Over the course of the past few months, the Office of Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC), both of which are divisions of the U.S. Department of Health and Human Services (HHS), have issued a series of new regulations and guidance related to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The Upshot

  • OCR issued a final rule that modifies HIPAA to support reproductive health care privacy.
  • OCR issued new guidance which clarifies and revises how the HIPAA rules apply to a Regulated Entity’s use of tracking technologies, although a recent court decision struck down a significant portion of that guidance.
  • OCR published frequently asked questions to address notice and breach procedure questions related to the Change Healthcare cyber attack.
  • ONC issued a final rule that requires Health IT Modules to provide an “internet-based method” for an individual to request a restriction on the use or disclosure of their PHI.

The Bottom Line

Covered entities under HIPAA (including employer-sponsored health benefit plans), as well as their business associates, should be aware of these new rules and guidance in order to maintain compliance with HIPAA. Attorneys in Ballard Spahr’s Health Care Industry Group are continuously tracking the developments and are available for counsel.

In the first half of 2024, OCR and ONC have issued rules and guidance related to HIPAA on four topics of importance to health plans, health care clearinghouses, and health care providers that are subject to HIPAA, as well as their business associates (collectively “Regulated Entities”).

Reproductive Health Care Privacy Final Rule

On April 22, 2024, OCR issued a final rule to modify HIPAA to support reproductive health care privacy. The final rule makes a number of significant changes to the HIPAA regulations. For example, the new rule:

  • Prohibits the use or disclosure of Reproductive Health Care Information (RHI) by Regulated Entities for the purpose of investigating or imposing liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it was provided, or to identify any person for such purposes. These prohibited purposes include, but are not limited to, law enforcement investigations, third-party investigations in furtherance of civil proceedings, state licensure proceedings, criminal prosecutions, and family law proceedings.
  • Requires Regulated Entities to obtain a signed attestation that certain requests, including subpoenas, for RHI are not for these prohibited purposes.
  • Requires Regulated Entities to modify their Notice of Privacy Practices to address reproductive health care privacy.
  • Includes a presumption that reproductive care is, for HIPAA purposes, presumed to be legal unless the Regulated Entity has “actual knowledge” that the care was not lawful under the circumstances.

Compliance is required by Dec. 23, 2024, except for required updates to the Notice of Privacy Practices that are required by Feb. 16, 2026.

OCR Guidance Regarding the Use of Tracking Technologies

On March 18, 2024, OCR issued new guidance on how the HIPAA rules apply to a Regulated Entity’s use of third-party tracking technologies, such as cookies and pixels. The new publication updates guidance that OCR originally published on these technologies in December 2022 and includes a number of significant revisions and clarifications. For example, the new guidance:

  • Clarifies that not all data elements collected by website tracking technologies constitute PHI. In order to constitute PHI, the information must be related to an individual’s past, present, or future health, health care, or payment for health care.
  • Suggests an alternative solution for dealing with a technology vendor who will not sign a Business Associate Agreement (BAA): the Regulated Entity can establish a BAA with a Customer Data Platform vendor, who would then de-identify online tracking information that includes PHI. The Customer Data Platform vendor can then only disclose de-identified information to tracking technology vendors.
  • Emphasizes that OCR is going to prioritize compliance with the HIPAA Security Rule in investigations into the use of online tracking technologies.

However, on June 20, 2024, the U.S. District Court for the Northern District of Texas vacated a significant portion of OCR’s tracking technology guidance on the grounds that it exceeded OCR’s statutory authority under HIPAA. Specifically, the court stated that metadata from a user’s search of a provider’s public-facing web page does not meet the definition of “individually identifiable health information” under HIPAA. As of now, the tracking technology guidance is still on the HHS website, but HHS has stated that it is evaluating its next steps in light of this recent decision.

OCR Updates and FAQs Regarding the Change Healthcare Cyber Attack

On April 19, 2024, OCR published a webpage with frequently asked questions (FAQs) concerning the Change Healthcare (a unit of UnitedHealth Group (UHG)) cybersecurity incident which occurred in late February 2024. OCR then updated the FAQs on May 31, 2024, to address additional concerns. In summary, the FAQs explain that:

  • OCR has initiated an investigation into the Change Healthcare cybersecurity incident to determine whether a breach of unsecured PHI occurred and into Change Healthcare’s and UHG’s compliance with the HIPAA Rules.
  • OCR’s investigation is not prioritizing the investigation of covered entities and business associates engaged with Change Healthcare and UHG. However, the guidance reminds these other entities of their obligation to have BAAs in place and to make sure that timely breach notifications to HHS and the affected individuals are provided if and when they receive notice from Change Healthcare.
  • If a covered entity receives notice that it has been affected by a breach by Change Healthcare, it may delegate to Change Healthcare the task of providing the required HIPAA breach notifications on its behalf. Only one entity – which could be the covered entity itself, UHG, or Change Healthcare – needs to complete breach notifications to affected individuals and HHS, and a covered entity and Change Healthcare may cooperatively satisfy any breach obligations under HIPAA.

Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing Final Rule

On February 8, 2024, ONC issued a final rule that, in part, supports the HIPAA Privacy Rule. Under the HIPAA Privacy Rule, covered entities are required to allow individuals to request a restriction on the use or disclosure of their PHI for treatment, payment, or health care operations and to have policies in place by which to accept or deny such requests. However, the HIPAA Privacy Rule does not specify a particular process to be used by individuals to make such requests or for the entity to accept or deny the request. In guidance that addresses various technical standards applicable to electronic health information, the ONC sets forth a standard that requires Health IT Modules to support an internet-based method for an individual to request such a restriction.

The authors express their thanks to Summer Associate Sofia E. Reed for her efforts in the preparation of this Briefing.