Photo of Catherine David

HIPAA enforcement actions in the past year have continued to focus on the patient right to access initiative and large-scale data breaches. While most of the recent enforcement actions focused on the patient right to access initiative, two noteworthy settlements stemmed from covered entities disclosing protected health information in response to negative online reviews.

Over the past year, the types, sizes, and locations of the investigated entities varied, and the investigations resulted in settlements ranging from $3,500 to $240,000. The Department of Health and Human Services Office for Civil Rights (“OCR”) seemed to consistently impose comparatively higher settlement amounts for violations that resulted in large-scale data breaches.

The comment period for the U.S. Department of Health and Human Services Office for Civil Rights (OCR) proposed changes to the Privacy Rule ended on June 16, 2023, and the first portion of comments has been released to the public. As of June 19, 2023, 25,905 comments were submitted to OCR, with 65 of those comments being made publicly available for review.

The publicly available comments can be viewed on Regulations.gov under the “Browse Posted Comments” tab. The relevant changes at issue were announced on Monday, April 12, 2023, when OCR issued a notice of proposed rulemaking (NPRM) to modify the HIPAA Privacy Rule to address the release of reproductive health care information to third parties for the purposes of civil, administrative, or criminal proceedings for care that is lawfully obtained.

On Monday, April 12, 2023, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued a notice of proposed rulemaking (NPRM) to modify the HIPAA Privacy Rule to address the release of reproductive health care information to third parties for the purposes of civil, administrative, or criminal proceedings for care that is lawfully obtained.

OCR has also released a fact sheet on this NPRM. The NPRM included: (1) the addition of new protections with respect to certain information related to reproductive health care; (2) a new obligation for regulated entities to obtain “attestations” (which are different from HIPAA’s traditional authorization) before responding to requests for certain PHI related to reproductive health care; and (3) the modification of the definition of “person,” and the addition of several new definitions.

According to the Centers for Disease Control and Prevention, firearm injuries are a serious public health problem in the United States. To combat this problem, many states have passed extreme risk protection order (“ERPO”) laws, otherwise known as “red flag laws.”

ERPO laws allow various individuals, including family members, health care providers, and law enforcement

In an increasingly digital and interconnected world, the privacy and security of personal information is a significant concern. Applications and connected devices collect a bevy of personal information from consumers, including sensitive information about consumers’ health. Because of the sensitivity of health information, the United States has developed a variety of legal protections and enforcement

Starting in 2019, the Department of Health and Human Services Office for Civil Rights (“OCR”) has taken an increased interest in protecting patients’ right of access to protected health information (“PHI”) under the Health Insurance Portability and Accountability Act (“HIPAA”). Over the past twenty months, OCR has announced nineteen settlements under its Right of Access

On June 9, 2021, the Office for Civil Rights (OCR) shared a cyber-alert containing important updates on how companies can protect their operations from ransomware attacks. The guidance comes from the White House and the Cybersecurity and Infrastructure Security Agency. The memo, entitled “What We Urge You To Do To Protect Against The Threat of

On May 18, 2021, in a statement issued by the U.S. Department of Health and Human Services’ (HHS) Office of Inspector General, Acting U.S. Attorney for the Eastern District of California, Phillip Talbert, and California Attorney General, Rob Bonta (the Statement), the health care industry was reminded of the prohibition against charging individuals for COVID-19

After nearly a full year of public comment consideration, last week, the U.S. Department of Health and Human Services (HHS) Substance Abuse and Mental Health Services Administration (SAMHSA) announced and published a Final Rule and Fact Sheet addressing 42 C.F.R. Part 2 (Part 2). Generally speaking, Part 2 affords privacy protections to patient records pertaining