On April 17, the Office for Civil Rights (“OCR”) at the U.S. Department of Health & Human Services (“HHS”) published a notice of proposed rulemaking that would revise the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule to bar certain uses and disclosures of protected health information (“PHI”) related to reproductive health care.  Specifically, the proposed rule (“Rule”) would amend the Privacy Rule to prohibit covered entities or business associates (collectively, “regulated entities”) from using or disclosing PHI for purposes of (1) criminal, civil, or administrative investigations into or proceedings against any person in connection with seeking, obtaining, providing, or facilitating lawful reproductive health care, or (2) the identification of any person for the purpose of initiating such investigations or proceedings.

The Rule appears to be designed to further President Biden’s executive order directing HHS to consider actions that would “strengthen the protection of sensitive information related to reproductive healthcare services and bolster patient-provider confidentiality.”  President Biden issued the order in the wake of the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization

Below, we provide a brief summary of the proposed changes and a timeline for commenting.

Continue Reading HHS Issues Notice of Proposed Rulemaking on HIPAA and the Use and Disclosure of Information Related to Reproductive Health Care

On April 11, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced that four Notifications of Enforcement Discretion (“Notifications”) that were issued under the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively, “HIPAA”) during the COVID-19 pandemic will expire on May 11, 2023.  In response to the COVID-19 Public Health Emergency, OCR announced it would exercise enforcement discretion with respect to noncompliance with certain provisions of HIPAA.  Now that the public health emergency is set to expire, OCR is rescinding the relevant Notifications.  Below, we summarize the four Notifications that are set to expire:

Continue Reading HHS Issues Notice of Expiration of COVID-19 HIPAA Enforcement Discretion

In a new post on the Covington Digital Health blog, our colleagues discuss recently issued proposed rule to implement statutory amendments enacted by Section 3221 of the 2020 Coronavirus Aid, Relief, and Economic Security Act (“CARES Act”).  Specifically, the proposed rule would harmonize certain provisions of the Confidentiality of Substance Use Disorder Patient Records under 42 C.F.R. Part 2 (“Part 2”) with the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively, “HIPAA”).   The post highlight specific sections of the proposed rule that would modify Part 2 in accordance with the CARES Act.

In a new post of the Covington Digital Health blog, our colleagues discuss the proposed rule issued by the Office for Civil Rights of the U.S. Department of Health and Human Services to modify the Privacy Rule promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”).  Proposed modifications to the HIPAA Privacy Rule include strengthening individuals’ right to access their protected health information (“PHI”), including electronic PHI; facilitating greater family involvement in care for individuals dealing with health crises or emergencies; and allowing providers more flexibility to disclose PHI when harm to a patient is “serious and reasonably foreseeable,” such as during the opioid crisis or COVID-19 public health emergency.  Importantly, multiple provisions of the proposed rule, discussed in greater detail in the post, address electronic health records (“EHRs”) and personal health applications.

On September 1, the California legislature passed AB 713, a bill that creates a new healthcare-related exemption under the California Consumer Privacy Act of 2018 (“CCPA”).  All provisions of the bill will take effect immediately to prevent the CCPA from “negatively impact[ing] certain health-related information and research,” except for the required contractual provisions described below.

Under the new exemption, information is not subject to the CCPA’s obligations if it meets both of the following requirements: Continue Reading California Legislature Adopts CCPA Exemption for Information Deidentified in Accordance with the HIPAA Privacy Rule

This month, the U.S. Department of Health and Human Services (“HHS”) issued guidance waiving enforcement of certain provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) in response to the COVID-19 nationwide public health emergency. Continue Reading HHS Relaxes Enforcement of Certain HIPAA Provisions Amidst COVID-19 Nationwide Public Health Emergency

On April 30, 2019, the Department of Health and Human Services (HHS) published in the Federal Register a notification of enforcement discretion indicating that it will lower the annual Civil Money Penalty (CMP) limits for three of the four penalty tiers in the Health Information Technology for Economic and Clinical Health Act (HITECH Act).  The HITECH Act categorizes violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in four tiers based on the violators’ level of culpability for the violation: the person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision (Tier 1); the violation was due to reasonable cause, and not willful neglect (Tier 2); the violation was due to willful neglect that is timely corrected (Tier 3); and the violation was due to willful neglect that is not timely corrected (Tier 4).

The maximum penalty per violation for all four tiers was previously $1.5 million.  HHS’s new policy states that the annual penalty limit for Tier 1 violations has now been decreased from $1.5 million to $25,000.  The new annual penalty limits for Tier 2 and 3 violations are now $100,000 and $250,000, respectively.  The penalty limit for Tier 4 violations will remain at $1.5 million. Continue Reading HHS Updates Maximum Annual Penalty Limits for Some HIPAA Violations

On Friday, April 19, 2019, the Office for Civil Rights of the U.S. Department of Health and Human Services (HHS) explained in an FAQ the circumstances under which electronic health record (EHR) systems may be subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) liability for an app’s impermissible use or disclosure of electronic protected health information (ePHI).  As long as the app is independent of the covered entity and its EHR system and is instead controlled by the individual patient, the covered entity and its EHR system have no HIPAA liability once ePHI is delivered to the app at the patient’s request.

