In the two years since the Dobbs v. Jackson Women’s Health decision from the Supreme Court, state legislatures and courts have attempted to define the new post-Roe landscape in health care. That effort includes actions by states to enact health data privacy laws or to amend existing privacy laws to protect consumer health data

As promised back in April in an announcement of its plans to modernize compliance program guidance, the Department of Health and Human Services Office of Inspector General (OIG) issued the first of its new guidance documents for the health care industry on November 6, 2023. The first release is a general compliance program guidance (GCPG) designed to serve as a resource to all segments of the health care industry, regardless of the particular items or services offered.

In its newest release, OIG reiterates its view that the GCPG is by its very nature a voluntary guidebook that can act as a roadmap for a compliance program to follow, but that it is not binding on any individual or entity in the health care industry. This updated GCPG includes the following information for health care compliance programs, which we summarize further below: (1) key Federal authorities for entities engaged in health care business; (2) the seven elements of a compliance program; (3) adaptations for small and large entities; (4) other compliance considerations; and (6) OIG processes and resources.

Additional industry specific compliance guidance documents will be forthcoming, according to OIG, with its first updated guidance setting the stage for those to follow.Continue Reading HHS OIG Issues General Guidance as First Step in Effort to Modernize Compliance Guidance

HIPAA enforcement actions in the past year have continued to focus on the patient right to access initiative and large scale data breaches. While most of the recent enforcement actions focused on the patient right to access initiative, two noteworthy settlements stemmed from covered entities disclosing protected health information in response to negative online reviews.

Over the past year, the types, sizes, and locations of the investigated entities varied, and resulted in settlements ranging from $3,500 – $240,000. Department of Health and Human Services Office for Civil Rights (“OCR”) seemed to consistently impose comparatively higher settlements amounts for violations that resulted in large scale data breaches.Continue Reading Patient access and big-ticket data breaches lead OCR enforcement initiatives

The Department of Health and Human Services recently issued a proposed rule that would streamline the federal regulations governing the confidentiality of substance use disorder (SUD) patient records at 42 CFR Part 2 (Part 2) with the Health Insurance Portability and Accountability Act and its implementing regulations (HIPAA). Comments on the proposed rule are due to HHS by January 31, 2023

For years, health care providers regulated by both Part 2 and HIPAA and their patients, have wrestled with the inconsistencies across these two privacy frameworks. Part 2, for example, currently imposes different patient consent requirements and disclosure restrictions on Part 2-protected SUD treatment records (Part 2 Records) than HIPAA, even though such records often constitute protected health information (PHI) as well. The inconsistencies (and in some cases, conflicts) between HIPAA and Part 2 requirements have created barriers to information sharing and confusion and compliance challenges for entities regulated under both frameworks, which in turn have unnecessarily impeded treatment access and care coordination.

As noted in the HHS fact sheet and the press release issued by the Substance Abuse and Mental Health Services Administration (SAMHSA), the proposed rule would, if finalized, enhance care coordination, afford patients a formal right of access to their SUD records, and extend HIPAA’s breach notification standards to Part 2-regulated providers and information. The proposed rule would also allow health care providers to align internal privacy compliance programs, the importance of which is underscored by another proposal to impose the same HIPAA civil and criminal penalties on regulated providers for noncompliance with Part 2 regulations. Continue Reading HHS proposes update to Part 2 confidentiality regulations to align with HIPAA

The Department of Health and Human Services (“HHS”) has proposed a rule that updates retail pharmacy standards for electronic transactions adopted under the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  There is a 60-day public comment period for this rule, which closes on January 9, 2023.  This proposed rule, if finalized, would modify the currently adopted National Council for Prescription Drug Programs (“NCPDP”) Telecommunications Standard Implementation Guide (“TSIG”) and its equivalent batch standards. 

Specifically, the proposed rule would adopt TSIG version F6, and its equivalent batch standards NCPDP Batch Standard Implementation Guide, Version 15, and Batch Standard Pharmacy Subrogation Implementation Guide Version 10 (for non-Medicaid health plans).

The new standards will allow retail pharmacies with multiple locations to send one batch mode transaction that meets the F6 standard.  Among the changes from version to version are new data fields, new data segments, and new functionality.Continue Reading HHS Proposes Rule to Update Retail Pharmacy Standards for Electronic Transactions under HIPAA

On June 29, 2022, the U.S. Department of Health & Human Services’ Office for Civil Rights (“OCR”) issued two pieces of guidance clarifying the applicability of the Health Insurance Portability and Accountability Act (“HIPAA”) related to privacy of information connected to an individual’s reproductive health. 

