Senator Bill Cassidy (R-LA), the Ranking Member of the U.S. Senate Health, Education, Labor, and Pensions (“HELP”) Committee, published on February 21, 2024, a white paper with various proposals to update privacy protections for health data. In Part 1 of this blog series (see here), we discussed the first section of Senator Cassidy’s February 21, 2024, white paper. Specifically, we summarized Senator Cassidy’s proposals on how to update the existing framework of the Health Insurance Portability and Accountability Act, as amended, and its implementing regulations (collectively, “HIPAA”) without disrupting decades of case law and precedent. In this blog post, we discuss the other sections of the white paper, namely proposals to protect other sources of health data not currently covered by HIPAA.

Continue Reading Senator Cassidy Issues White Paper with Proposals to Update Health Data Privacy Framework – Part 2: Safeguarding Health Data Not Covered by HIPAA

On February 21, 2024, Senator Bill Cassidy (R-LA), the Ranking Member of the U.S. Senate Health, Education, Labor, and Pensions (“HELP”) Committee, issued a white paper, “Strengthening Health Data Privacy for Americans: Addressing the Challenges of the Modern Era”, which proposes several updates to the privacy protections for health data. This follows Senator Cassidy’s September 2023 request for information from stakeholders about how to enhance health data privacy protections covered by the Health Insurance Portability and Accountability Act (“HIPAA”) framework and to consider privacy protections for other sources of health data not currently covered by HIPAA. The white paper notes that several entities, including trade associations, hospitals, health technology companies, and think tanks, responded to the RFI.

Continue Reading Senator Cassidy Issues White Paper with Proposals to Update Health Data Privacy Framework – Part 1: Updates to the HIPAA Framework

On February 16, 2024, the U.S. Department of Health and Human Services (“HHS”) published a final rule to amend the Confidentiality of Substance Use Disorder (“SUD”) Patient Records regulations (“Part 2”) to more closely align Part 2 with the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively, “HIPAA”) as required by Section 3221 of the 2020 Coronavirus Aid, Relief, and Economic Security Act (“CARES Act”).  We previously covered the proposed rule (hereinafter, “the NPRM”), which was issued on December 2, 2022.

The final rule, issued through the Office for Civil Rights (“OCR”) and the Substance Abuse and Mental Health Services Administration (“SAMHSA”), increases alignment between certain Part 2 requirements and HIPAA and it clarifies certain existing Part 2 permissions and restrictions to improve the ability of entities to use and disclose Part 2 records. According to HHS, this final rule will decrease burdens on patients and providers, improve coordination of care and access to care and treatment, and protect the confidentiality of treatment records.

Key provisions of the final rule include:

  • Patient Consent: The final rule allows a single Part 2-compliant consent to suffice for all future uses and disclosures for treatment, payment, and health care operations (as defined under HIPAA) (“TPO”). It also permits HIPAA covered entities and business associates that receive records under this consent to redisclose the records in accordance with HIPAA except in legal proceedings against the patient.

The final rule implements other requirements for a patient consent. Among other things, it prohibits combining a patient’s consent for the use and disclosure of Part 2 records for civil, criminal, administrative, or legislative proceedings with consent for any other use or disclosure. The final rule also requires that each disclosure made with patient consent include a copy of the consent or a clear explanation of the scope of the consent.

  • SUD Counseling Notes: The final rule creates a new definition for SUD counseling notes and requires specific consent from an individual to use or disclose these notes. This definition and heightened protection are meant to mirror HIPAA protections for psychotherapy notes.
  • No Requirement to Segregate Part 2 Data: The final rule adds an express statement that Part 2 programs, covered entities, and business associates that receive patient records based on a single patient consent for TPO are not required to segregate or segment those records.
  • Public Health Disclosures: The final rule permits disclosure to public health authorities without patient consent, provided that the records are first de-identified in accordance with HIPAA.
  • Breach Notification: The final rule aligns the notification requirements for breaches of records by Part 2 programs with the HIPAA Breach Notification Rule.
  • Patient Rights: The final rule provides patients with additional rights similar to those under HIPAA. Specifically, a patient has the rights to (i) file a complaint directly with the Secretary for an alleged violation of Part 2, (ii) obtain an accounting of disclosures, (iii) request certain restrictions of disclosures, and (iv) opt out of receiving fundraising communications.
  • Patient Notice: The final rule modifies Part 2 patient notice requirements to more closely align with those for HIPAA Notice of Privacy Practices.
  • Enforcement: The final rule also replaces the criminal penalties for a violation of Part 2 with the civil and criminal enforcement authorities that apply to HIPAA violations, including civil monetary penalties.

The final rule does not include the CARES Act antidiscrimination provisions that prohibit the use of patients’ Part 2 records against them; HHS will implement these provisions in a separate rulemaking. An upcoming final rule from OCR will finalize certain changes to the HIPAA Privacy Rule to address uses and disclosures of protected health information that is also protected by Part 2. The rule will become effective on April 16, 2024. Compliance with the rule is required by February 16, 2026.

