The Centers for Medicare & Medicaid Services (“CMS”) and the Office of the National Coordinator for Health Information Technology (“ONC”) have released a final rule establishing “disincentives” (i.e., penalties) for health care providers that participate in certain Medicare payment programs who have engaged in information blocking, as determined by the HHS Office of Inspector General
HHS Modifies HIPAA Privacy Rule to Shield Reproductive Health Information from Third Party Access
In a final rule published on April 26, the U.S. Department of Health and Human Services (“HHS”) amends the HIPAA Privacy Rule to bolster protections for individuals’ reproductive health information. This final rule comes almost exactly a year after HHS published its draft rule on the subject.
The rule is part of the Biden administration’s effort to address the Supreme Court’s 2022 decision in Dobbs v. Jackson Women’s Health Organization. Dobbs’ reversal of Roe v. Wade resulted in a patchwork of state laws governing abortion, some of which require or permit health care providers to release personal information about reproductive health care to state authorities for patients who sought an abortion.
The rule is scheduled to take effect on June 25, 2024, and most provisions will be enforceable as of December 23, 2024. Below, we summarize in more detail some of the notable changes to the HIPAA Privacy Rule.
ONC Finalizes Information Sharing and Algorithm Transparency Rule
The Department of Health and Human Services Office of the National Coordinator for Health Information Technology (ONC) has published its first final rule on Health Data, Technology and Interoperability. The rule, known as the HTI-1 rule, takes effect on February 8, and governs updates to the ONC’s Health IT Certification Program, as well as regulations on information blocking.
The program criteria that the rule addresses include those related to decision support, electronic case reporting, and standards-based application programming interfaces (APIs). To address the question of information blocking, the rule provides refined definitions of statutory terms and identifies practices that cannot constitute information blocking because ONC considers them “reasonable and necessary.”
Patient access and big-ticket data breaches lead OCR enforcement initiatives
HIPAA enforcement actions in the past year have continued to focus on the patient right to access initiative and large scale data breaches. While most of the recent enforcement actions focused on the patient right to access initiative, two noteworthy settlements stemmed from covered entities disclosing protected health information in response to negative online reviews.
Over the past year, the types, sizes, and locations of the investigated entities varied, and the resulting settlements ranged from $3,500 to $240,000. The Department of Health and Human Services Office for Civil Rights (“OCR”) seemed to consistently impose comparatively higher settlement amounts for violations that resulted in large-scale data breaches.
Proposed changes to HIPAA highlight increased demands for third party access to reproductive health data
On Monday, April 12, 2023, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued a notice of proposed rulemaking (NPRM) to modify the HIPAA Privacy Rule to address the release of reproductive health care information to third parties for the purposes of civil, administrative, or criminal proceedings for care that is lawfully obtained.
OCR has also released a fact sheet on this NPRM. The NPRM included: (1) the addition of new protections with respect to certain information related to reproductive health care; (2) a new obligation for regulated entities to obtain “attestations” (which are different from HIPAA’s traditional authorization) before responding to requests for certain PHI related to reproductive health care; and (3) the modification of the definition of “person,” and the addition of several new definitions.
Regulators and class action plaintiffs direct attention to health care websites’ and mobile apps’ use of third-party trackers
Health care and health care-adjacent organizations are seeing a steep increase in risk arising from the frequently utilized third-party analytics and advertising services on their websites, mobile applications, patient portals, and other Internet-connected services. Those organizations should pay attention to new regulatory guidance, published settlements with regulators, and an onslaught of class action filings stemming…
HHS proposes update to Part 2 confidentiality regulations to align with HIPAA
The Department of Health and Human Services recently issued a proposed rule that would streamline the federal regulations governing the confidentiality of substance use disorder (SUD) patient records at 42 CFR Part 2 (Part 2) with the Health Insurance Portability and Accountability Act and its implementing regulations (HIPAA). Comments on the proposed rule are due to HHS by January 31, 2023.
