
Sara's health care law practice includes advising physician and institutional clients regarding Medicare and Medicaid compliance; Medicare appeals; peer review and credentialing; hospital bylaws and regulations development; managed care provider contracting; physician-hospital joint ventures and other contractual arrangements; clinical trials and medical research (including FDA enforcement actions); and HIPAA and state patient privacy laws (including compliance plans and OCR enforcement actions).

Today, April 14, 2015, marks the 12th anniversary of the compliance date for the HIPAA Privacy Rules for most “Covered Entities” – healthcare providers who engage in certain electronic transactions, health plans, and healthcare clearinghouses. (Small group health plans had one extra year, until April 14, 2004, to come into compliance with the Privacy Rules.)

What’s HIPAA?
The HIPAA Privacy Rules were the first comprehensive federal rules to protect the privacy and confidentiality of an Individual’s health and medical
Continue Reading Happy Birthday, HIPAA!

The recent Anthem breach may potentially affect 80 million people. Employers who contracted with Anthem as an insurer (or as a third party administrator for their self-insured plans) must now realize that defending their digital perimeter is not enough. Health insurance companies (and their brokers, TPAs, and other insurance support organizations) and large health/hospital systems, who are subject to myriad federal (HIPAA) and state privacy and security laws, are all vulnerable and should prepare now. You should assume that successful
Continue Reading Anthem Lessons: Why You Need a CyberIncident Response Plan for Data Breaches Now

Many employers are wondering what their obligations are in the wake of the Anthem data breach announced on February 5, 2015. Anthem is a large insurer with customers in 14 states. Anthem stated in its letter that only personal information was accessed during the security breach and that, apparently, no medical information was accessed. Therefore, Anthem, apparently, has not yet determined whether it believes HIPAA is in play, since “only” personally identifiable information was accessed. (A brief definition/overview of HIPAA is
Continue Reading Employer Notification Obligations in Wake of Anthem Data Breach