On June 29, 2022, the U.S. Department of Health & Human Services’ Office for Civil Rights (“OCR”) issued two pieces of guidance clarifying the applicability of the Health Insurance Portability and Accountability Act (“HIPAA”) related to privacy of information connected to an individual’s reproductive health. 

Through this guidance, HIPAA addresses both protected health information (“PHI”), which is subject to HIPAA’s rules, as well as general, personal information that is not directly protected by HIPAA.

Continue Reading New Guidance by OCR addresses HIPAA and Disclosures of Information relating to Reproductive Health

According to the Centers for Disease Control and Prevention, firearm injuries are a serious public health problem in the United States. To combat this problem, many states have passed extreme risk protection order (“ERPO”) laws, otherwise known as “red flag laws.”

ERPO laws allow various individuals, including family members, health care providers, and law enforcement

The Office for Civil Rights (OCR) is requesting public input on reforms to Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules to promote care coordination and the health system’s transformation to value-based health care while protecting the privacy and security of individuals’ protected health information (PHI).  Specifically, in a request for information

This month the HHS Office for Civil Rights (OCR) has launched an initiative “to more widely investigate the root causes” of HIPAA breaches affecting fewer than 500 individuals, according to an August 18, 2016 OCR email announcement. While Regional Offices will retain discretion to prioritize investigation of smaller breaches, each office is directed to “increase

Immediately following Sunday’s tragic shooting at a nightclub in Orlando, friends and family frantically gathered at Orlando Regional Medical Center, attempting to get information about their loved ones.  However, hospital officials hesitated to provide specific updates.  Why?  Because the Health Insurance Portability and Accountability Act (HIPAA) and implementing regulations restrict the patient-identifiable health information that “covered entities,” like Orlando Regional Medical Center, are permitted to disclose without proper patient authorization or consent.

Shortly following the massacre, Orlando local news outlets reported that after Orlando Regional’s CEO expressed concern regarding families requesting detailed patient health information at the hospital’s emergency room, Orlando Mayor Buddy Dyer contacted the White House and requested a waiver of the HIPAA regulations.  While the HIPAA Privacy Rule is not automatically suspended during a national or public health emergency, the Secretary of the Department of Health and Human Services (HHS) may waive certain provisions of HIPAA under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act.  In order to take advantage of the waiver, the President must declare an emergency or disaster and the Secretary of HHS must declare a public health emergency.

Continue Reading Reexamining HIPAA’s Applicability During Emergencies After the Tragedy in Orlando

On January 6, 2016, HHS published a final rule to modify the HIPAA Privacy Rule to expressly permit certain HIPAA covered entities to disclose to the National Instant Criminal Background Check System (NICS) the identities of individuals who are subject to a federal “mental health prohibitor” that disqualifies them from shipping, transporting, possessing, or receiving

The Office of the National Coordinator for Health Information Technology (ONC) has released a revised Guide to Privacy and Security of Electronic Health Information. The guide is intended to help health care providers – especially those from smaller organizations – address federal health information privacy and security requirements in their practices. The new version

Two more health care companies have settled potential violations of the HIPAA Privacy and Security Rules arising from the theft of unencrypted laptops by paying a total of almost $2 million and agreeing to continued oversight by the HHS Office for Civil Rights (OCR). In both instances, the breaches were self-reported and the settlements resulted

HHS has developed a Security Risk Assessment (SRA) tool to help providers comply with a Health Insurance Portability and Accountability Act (HIPAA) requirement that covered entities conduct a risk assessment to ensure compliance with HIPAA’s administrative, physical, and technical safeguards and to determine where electronic protected health information could be at risk. The SRA tool is

On February 6, 2014, the Department of Health & Human Services (HHS) published a final rule making changes to the Clinical Laboratory Improvement Amendments of 1988 (CLIA) and Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations to provide individuals with a greater ability to directly access their laboratory test reports. The rule

On January 7, 2014, HHS published a proposed rule that would modify the HIPAA Privacy Rule to expressly permit certain HIPAA covered entities to disclose to the FBI’s National Instant Criminal Background Check System (NICS) the identities of individuals who are prohibited under federal law from shipping, transporting, possessing, or receiving a firearm for reasons

As reported on our sister blog, http://www.lifescienceslegalupdate.com/, the HHS Office for Civil Rights (OCR) has made a number of recent announcements regarding HIPAA Privacy Rule implementation. First, OCR has issued guidance on how the changes to the HIPAA Privacy Rule’s marketing provisions under the Health Information Technology for Economic and Clinical Health (HITECH) Act

HHS is soliciting comments on whether to amend the HIPAA Privacy Rule to expressly permit covered entities holding information about the identities of individuals who are disqualified from possessing or receiving firearms on mental health grounds to disclose limited information to the National Instant Criminal Background Check System. Comments on the rule will be accepted

This post was also written by Elizabeth D. O’Brien.

On January 25, 2013, the HHS Office for Civil Rights published its long-awaited final rule implementing major changes to the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules mandated by the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH Act). Among other