Archive for HHS
Deven McGraw, a well-known health data privacy expert and federal legal advisor, just joined the HHS Office for Civil Rights on June 29. She takes over as deputy director of health information privacy and will head up the agency’s HIPAA policy and enforcement efforts.
OCR announced the appointment earlier in June. McGraw comes to OCR from Manatt, Phelps & Phillips, LLP, where she was a partner and co-chair of the law firm’s privacy and data security practice. The firm has offices in California, New York, Washington, D.C., and Mexico.
McGraw also served as the director of the Health Privacy Project at the Center for Democracy & Technology and the chief operating officer at the National Partnership for Women & Families, both of which are located in Washington, D.C.
The Medicare Fraud Strike Force swept through 10 states and arrested 243 people—46 of them physicians, nurses, and other licensed medical professionals—for allegedly defrauding the government out of $712 million in false Medicare and Medicaid billings, federal officials announced June 18. In addition to targeting instances of false claims and kickbacks, the strike force also uncovered evidence of medical identity theft.
Among the defendants is Mariamma Viju of Garland, Texas, an RN and the co-owner and nursing director for Dallas Home Health, Inc. A federal indictment accuses Viju and a co-conspirator of stealing patient information from Dallas-area hospitals in order to then solicit those patients for her business, as well as submitting false Medicare and Medicaid claims, and paying out cash kickbacks to beneficiaries.
In total, the scheme netted Viju $2.5 million in fraudulently obtained payments between 2008 and 2013. She was arrested June 16 and charged with one count of conspiracy to commit healthcare fraud, five counts of healthcare fraud, and one count of wrongful disclosure of individually identifiable health information.
The 21st Century Cures Act, a new healthcare bill that would relax portions of HIPAA privacy laws to further medical research and penalize health IT vendors that fail to comply with interoperability standards, has passed through the full House Committee on Energy & Commerce.
The bill would inject billions of dollars into medical drug research and innovative treatments, accelerate the entire process and clear away regulatory hurdles on various levels. One provision of the bill, however, requires HHS to revise or clarify provisions of the HIPAA Privacy Rule in regard to use and disclosure of patients’ PHI for the purposes of research.
The Privacy Rule currently allows healthcare providers to use PHI without authorization for treatment, billing and internal healthcare operations. Under the proposed law, however, those covered entities and their business associates would have the same unfettered access to those records to use in researching new drugs and treatments.
A new healthcare bill aimed at accelerating the development of new clinical drugs and innovative treatments would allow federal regulators to relax portions of HIPAA privacy laws in the name of research, as well as penalize electronic health record vendors that fail to comply with standards for interoperability and safe information exchange. The proposed bill also allows penalties for vendors who engage in information blocking.
The 21st Century Cures Act was co-authored by U.S. Reps. Fred Upton (R-Mich.) and Diana DeGette (D-Colo.), who began work on the bill more than a year ago. They, along with three other co-sponsors, unveiled a draft of the bill April 30, which was then amended and presented to the House Committee on Energy and Commerce’s Subcommittee on Health. It passed by voice vote.
Among other things, the bill would allow HHS to revise or clarify provisions of the HIPAA Privacy Rule in regard to use and disclosure of patients’ PHI for the purposes of research.
A recent audit revealed six security vulnerabilities within HHS’ Health Resources and Services Administration (HRSA), according to a report from the Office of the Inspector General (OIG).
The OIG conducted a review of HRSA security controls in effect in December 2013 and released the corresponding report in April 2015. In addition to reviewing and testing controls, the OIG interviewed HRSA’s security and IT professionals and reviewed policies and procedures, according to the report.
The OIG noted in its report that HRSA failed to:
- Effectively track and manage IT inventory
- Effectively implement and monitor patch management controls
- Effectively monitor the antivirus status of its assets
- Consistently review Active Directory user accounts as outlined in its policies
- Consistently apply encryption policies
- Develop policies and procedures to secure USB port control access