For years, health care providers regulated by both Part 2 and HIPAA, and their patients, have wrestled with the inconsistencies across these two privacy frameworks. Part 2, for example, currently imposes different patient consent requirements and disclosure restrictions on Part 2-protected SUD treatment records (Part 2 Records) than HIPAA does, even though such records often constitute protected health information (PHI) as well. The inconsistencies (and in some cases, conflicts) between HIPAA and Part 2 requirements have created barriers to information sharing, as well as confusion and compliance challenges for entities regulated under both frameworks, which in turn have unnecessarily impeded treatment access and care coordination.
As noted in the HHS fact sheet and the press release issued by the Substance Abuse and Mental Health Services Administration (SAMHSA), the proposed rule would, if finalized, enhance care coordination, afford patients a formal right of access to their SUD records, and extend HIPAA’s breach notification standards to Part 2-regulated providers and information. The proposed rule would also allow health care providers to align internal privacy compliance programs, the importance of which is underscored by another proposal to impose the same HIPAA civil and criminal penalties on regulated providers for noncompliance with Part 2 regulations.
HHS OCR Issues Bulletin on HIPAA Compliance for Tracking Technologies
The Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services (“HHS”) recently issued a bulletin highlighting the application of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to covered entities and business associates (“Regulated Entities”) under the HIPAA Privacy, Security, and Breach Notification Rules (“HIPAA Rules”) when using online tracking technologies that collect and analyze information about how internet users interact with websites or mobile applications (“Tracking Technologies”). While the Bulletin emphasizes that Regulated Entities have always been prohibited from impermissible uses and disclosures of protected health information (“PHI”) collected through Tracking Technologies, including disclosing PHI to Tracking Technology vendors without entering into business associate agreements (“BAAs”), OCR has been relatively silent on this issue to date.
To highlight the application of HIPAA to Regulated Entities leveraging Tracking Technologies, the Bulletin provides several examples of how Tracking Technologies may collect and share PHI, including on authenticated and unauthenticated webpages, as well as mobile apps. In particular, the Bulletin describes how websites and mobile apps commonly use Tracking Technologies to collect information from users, including identifiers that are unique to users’ mobile devices. This information can then be used by the owner of a website or app, a related vendor, or a third party to gain insights about users’ online activities and to create a unique profile for each user. These insights and information can be used in beneficial ways to help improve care or the patient experience, but they can also be misused to promote misinformation and for other detrimental purposes.
In a nutshell, OCR’s Bulletin stresses that when an individual uses a Regulated Entity’s website or mobile app, information such as the individual’s medical record number, home or email address, dates of appointments, IP address, geographic location, or medical device ID may constitute PHI subject to HIPAA and should be handled by Regulated Entities accordingly. According to OCR, such information generally is PHI, even if the individual does not have an existing relationship with the Regulated Entity and even if the information does not include specific treatment or billing information like dates and types of health care services. Per OCR, this is because the information connects the individual to the Regulated Entity (i.e., it is indicative that the individual has received or will receive health care services or benefits from the covered entity), and thus relates to the individual’s past, present, or future health or health care or payment for care.
New Guidance by OCR addresses HIPAA and Disclosures of Information relating to Reproductive Health
On June 29, 2022, the U.S. Department of Health & Human Services’ Office for Civil Rights (“OCR”) issued two pieces of guidance clarifying the applicability of the Health Insurance Portability and Accountability Act (“HIPAA”) related to privacy of information connected to an individual’s reproductive health.
Through this guidance, OCR addresses both protected health information (“PHI”), which is subject to HIPAA’s rules, and general personal information that is not directly protected by HIPAA.
HHS issues Guidance on permitted HIPAA disclosures to prevent gun violence
According to the Centers for Disease Control and Prevention, firearm injuries are a serious public health problem in the United States. To combat this problem, many states have passed extreme risk protection order (“ERPO”) laws, otherwise known as “red flag laws.”