On February 12, the U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”), published a notice requesting comment on an upcoming information request.  Specifically, OCR invites comments regarding its burden estimate for a “HIPAA Audit Review Survey.”  The Survey consists of “39 online survey questions” and will be sent to “207 covered entities and business associates that participated in the 2016-2017 OCR HIPAA Audits.”  The Survey aims to help OCR determine the 2016-2017 HIPAA Audits’ efficacy in assessing the HIPAA compliance efforts of covered entities.  Specifically, the Survey will:

  • Measure the effect of the 2016-2017 HIPAA Audits on covered entities’ and business associates’ subsequent actions to comply with HIPAA;
  • Give entities an opportunity to provide feedback on the Audit, including whether the Audit helped improve HIPAA compliance;
  • Provide OCR with information on the burden imposed on entities to collect audit-related documents and to respond to audit-related questions; and
  • Seek feedback on the effect of the HIPAA Audit program on entities’ day-to-day business operations.

The information collected in response to the Survey will “be used to improve future OCR HIPAA audits.”  Comments on the HIPAA Audit Review Survey must be received by April 12, 2024.  This information request may be an indication that OCR is planning to reinvigorate its program to conduct periodic audits of covered entities and business associates to assess their level of HIPAA compliance.

On April 17, the Office for Civil Rights (“OCR”) at the U.S. Department of Health & Human Services (“HHS”) published a notice of proposed rulemaking that would revise the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule to bar certain uses and disclosures of protected health information (“PHI”) related to reproductive health care.  Specifically, the proposed rule (“Rule”) would amend the Privacy Rule to prohibit covered entities or business associates (collectively, “regulated entities”) from using or disclosing PHI for purposes of (1) criminal, civil, or administrative investigations into or proceedings against any person in connection with seeking, obtaining, providing, or facilitating lawful reproductive health care, or (2) the identification of any person for the purpose of initiating such investigations or proceedings.

The Rule appears to be designed to further President Biden’s executive order directing HHS to consider actions that would “strengthen the protection of sensitive information related to reproductive healthcare services and bolster patient-provider confidentiality.”  President Biden issued the order in the wake of the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization.

Below, we provide a brief summary of the proposed changes and a timeline for commenting.

Continue Reading HHS Issues Notice of Proposed Rulemaking on HIPAA and the Use and Disclosure of Information Related to Reproductive Health Care

On April 11, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced that four Notifications of Enforcement Discretion (“Notifications”) that were issued under the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively, “HIPAA”) during the COVID-19 pandemic will expire on May 11, 2023.  In response to the COVID-19 Public Health Emergency, OCR announced it would exercise enforcement discretion with respect to noncompliance with certain provisions of HIPAA.  Now that the public health emergency is set to expire, OCR is rescinding the relevant Notifications.  Below, we summarize the four Notifications that are set to expire:

Continue Reading HHS Issues Notice of Expiration of COVID-19 HIPAA Enforcement Discretion

In a new post on the Covington Digital Health blog, our colleagues discuss a recently issued proposed rule to implement statutory amendments enacted by Section 3221 of the 2020 Coronavirus Aid, Relief, and Economic Security Act (“CARES Act”).  Specifically, the proposed rule would harmonize certain provisions of the Confidentiality of Substance Use Disorder Patient Records under 42 C.F.R. Part 2 (“Part 2”) with the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively, “HIPAA”).  The post highlights specific sections of the proposed rule that would modify Part 2 in accordance with the CARES Act.

In a new post on the Covington Digital Health blog, our colleagues discuss the proposed rule issued by the Office for Civil Rights of the U.S. Department of Health and Human Services to modify the Privacy Rule promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”).  Proposed modifications to the HIPAA Privacy Rule include strengthening individuals’ right to access their protected health information (“PHI”), including electronic PHI; facilitating greater family involvement in care for individuals dealing with health crises or emergencies; and allowing providers more flexibility to disclose PHI when harm to a patient is “serious and reasonably foreseeable,” such as during the opioid crisis or the COVID-19 public health emergency.  Importantly, multiple provisions of the proposed rule, discussed in greater detail in the post, address electronic health records (“EHRs”) and personal health applications.

On September 1, the California legislature passed AB 713, a bill that creates a new healthcare-related exemption under the California Consumer Privacy Act of 2018 (“CCPA”).  All provisions of the bill will take effect immediately to prevent the CCPA from “negatively impact[ing] certain health-related information and research,” except for the required contractual provisions described below.

Under the new exemption, information is not subject to the CCPA’s obligations if it meets both of the following requirements:

Continue Reading California Legislature Adopts CCPA Exemption for Information Deidentified in Accordance with the HIPAA Privacy Rule

This month, the U.S. Department of Health and Human Services (“HHS”) issued guidance waiving enforcement of certain provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) in response to the COVID-19 nationwide public health emergency.

Continue Reading HHS Relaxes Enforcement of Certain HIPAA Provisions Amidst COVID-19 Nationwide Public Health Emergency