In its FAQ, HHS specified that if, at the request of a patient, a HIPAA covered entity’s EHR system transfers ePHI to an app that is not developed by or specifically provided to the covered entity by the EHR system, neither the covered entity nor the EHR system developer would face HIPAA liability for the app’s subsequent impermissible use or disclosure of the information.  But if an EHR system transfers patient data from a covered entity to an app that the EHR system provides “through, or on behalf of, the covered entity (directly or through another business associate)” and either owns the app or has a business relationship with the app developer, the EHR system developer may be subject to HIPAA liability for subsequent impermissible use or disclosure of the ePHI.

This attempt to clarify the boundaries of HIPAA liability will likely be welcomed by a wide range of covered entities, EHR systems, and developers of apps that process ePHI, including apps that connect patients with doctors, pharmacy apps, and apps that focus on fertility, mental health, smoking cessation, and more.  Patients, on the other hand, should be aware that the information being collected by an app (which can be substantial and sensitive, depending on the nature of the app) has no protection under HIPAA unless the app was offered to them by a covered entity as part of its overall EHR system.

The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) announced that 2018 was an all-time record year for Health Insurance Portability and Accountability Act (“HIPAA”) enforcement activity.   Enforcement actions in 2018 resulted in the assessment of  $28.7 million in civil money penalties.  Enforcement activity focused primarily on breaches of electronic protected health information (ePHI).

Under 45 C.F.R. 164.308, a covered entity must conduct “accurate and thorough assessment[s] of the potential risks and vulnerabilities . . . of [ePHI].”  The final settlement of the year occurred in December 2018. In that settlement, Cottage Health agreed to pay $3 million to OCR and agreed to adopt a corrective action plan to remedy violations of the HIPAA Rules. The alleged violations pertained to December 2013 and December 2015 compromises of unsecured ePHI that implicated data of over 62, 500 individuals. The ePHI breached included patient names, addresses, dates of birth, Social Security numbers, diagnoses, conditions, lab results, and other treatment information.  OCR concluded that Cottage Health failed to conduct risk assessments and failed to implement security measures to reduce vulnerabilities.  In September 2018, OCR settled with Advanced Care Hospitals (ACH), a contractor physician group, for $500,000 after ACH reported that ACH patient information was viewable on a medical billing services’ website.  The OCR investigation revealed that ACH lacked the required business associate agreement with the billing service provider, that it had not conducted a risk assessment, and that it had not implemented security measures or HIPAA policies or procedures before 2014.  And, in October 2018, Anthem, Inc. paid $16 million (the largest HIPAA penalty ever assessed by OCR) after the largest health data breach in history.  Anthem discovered that malicious actors accessed its network through undetected, continuous and targeted attacks to extract data and had infiltrated the system through spear phishing emails.

Another enforcement theme in 2018 focused on physical theft of PHI or devices containing ePHI.  In January 2018, OCR settled with a medical records maintenance, storage, and delivery services provider, Filefax, Inc., after finding that Filefax left PHI in an unlocked truck in the Filefax parking lot and granted permission to unauthorized individuals to remove PHI.   Additionally, in June 2018, an Administrative Law Judge ruled in favor of OCR and required the University of Texas MD Anderson Cancer Center to pay $4.3 million in civil penalties for HIPAA violations after a theft of an unencrypted laptop from the residence of an employee and the loss of two USB thumb drives.

OCR’s record-breaking enforcement activities in 2018 serve as a reminder to covered entities and business associates to conduct frequent and meaningful assessment of the security of any PHI they hold, to swiftly remediate any vulnerabilities discovered, and to carefully document the assessment, remediation, and general HIPAA policies and procedures.

This blog post is part of our ongoing coverage of HIPAA issues, which includes, among others:

The beginning of 2017 has brought a number of HIPAA enforcement actions involving covered entities. These enforcement actions indicate that HHS is continuing recent efforts to step up HIPAA enforcement and levy significant penalties for non-compliance.

  • In January, HHS announced that it had reached a $475,000 settlement with a large health care network for failure to make timely required breach notifications as required by the HIPAA Breach Notification Rule. This is the first settlement HHS has reached based on the untimely reporting or notification of a breach. HHS found that the network failed to notify HHS, the affected individuals, and the media within the required 60-day timeframe. Instead, the network made these notifications over 100 days after discovery of the breach. HHS found that the delay was a result of “miscommunications between . . . workforce members.” Under the regulation, each day on which the network failed to make the required notifications could be penalized as a separate violation of HIPAA.
  • In January, HHS announced a $2.2 million settlement with a health insurance company after the company filed a breach report indicating that a portable USB device, which contained the PHI of over 2,000 individuals, had been stolen. An HHS investigation found that the company had not conducted a risk analysis, as required by the HIPAA Security Rule, and had not implemented appropriate risk management to safeguard electronic PHI. Furthermore, the company lacked adequate encryption on its laptops and removable storage media.

Continue Reading HHS Announces More HIPAA Enforcement Actions