ERPO laws allow various individuals, including family members, health care providers, and law enforcement…
OCR Plans to More Widely Investigate HIPAA Breaches Affecting Fewer than 500 Individuals
This month the HHS Office for Civil Rights (OCR) has launched an initiative “to more widely investigate the root causes” of HIPAA breaches affecting fewer than 500 individuals, according to an August 18, 2016 OCR email announcement. While Regional Offices will retain discretion to prioritize investigation of smaller breaches, each office is directed to “increase…
Energy & Commerce Committee Approves Mental Health System Reform Bill
The House Energy & Commerce Committee has unanimously approved an amended version of H.R. 2646, the Helping Families in Mental Health Crisis Act, which is intended to reform the nation’s mental health care system. Among other things, the bill would: provide grants to increase access to treatment for children with mental disorders and individuals with…
SAMHSA Proposes Revisions to Substance Abuse Records Privacy Protections to Support Delivery Reform
The Substance Abuse and Mental Health Services Administration (SAMHSA) published a proposed rule on February 9, 2016 that is intended to modernize regulations governing the confidentiality of substance abuse records to ensure that patients with substance use disorders have the ability to participate in new integrated health care models that emphasize coordinated care while addressing…
OIG Calls for Stronger HIPAA Compliance Efforts
The OIG has issued two reports calling for stronger ONC oversight of covered entity compliance with HIPAA standards. In the first report, “OCR Should Strengthen Its Oversight of Covered Entities’ Compliance with the HIPAA Privacy Standards,” the OIG observes that OCR’s Privacy Rule compliance oversight is primarily reactive based on complaints since it…
HHS Releases HIPAA Security Risk Assessment Tool
HHS has developed a Security Risk Assessment (SRA) tool to help providers comply with a Health Insurance Portability and Accountability Act (HIPAA) requirement that covered entities conduct a risk assessment to ensure compliance with HIPAA’s administrative, physical, and technical safeguards and to determine where electronic protected health information could be at risk. The SRA tool is…
The HITECH Final Rule: New Privacy/Security Rules of the Road Finally Here
This post was also written by Elizabeth D. O’Brien.
On January 25, 2013, the HHS Office for Civil Rights published its long-awaited final rule implementing major changes to the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules mandated by the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH Act). Among other…
It’s Here: OCR Releases Long Awaited HIPAA/HITECH Final Rule
The Office for Civil Rights (“OCR”) of the Department of Health and Human Services released today the long awaited, and much anticipated, omnibus final rule modifying the HIPAA Privacy, Security, Breach and Enforcement Rules. The final rule, which implements the statutory requirements of the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and the Genetic Information Nondiscrimination Act (“GINA”), is comprised of four final rules and addresses the July 2010 HITECH proposed rule, the Breach Notification and Enforcement interim final rules, as well as the October 2009 GINA proposed rule (collectively, the “HITECH Final Rule”). Notably, the HITECH Final Rule does not address the May 2011 proposed accounting and access report rule.
OIG Recommends Improvements to CMS Response to Health Information Breaches
The OIG has given the CMS mixed reviews regarding the extent to which it meets American Recovery and Reinvestment Act (Recovery Act) requirements to notify affected beneficiaries when the privacy or security of their protected health information is compromised. In the report, “CMS Response to Breaches and Medical Identity Theft,” the OIG assesses…
U.S. District Court Decides Whistleblower Cannot Rely on Stolen Patient Records
Reed Smith’s Life Sciences Legal Update blog discusses a recent decision by the United States District Court for the Southern District of Ohio that may make it much harder for qui tam relators to rely upon stolen medical records or patient information in False Claims Act (“FCA”) whistleblower actions. In the decision, Cabotage v. Ohio…
GAO Examines HHS Action on Privacy and Security of Prescription Drug Data
The GAO has issued a report entitled “Prescription Drug Data: HHS Has Issued Health Privacy and Security Regulations but Needs to Improve Guidance and Oversight.” The report assesses the extent to which HHS has established a framework to ensure the privacy and security of Medicare beneficiaries’ protected health information when data on prescription…