providing guidance and counsel to address professional misconduct and abuse reporting situations, as well as internal disciplinary decisions regarding licensed health care professionals
- Implementing quality assurance and performance improvement programs, including consideration of applicable privileges and immunities
- Drafting policies and procedures to address regulatory and accreditation requirements
- Assisting providers across the healthcare spectrum through multifaceted licensure processes (e.g., laboratory permits and CLIA certification, radiology permits, pharmacy licenses, pharmaceutical wholesaler and manufacturing registrations)
- Providing comprehensive review of regulatory compliance for merger and acquisition transactions
Our Risk Management team is standing by to assist our clients in taking the steps necessary to protect against unintended mishaps, and to address incidents if they occur.
Last week, the U.S. Department of Justice (DOJ) and the U.S. Department of Health and Human Services (HHS) released their annual, jointly authored Health Care Fraud and Abuse Control Program Report (the Report) for Fiscal Year 2023.
The U.S. Department of Health and Human Services (HHS), Office of Inspector General (OIG) released its Semiannual Report (SAR) to Congress on December 4, 2024.
This week, the U.S. Department of Health and Human Services (“HHS”), Office of Inspector General (“OIG”) fulfilled its annual statutory obligation by releasing its 2024 Top Management and Performance Challenges Report (the “Report”). Historically, the Report has not attracted widespread interest in the provider community because it largely focuses on HHS operational challenges. Importantly for providers and other stakeholders, however, the Report reveals crucial insights about compliance priorities for the year ahead.
The cybersecurity attack on Change Healthcare (“Change”), a subsidiary of the UnitedHealth Group, has caused widespread disruption, impacting health care providers and individuals whose personal data was compromised. This breach has led to numerous class action lawsuits, divided into two main groups: providers affected by the claims processing shutdown and individuals whose data was leaked. In June 2024, approximately 50 lawsuits were centralized into a Multi-District Litigation (MDL) in federal court in Minnesota. On September 17, 2024, the first conference in the matter occurred. As the litigation progresses, motions to dismiss, potential mediation, and class certification are expected to shape the case.
On August 29, 2024, the Federal Department of Health and Human Services (“HHS”) withdrew its appeal of a federal court decision that invalidated certain aspects of HHS guidance regarding the use of tracking technologies (e.g., pixels that collect data on website usage to create directed marketing campaigns).
In a recent ruling, the New Jersey Supreme Court concluded that the “self-critical analysis” privilege under the Patient Safety Act (“PSA”) and its implementing regulations can only be applicable if the information sought was generated for purposes of an independent patient safety committee that is created solely for the purposes of the PSA (i.e., the information […]
The U.S. Department of Health and Human Services, Office of Inspector General (OIG) posted a favorable Advisory Opinion (24-03) permitting a pharmaceutical manufacturer (Manufacturer) to provide financial assistance to qualified patients undergoing its gene therapy treatment for two severe genetic conditions.
The U.S. Department of Health and Human Services (HHS), Office of Inspector General (OIG) released its revamped Semiannual Report (SAR) on June 3, 2024. The SAR’s new format focuses on the oversight work OIG completed during the reporting period, and emphasizes how this work directly addresses the Top Management Challenges Facing HHS.
On May 15, 2024, the New York State Department of Health (DOH) announced a pivotal change in its regulations, as it intends to permit health care providers to use telemedicine to conduct patient evaluations before prescribing controlled substances. Prior to the COVID-19 pandemic, DOH required health care providers to perform an initial in-person physical evaluation of patients before prescribing controlled substances.
The HIPAA Privacy Rule to Support Reproductive Health Care Privacy was recently announced as a final rule that becomes effective on June 25, 2024 (the “Final Rule”).
Garfunkel’s Compliance Webinar Series rolls on with an examination of the 2024 Work Plan published by the New York State Office of Medicaid Inspector General (OMIG).
On Tuesday, April 23, 2024, the Federal Trade Commission (FTC) promulgated a final rule banning most non-compete agreements, in any industry, which is set to become effective 120 days after its publication in the Federal Register (the “Final Rule”).
Join the health care professionals of Garfunkel Wild and Withum as they dive into the technical, legal, and financial steps you will need to take to come into compliance with the new cybersecurity regulations for New York hospitals.
On March 9, 2024, CMS announced it will make available Change Healthcare/Optum Payment Disruption accelerated payments to providers experiencing potentially significant cash-flow problems as a result of the cyberattack on UnitedHealth Group’s subsidiary Change Healthcare/Optum.
The New York State Office of the Medicaid Inspector General (OMIG) recently updated its Self-Disclosure Guidance and Frequently Asked Questions (collectively, “Updates”). These Updates give participating providers and entities additional insight into how to report overpayments involving unresponsive Medicaid Managed Care Organizations (MMCOs) or multiple entities, as well as those that are untimely, have adjusted or voided claims, or lost or damaged records.
The New York State Office of the Medicaid Inspector General (OMIG) released its 2024 work plan in furtherance of its mission to coordinate and conduct activities to prevent, detect and investigate medical assistance program fraud, waste and abuse, and to recover improperly expended Medicaid funds.