Through this guidance, HIPAA addresses both protected health information (“PHI”), which is subject to HIPAA’s rules, as well as general, personal information that is not directly protected by HIPAA.Continue Reading New Guidance by OCR addresses HIPAA and Disclosures of Information relating to Reproductive Health

Over the last decade, members of the medical and public health communities around the world have widely studied and acknowledged the impact of social determinants of health (SDOH)—the conditions in the environments where people live, learn, work, play, and age—on a wide range of health, functioning, and quality-of-life-risks and outcomes.[1]  In the past year

This post was also written by Marquan Robertson, a Reed Smith summer associate. 

In 2019, the Department of Health and Human Services Office of Civil Rights (OCR) announced its Right of Access Initiative. The Right of Access Initiative realizes OCR’s commitment to ensuring the aggressive enforcement of patients’ rights to receive copies of their medical

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), the agency that enforces the Health Insurance Portability and Accountability Act of 1996 (HIPAA), is the latest federal agency to jump on the HHS rulemaking bandwagon issuing a Notice of Proposed Rulemaking (NPRM) on December 10, 2020, that proposes pivotal changes

Even amidst the chaos of a global pandemic, this year multiple U.S. Department of Health and Human Services (HHS) agencies have dialed in on promoting and enforcing patients’ rights to access their health information.

In just the past month, HHS’ Office for Civil Rights (OCR), the agency that enforces the Health Insurance Portability and Accountability Act of 1996 (HIPAA), settled five costly investigations with HIPAA-regulated parties for potential violations of the HIPAA right of access provision.  Under HIPAA, individuals have a legal, enforceable right to view and obtain copies, upon request, of the information in their medical and other health records maintained by a HIPAA covered entity, typically a health care provider or health plan, with limited exception.  Individuals generally have a right to access this information for as long as the information is maintained by a covered entity, or by a business associate on behalf of a covered entity, regardless of the date the information was created, whether the information is maintained in paper or electronic systems onsite, remotely, or is archived, or where the information originated (e.g., whether the covered entity, another provider, or the patient).
Continue Reading Patient access to health information at the forefront of government initiatives and scrutiny

After nearly a full year of public comment consideration, last week, the U.S. Department of Health and Human Services (HHS) Substance Abuse and Mental Health Services Administration (SAMHSA) announced and published a Final Rule and Fact Sheet addressing 42 C.F.R. Part 2 (Part 2). Generally speaking, Part 2 affords privacy protections to patient records pertaining

As technology has advanced over the years, there has been a corresponding push for virtual visits with health care providers.  In fact, many state boards of medicine and other regulatory agencies have sought to amend regulations and guidances to make telehealth a reality for patients across the U.S.  However, despite the technical allowance for telehealth,

As discussed in our client alert, recent legal developments have greatly expanded funding for and access to telehealth services during the COVID-19 crisis.

Among the changes instituted by HHS are expanded Medicare coverage and payment for services, reduced or waived cost-sharing obligations for physicians, and loosening of the HIPAA enforcement policies for covered entities

Shortly after President Trump declared a national emergency related to COVID-19, CMS issued blanket waivers under section 1135 of the Social Security Act that are intended to ensure there are sufficient health care items and services available to meet the increased need, as well as reduce related administrative burdens on health care providers.

Our comprehensive

The Department of Health and Human Services (HHS) has modified HIPAA retail pharmacy transaction requirements to differentiate between partial fill and full refills of opioids and other Schedule II drug prescriptions.  Specifically, HHS has finalized the requirements for use of the National Council for Prescription Drug Programs (NCPDP) Telecommunication Standard Implementation Guide, Version D, Release

The Department of Health and Human Services (HHS) has adopted its proposal to rescind the standard unique health plan identifier (HPID) and the “other entity identifier” (OEID), along with related implementation specifications and requirements for their use.  HHS adopted the HPID and OEID in a September 5, 2012 final rule in order to improve

The U.S. Department of Health and Human Services filed a Notice of Enforcement Decision on Friday, April 26, 2019, announcing a new system of annual penalty limits for HIPAA violations based on an entity’s level of culpability. The agency revised its previous interpretation of the Health Information Technology for Economic and Clinical Health Act (HITECH

The Department of Health and Human Services (HHS) has issued a proposed rule that would modify the current HIPAA transaction standard for retail pharmacy transactions (the August 2007 revision of NCPDP telecommunications standard D.0) with respect to claims and similar transactions for Schedule II drugs.  HHS states that the change would enable covered entities to

The Department of Health and Human Services (HHS) is proposing to rescind the standard unique health plan identifier (HPID) and the other entity identifier (OEID), along with related implementation specifications and requirements for their use.

HHS adopted the HPID and OEID in a September 5, 2012 final rule, but HHS announced a