Kathrin E. Kudner

Ms. Kudner's practice is devoted to the representation of health care providers, payors and biotechnology and life sciences companies in various corporate and regulatory matters. Ms. Kudner is a member of the Firm's Privacy and Data Security, Biotechnology and Life Sciences, Dental Service Organizations, and Insurance Teams.

Telehealth

On March 17, 2020, OCR issued guidance indicating that it would exercise enforcement discretion and waive penalties for entities that provide services to individuals using “everyday communication technologies.”

On March 20, 2020, OCR provided additional, more detailed guidance on telehealth services, applicable to all health care providers covered by HIPAA who provide telehealth services during the COVID-19 public health emergency.

OCR defines “telehealth” as “the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, and public health and health administration” (relying on the definition used by the Health Resources and Service Administration of DHHS). Telehealth may be provided through audio, text messaging, or video conferencing. This guidance does not apply to other covered entities, such as insurance companies, that may pay for telehealth services.

Recent ransomware attacks illustrate the importance of compliance with HIPAA's required and addressable security standards. In its Fall 2019 Cybersecurity Newsletter, dated December 2, 2019, the Office of Civil Rights (OCR) discussed ransomware attacks and ways to recognize, prevent, mitigate and recover from an attack.

HIPAA requires both covered entities and business associates to conduct a risk analysis of the potential risks and vulnerabilities to the security of electronic Protected Health Information (ePHI) and to implement a corrective action plan to eliminate or reduce those risks and vulnerabilities. According to the OCR, these risk analyses are critical to preventing ransomware attacks because ransomware takes advantage of technical vulnerabilities. HIPAA also requires an effective procedure for information system activity review, which enables the covered entity or business associate to detect unusual activity and quickly identify an attack. The information system review should include procedures covering records such as audit logs, incident and breach tracking reports, and reports on system access.

On August 22, 2019, the Substance Abuse and Mental Health Services Administration of the United States Department of Health and Human Services (“SAMHSA”) issued a proposed rule amending the Confidentiality of Substance Use Disorder Patient Records regulations set forth at 42 CFR Part 2. These regulations were initially implemented to provide heightened protection of patient records covering the treatment of substance use disorder (“SUD”) provided by certain federally funded programs (“Part 2 programs”).

The proposed regulations do not modify the general requirements for the confidentiality of SUD patient records created by Part 2 programs. Part 2 continues to prohibit the disclosure of SUD records without patient consent except as specifically permitted, such as in a bona fide medical emergency, for purposes of scientific research, audit or program evaluation, or with an appropriate court order after showing good cause.