The U.S. Department of Health and Human Services filed a Notice of Enforcement Decision on Friday, April 26, 2019, announcing a new system of annual penalty limits for HIPAA violations based on an entity’s level of culpability. The agency revised its previous interpretation of the Health Information Technology for Economic and Clinical Health Act (HITECH

The Department of Health and Human Services (HHS) has issued a proposed rule that would modify the current HIPAA transaction standard for retail pharmacy transactions (the August 2007 revision of NCPDP telecommunications standard D.0) with respect to claims and similar transactions for Schedule II drugs.  HHS states that the change would enable covered entities to

The Department of Health and Human Services (HHS) is proposing to rescind the standard unique health plan identifier (HPID) and the other entity identifier (OEID), along with related implementation specifications and requirements for their use.

HHS adopted the HPID and OEID in a September 5, 2012 final rule, but HHS announced a

The Office for Civil Rights (OCR) is requesting public input on reforms to Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules to promote care coordination and the health system’s transformation to value-based health care while protecting the privacy and security of individuals’ protected health information (PHI).  Specifically, in a request for information

The Trump Administration has formally withdrawn a number of pending Department of Health and Human Services (HHS) proposals that never reached the final rule stage. This includes:  a controversial Medicare Part B drug payment innovation model; a proposal to protect same-sex marriages in certain Medicare and Medicaid facilities (predating a related Supreme Court decision); a proposal to impose more stringent Medicare requirements related to the provision of orthotics and prosthetics; and a proposed rule regarding certification of compliance for health plans.  Each of the rules is withdrawn as of October 4, 2017.  Specifically:

This month the HHS Office for Civil Rights (OCR) has launched an initiative “to more widely investigate the root causes” of HIPAA breaches affecting fewer than 500 individuals, according to an August 18, 2016 OCR email announcement. While Regional Offices will retain discretion to prioritize investigation of smaller breaches, each office is directed to “increase

Immediately following Sunday’s tragic shooting at a nightclub in Orlando, friends and family frantically gathered at Orlando Regional Medical Center, attempting to get information about their loved ones.  However, hospital officials hesitated to provide specific updates.  Why?  Because the Health Insurance Portability and Accountability Act (HIPAA) and implementing regulations restrict the patient-identifiable health information that “covered entities,” like Orlando Regional Medical Center, are permitted to disclose without proper patient authorization or consent.

Shortly following the massacre, Orlando local news outlets reported that after Orlando Regional’s CEO expressed concern regarding families requesting detailed patient health information at the hospital’s emergency room, Orlando Mayor Buddy Dyer contacted the White House and requested a waiver of the HIPAA regulations.  While the HIPAA Privacy Rule is not automatically suspended during a national or public health emergency, the Secretary of the Department of Health and Human Services (HHS) may waive certain provisions of HIPAA under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act.  In order to take advantage of the waiver, the President must declare an emergency or disaster and the Secretary of HHS must declare a public health emergency.

On January 6, 2016, HHS published a final rule to modify the HIPAA Privacy Rule to expressly permit certain HIPAA covered entities to disclose to the National Instant Criminal Background Check System (NICS) the identities of individuals who are subject to a federal “mental health prohibitor” that disqualifies them from shipping, transporting, possessing, or receiving

Today HHS published a request for public comments regarding the health plan identifier (HPID), including the requirements regarding health plan enumeration, and the requirement to use the HPID in electronic health care transactions. Specifically, HHS is seeking information regarding the following:

  • The HPID enumeration structure outlined in the September 5, 2012 HPID final rule,

The Office of the National Coordinator for Health Information Technology (ONC) has released a revised Guide to Privacy and Security of Electronic Health Information. The guide is intended to help health care providers – especially those from smaller organizations – address federal health information privacy and security requirements in their practices. The new version

CMS has announced that it is delaying until further notice enforcement of its regulations pertaining to health plan enumeration and use of the Health Plan Identifier (HPID) in HIPAA transactions, which were adopted in a September 5, 2012 final rule. This enforcement delay, which is effective October 31, 2014, applies to all HIPAA covered

Two more health care companies have settled potential violations of the HIPAA Privacy and Security Rules arising from the theft of unencrypted laptops by paying a total of almost $2 million and agreeing to continued oversight by the HHS Office for Civil Rights (OCR). In both instances, the breaches were self-reported and the settlements resulted

CMS has released additional tools to help health plans, vendors, and providers prepare to demonstrate that they are compliant with Administrative Simplification Transaction Testing standards and operating rules and that they have completed end-to-end testing with their trading partners. Specifically, CMS has released payer, large provider, small provider, vendor-to-provider, and vendor-to-payer checklists to assist these

On February 6, 2014, the Department of Health & Human Services (HHS) published a final rule making changes to the Clinical Laboratory Improvement Amendments of 1988 (CLIA) and Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations to provide individuals with a greater ability to directly access their laboratory test reports. The rule

The OIG has concluded that the HHS Office for Civil Rights (OCR) is not adequately overseeing and enforcing the HIPAA Security Rule. In short, the OIG found that OCR failed to provide for periodic audits, as mandated by HITECH, to ensure that covered entities were in compliance with the Security Rule, and instead continued to

On January 7, 2014, HHS published a proposed rule that would modify the HIPAA Privacy Rule to expressly permit certain HIPAA covered entities to disclose to the FBI’s National Instant Criminal Background Check System (NICS) the identities of individuals who are prohibited under federal law from shipping, transporting, possessing, or receiving a firearm for reasons