Continuing its year-end reporting blitz, the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) released its Semiannual Report (SAR) to Congress on December 1, 2023.
As we have noted in a previous Garfunkel Wild alert, the Department of Health and Human Services (“DHHS”) Office of Civil Rights (“OCR”) published guidance regarding the use of tracking technologies (i.e., technologies that collect and analyze information about how users interact with websites and mobile applications).
This week, the United States Department of Justice (DOJ) and the United States Department of Health and Human Services (HHS) fulfilled their annual statutory obligation by releasing their jointly-authored Health Care Fraud and Abuse Control Program (HCFAC) Report for Fiscal Year 2022.
In the last few months of 2023, there has been a flurry of legal activity pertaining to the use, disclosure, and protection of health information. Here is a summary of the latest legal initiatives impacting New York providers.
In this article published in the New York City Pharmacists Society Newsletter, Stacey Gulick highlights some of the most significant, and perhaps unexpected, issues that must be addressed by pharmacists in their ongoing HIPAA compliance efforts.
On November 6, 2023, the OIG released its General Compliance Program Guidance, the first in a series of new, non-binding reference guides designed to share information with health care compliance professionals and other health care industry stakeholders.
Join Garfunkel Wild’s attorneys as they discuss the OSV process, highlight the areas HRSA reviewers consider, and impart meaningful tips on how FQHCs can be in compliance.
Scammers have perpetrated a telephone fraud scheme attempting to extort money and personally identifiable information from healthcare providers by impersonating Drug Enforcement Administration (“DEA”) agents across the country.
Garfunkel Wild's Health Care Information and Technology Practice Group's Podcast Series "Health Information Technology Podcast- Termination and Transition Periods".
The Department of Health and Human Services, Office of Civil Rights (“OCR”) has published a Bulletin which officially states that incorporating certain tracking technologies into websites and mobile applications may cause HIPAA violations that could result in breach notification obligations as well as penalties. This includes platforms and services provided by companies like Meta (formerly Facebook) and Google.
Earlier today, the United States Health and Human Services Office for Civil Rights (“OCR”) issued an alert concerning fraudulent postcards sent to health care organizations claiming to be official communications from OCR.
Robert Del Giorno will present at the Long Island Health Information Management Association John W. Ruth Annual Membership Conference on April 21, 2021.
Garfunkel Wild’s Terence Russo and Garfunkel Health Advisors will present at the Medical Society of New Jersey (MSNJ) Webinar – Review of 2021 E/M Guideline Changes and Information Blocking New Rules.
The United States Department of Health and Human Services (“HHS”), Office of Inspector General (“OIG”) recently issued an important final rule (the “Final Rule”) that makes significant changes to existing “Safe Harbors” under the Federal Anti-kickback Statute (“AKS”) and that adds new Safe Harbors that provide protection from AKS sanctions for certain types of arrangements.
The Equal Employment Opportunity Commission has issued new guidance for workplaces, dated April 17, 2020, as they start the process of preparing for the impending re-opening of their entities in the face of the Covid-19 pandemic.
Garfunkel Wild Partner/Director Debra A. Silverman and Partners Stacey L. Gulick and Sandra M. Jensen will present the webinar “Implementing and Expanding Telehealth to Address COVID-19” on March 19, 2020.
Garfunkel Wild will present at the 2nd Annual Center for Health Education, Medicine, & Dentistry (CHEMED) Conference on Medicine & Ethics on February 14, 2020.
As most of you are aware, all 2019 HIPAA security breaches affecting fewer than 500 individuals must be reported by covered entities (e.g., providers and health plans) to the Federal Department of Health and Human Services, Office of Civil Rights (“OCR”) prior to February 28, 2020.
Lara Jean Ancona will present at the Greater New York Hospital Association’s (GNYHA) Webinar – Clinical Trial Agreements on January 15, 2020.
Stacey L. Gulick will present at the Nassau County Bar Association’s Hospital & Health Law Committee Meeting on November 7, 2019.
The New York SHIELD Act has gone into effect today (October 23, 2019) and entities that maintain electronic information regarding New York residents will need to ensure compliance.
Stacey Gulick will present at Monroe County Medical Society Webinar Survival Series: HIPAA Webinar on September 26, 2019.
On October 23, 2019, the Stop Hacks and Improve Electronic Data Security (“SHIELD”) Act goes into effect and significantly modifies the existing New York State breach notification requirements, including the addition of new requirements for covered entities (e.g., all health care providers and health plans) to report HIPAA breaches to the New York State Attorney General, as well as the Federal Department of Health and Human Services, Office of Civil Rights (“OCR”).
Barry B. Cepelewicz will present at the Fairfield County Medical Association’s Webinar – Creating a Medical Record that Protects Your Patients, Your Practice & You – March 6, 2019.
Kimberly Kempton-Serra Quoted In ASC Focus Article Entitled “Set Up A Compliant Patient Transportation Service” October 2019