The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) will start to enforce compliance later this month with new special protections for individuals’ reproductive health information as required by a recently finalized HIPAA Privacy Rule, as we noted in an earlier blog post. While the incoming Trump Administration may change enforcement priorities or even rescind that rule, a settlement from OCR that pre-dated implementation of that rule indicates that OCR already affords this information protection.

The settlement marks OCR’s first enforcement action and settlement against a health care provider centered around, and specific to, an impermissible disclosure of an individual’s reproductive health information under the existing Privacy Rule standards. In other words, regardless of whether the incoming administration rescinds or revises the new protections for reproductive health information, OCR has demonstrated that it considers reproductive health information as highly sensitive and will take enforcement action accordingly under the HIPAA Privacy Rule as it is today.

Organizations would be well advised to take the remaining time before the December 23 compliance date to update existing policies to define the scope of reproductive health care-related protected health information (PHI) within the organization and set forth standards and procedures for how the organization will implement compliance with the new requirements including, for example, how the organization will assess and respond to third-party requests for reproductive health care-related PHI, including situations in which an attestation is required.Continue Reading OCR Sets Precedent with Settlement Over Impermissible Disclosure of Reproductive Health Information

HIPAA enforcement actions in the past year have continued to focus on the patient right to access initiative and large scale data breaches. While most of the recent enforcement actions focused on the patient right to access initiative, two noteworthy settlements stemmed from covered entities disclosing protected health information in response to negative online reviews.

Over the past year, the types, sizes, and locations of the investigated entities varied, and resulted in settlements ranging from $3,500 – $240,000. Department of Health and Human Services Office for Civil Rights (“OCR”) seemed to consistently impose comparatively higher settlements amounts for violations that resulted in large scale data breaches.Continue Reading Patient access and big-ticket data breaches lead OCR enforcement initiatives

The comment period for the U.S. Department of Health and Human Services Office for Civil Rights (OCR proposed changes to Privacy Rule ended on June 16, 2023, and the first portion of comments have been released to the public. As of June 19, 2023, 25,905 comments were submitted to the U.S. Department of Health and Human Services Office for Civil Rights (OCR), with 65 of those comments being made publicly available for review.

The publicly available comments can be viewed on Regulations.gov under the “Browse Posted Comments” tab. The relevant changes at issue were announced on Monday, April 12, 2023 by the OCR issuing a notice of proposed rulemaking (NPRM) to modify the HIPPA Privacy Rule to address the release of reproductive health care information to third parties for the purposes of civil, administrative, or criminal proceedings for care that is lawfully obtained.Continue Reading HIPAA Privacy Rule commenters express concerns about privacy, health outcomes, LQBTQIA+ rights, and historical health care disparities

On Monday, April 12, 2023, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued a notice of proposed rulemaking (NPRM) to modify the HIPAA Privacy Rule to address the release of reproductive health care information to third parties for the purposes of civil, administrative, or criminal proceedings for care that is lawfully obtained.

OCR has also released a fact sheet on this NPRM. The NPRM included: (1) the addition of new protections with respect to certain information related to reproductive health care; (2) a new obligation for regulated entities to obtain “attestations” (which are different from HIPAA’s traditional authorization) before responding to requests for certain PHI related to reproductive health care; and (3) the modification of the definition of “person,” and the addition of several new definitions.Continue Reading Proposed changes to HIPAA highlight increased demands for third party access to reproductive health data

Starting in 2019, the Department of Health and Human Services Office for Civil Rights (“OCR”) has taken an increased interest in protecting patients’ right of access to protected health information (“PHI”) under the Health Insurance Portability and Accountability Act (“HIPAA”). Over the past twenty months, OCR has announced nineteen settlements under its Right of Access

This post was also written by Marquan Robertson, a Reed Smith summer associate. 

In 2019, the Department of Health and Human Services Office of Civil Rights (OCR) announced its Right of Access Initiative. The Right of Access Initiative realizes OCR’s commitment to ensuring the aggressive enforcement of patients’ rights to receive copies of their medical