Regulations under Section 1557 of the Affordable Care Act and HIPAA will require health plans and health care providers to take action in the coming months to meet new requirements. Health plan sponsors and providers that have not started to prepare for these new requirements should begin to take measures now. Section 1557. Final regulations under the [&hellip… Continue Reading »
Over the course of the past few months, the Office of Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC), both of which are divisions of the U.S. Department of Health and Human Services (HHS), have issued a series of new regulations and guidance related to the Health Insurance [&hellip… Continue Reading »
Summary Newly effective regulations governing confidentiality of Substance Use Disorder (SUD) records now more closely mirror regulations implementing the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and other federal law. The new measures ease the administrative burden on programs by aligning regulations governing the privacy of Part 2 SUD records with the regulatory [&hellip… Continue Reading »
Summary Providing notice of a vendor’s HIPAA breach is often difficult, but it can be particularly hard when information is delayed. Sometimes an investigation takes months to complete, and the HIPAA deadline for providing notice may have passed before a health plan or health care provider even knows who was affected by the breach and [&hellip… Continue Reading »
As we discussed in a recent webcast, there has been a surge in litigation focused on companies’ use of Meta Pixel, which is tracking code that enables the sharing of user online activity with Facebook. Recent litigation has alleged that use of Meta Pixel with online videos violates the Video Privacy Protection Act (VPPA). An even [&hellip… Continue Reading »
The U.S. Department of Health and Human Services (HHS) has released guidance to address how the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule applies to various entities’ requests for information related to an individual’s COVID-19 vaccination status. HHS emphasized that the Privacy Rule applies only to covered entities, including health plans and most [&hellip… Continue Reading »
The Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) has continued its enforcement of the privacy and security rules included in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), announcing a number of settlements of alleged violations in the first seven months of 2021. This settlement [&hellip… Continue Reading »
The new year began with an unusual amount of activity related to the Health Insurance Portability and Accountability Act (HIPAA). Health care providers, health plans, health care clearinghouses, and business associates subject to HIPAA will need to consider three significant developments—one regulatory, one legislative, and one judicial—relating to the Privacy and Security Rules under HIPAA [&hellip… Continue Reading »
Following a very quiet start in HIPAA settlement activity in 2020, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has recently announced eight settlements with covered entities and business associates. The most recent of these announcements involves the second-largest HIPAA settlement amount in OCR’s history, amounting to $6.85 million. [&hellip… Continue Reading »
The Office of Civil Rights of the U.S. Department of Health and Human Services has issued guidance clarifying how HIPAA’s Privacy Rule permits covered entities (in particular, health care providers and health plans) or their business associates to contact former COVID-19 patients about plasma donation to treat or potentially treat patients. The guidance follows the FDA’s approval of blood [&hellip… Continue Reading »
The Department of Health and Human Services has issued guidance confirming that the public health emergency brought on by the COVID-19 pandemic does not alter the restrictions that HIPAA’s Privacy Rule places on hospitals, nursing homes, and other health care providers with regard to the disclosures they may make to the media. The guidance breaks no new [&hellip… Continue Reading »
On March 20, 2020, the Office for Civil Rights (OCR) issued guidance in furtherance of its Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency. OCR issued the guidance as frequently asked questions (FAQs) published by the Department of Health and Human Services (HHS). This guidance further explains how OCR will exercise [&hellip… Continue Reading »
Telehealth Remote Communication Technology On March 17, 2020, the federal Department of Health and Human Services (HHS) announced that the Office for Civil Rights (OCR) will suspend enforcement activities and waive penalties related to certain HIPAA Security Rule provisions “during the COVID-19 nationwide public health emergency.” Specifically, OCR will waive penalties for using “everyday communications technologies” in [&hellip… Continue Reading »
The Office of Civil Rights, U.S. Department of Health and Human Services, issued an update to its February bulletin, which outlined how the HIPAA privacy rules apply in a state of emergency. The March bulletin largely reiterates the February bulletin and also sets forth a limited waiver of sanctions and penalties against covered hospitals that do not comply [&hellip… Continue Reading »
Health care providers, health plans, and others who are subject to HIPAA are sure to have questions about when they may disclose information about individuals who have contracted, or been exposed to, Coronavirus (COVID-19). To address these questions, the Office of Civil Rights, U.S. Department of Health and Human Services, issued a bulletin, reminding us [&hellip… Continue Reading »
The U.S. Department of Health and Human Services Office of Civil Rights (OCR) imposed $2,154,000 in civil monetary penalties against Jackson Health System in Florida for failing to meet HIPAA privacy and security requirements. The OCR announcement and accompanying information detail violations that include: The unauthorized access by an employee to the records of more [&hellip… Continue Reading »
With all of the attention on Health Insurance Portability and Accountability Act (HIPAA) requirements to safeguard the privacy and security of a patient’s health information, covered entities sometimes overlook the HIPAA provisions that give patients rights to their information. This includes a patient’s right to access his or her medical and billing records from providers and [&hellip… Continue Reading »
On May 6, 2019, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced an agreement with Touchstone Medical Imaging, LLC (Touchstone), settling allegations that Touchstone violated the Health Insurance Portability and Accountability Act (HIPAA) Security Rule by allowing uncontrolled public access to patients’ protected health information (PHI). Touchstone provides [&hellip… Continue Reading »
The Department of Health and Human Services has announced that it is lowering the maximum amount it will assess for most types of HIPAA violations. Although the change is couched as an exercise of discretion, HHS states that it is basing the modifications on a change in its interpretation of the penalty provisions set forth in [&hellip… Continue Reading »
After announcing that its HIPAA enforcement collections had reached a new high-water mark of $28.7 million in 2018, the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services has started this year quietly. Through the first few months of 2019, the OCR has published no resolution agreements and it is [&hellip… Continue Reading »
A relatively quiet year for HIPAA enforcement is ending with a small flourish. The Office of Civil Rights of the Department of Health and Human Services (HHS) has announced two settlements with covered entities within the span of eight days. The first settlement involved Advanced Care Hospitalists (ACH), a company that provides internal medicine physicians to [&hellip… Continue Reading »
(The following is excerpted from Ballard Spahr’s CyberAdviser blog.) The Departmental Appeals Board of the U.S. Department of Health and Human Services has granted summary judgment against the University of Texas MD Anderson Cancer Center upholding $4.3 million in penalties against the Center for violations of HIPAA’s privacy and security rules. In this case, the [&hellip… Continue Reading »
Cloud service providers that process electronic protected health information (ePHI) are business associates under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), even if the PHI is encrypted and the cloud service provider is not able to view it. This unequivocal determination, made in recent guidance by the U.S. Department of Health and [&hellip… Continue Reading »
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced an agreement with Catholic Health Services of the Archdiocese of Philadelphia (CHCS), settling allegations that CHCS violated the Health Insurance Portability and Accountability Act (HIPAA) Security Rule by failing to protect electronic protected health information (ePHI). This is the first enforcement [&hellip… Continue Reading »