On February 12, the U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”), published a notice requesting comment on an upcoming information request. Specifically, OCR invites comments regarding its burden estimate for a “HIPAA Audit Review Survey.” The Survey consists of “39 online survey questions” and
Continue Reading HHS OCR Requests Comments on HIPAA Audit Review Survey
Anna D. Kraus
Anna Durand Kraus advises on issues relating to the complex array of laws governing the health care industry. Her background as Deputy General Counsel to the U.S. Department of Health and Human Services (“HHS”) gives her broad experience with, and valuable insight into, the programs and issues within the purview of HHS, including Medicare, Medicaid, fraud and abuse, and HIPAA privacy and security. Anna is co-chair of the firm’s Health Care Industry practice group.
Anna regularly advises clients on Medicare reimbursement matters, particularly those arising under Part B and the Part D prescription drug benefit. She also has extensive experience with the Medicaid Drug Rebate program. She assists numerous pharmaceutical and device manufacturers, health care providers, pharmacy benefit managers, and other health care industry stakeholders to navigate the challenges and opportunities presented by the Affordable Care Act.
Anna is a trusted adviser on health information privacy, security and breach notification issues, including those arising under the Health Insurance Portability and Accountability Act ("HIPAA") and the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. Her background in this area dates back to the issuance of the original HIPAA privacy regulations.
Anna's clients depend on her to guide them through compliance with the Anti-Kickback statute, the Stark regulations, and other laws preventing fraud and abuse in the health care industry. Her deep knowledge of these laws has made her an important component of the firm’s representation of pharmaceutical companies and health care organizations under federal investigation or facing allegations under the False Claims Act. In addition, clients contemplating acquisitions in the health care sector rely on her to guide due diligence efforts.
HHS Settles Malicious Insider Cybersecurity Investigation for $4.75 Million
On February 6, the U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”), announced that it had settled a cybersecurity investigation with Montefiore Medical Center (“Montefiore”), a non-profit hospital system based in New York City, for $4.75 million. As brief background, OCR is responsible for administering and enforcing the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively, “HIPAA”). Among other things, HIPAA requires that regulated entities take steps to protect the privacy and security of patients’ protected health information (“PHI”).
California Enacts Amendments to the CMIA
In a new post on the Covington Digital Health blog, our colleagues discuss recent amendments to California’s Confidentiality of Medical Information Act (“CMIA”) that (i) expand the scope of the law to cover reproductive or sexual health services that are delivered through digital health solutions and the…
FTC and HHS Announce Updated Health Privacy Publication
On September 15, the Federal Trade Commission (“FTC”) and U.S. Department of Health and Human Services (“HHS”) announced an updated joint publication describing the privacy and security laws and rules that impact consumer health data. Specifically, the “Collecting, Using, or Sharing Consumer Health Information? Look to HIPAA, the FTC Act, and the Health Breach Notification Rule” guidance provides an overview of the Health Insurance Portability and Accountability Act, as amended, and the implementing regulations issued by HHS (collectively “HIPAA”); the FTC Act; and the FTC’s Health Breach Notification Rule (“HBNR”) and how they may apply to businesses. This joint guidance follows a recent surge of FTC enforcement in the health privacy space. We offer below a high-level summary of the requirements flagged by the guidance.
FTC Announces a Notice of Proposed Rulemaking to Expand Scope of the Health Breach Notification Rule
On May 18, 2023, the Federal Trade Commission (“FTC”) announced a notice of proposed rulemaking (the “proposed rule”) to “strengthen and modernize” the Health Breach Notification Rule (“HBNR”). The proposed rule builds on the FTC’s September 2021 “Statement of the Commission on Breaches by Health Apps and Other Connected Devices” (“Policy Statement”), which took a broad approach to when health apps and connected devices are covered by the HBNR and when there is a “breach” for purposes of the HBNR. The proposed rule primarily would (i) amend many definitions that are central to the scope of the HBNR (e.g., “breach of security,” “health care provider,” and “personal health record”), and (ii) authorize expanded means for providing notice to consumers of a breach and require additional notice content. According to the FTC, these changes to the HBNR would ensure the HBNR “remains relevant in the face of changing business practices and technological developments.” Below, we provide a brief summary of the history of the HBNR leading up to this proposed rule, a brief summary of the proposed rule, and a timeline for commenting.
FTC Announces Second Enforcement Action Under Health Breach Notification Rule Against Fertility App Developer Easy Healthcare
On May 17, the Federal Trade Commission (“FTC”) announced an enforcement action against Easy Healthcare Corporation (“Easy Healthcare”) alleging that it shared users’ sensitive personal information and health information with third parties contrary to its representations and without users’ affirmative express consent, in violation of Section 5 of the FTC Act. It also alleges that Easy Healthcare failed to notify consumers of these unauthorized disclosures, in violation of the Health Breach Notification Rule (“HBNR”). According to the proposed order, Easy Healthcare will pay a $100,000 civil penalty for violating the HBNR and, among other requirements, will be permanently prohibited from sharing users’ personal health data with third parties for advertising purposes. The FTC also noted that Easy Healthcare will pay a total of $100,000 to Connecticut, the District of Columbia, and Oregon for violating their laws.
HHS Issues Notice of Proposed Rulemaking on HIPAA and the Use and Disclosure of Information Related to Reproductive Health Care
On April 17, the Office for Civil Rights (“OCR”) at the U.S. Department of Health & Human Services (“HHS”) published a notice of proposed rulemaking that would revise the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule to bar certain uses and disclosures of protected health information (“PHI”) related to reproductive health care. Specifically, the proposed rule (“Rule”) would amend the Privacy Rule to prohibit covered entities or business associates (collectively, “regulated entities”) from using or disclosing PHI for purposes of (1) criminal, civil, or administrative investigations into or proceedings against any person in connection with seeking, obtaining, providing, or facilitating lawful reproductive health care, or (2) the identification of any person for the purpose of initiating such investigations or proceedings.
The Rule appears to be designed to further President Biden’s executive order directing HHS to consider actions that would “strengthen the protection of sensitive information related to reproductive healthcare services and bolster patient-provider confidentiality.” President Biden issued the order in the wake of the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization.
Below, we provide a brief summary of the proposed changes and a timeline for commenting.
HHS Issues Notice of Expiration of COVID-19 HIPAA Enforcement Discretion
On April 11, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced that four Notifications of Enforcement Discretion (“Notifications”) that were issued under the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively, “HIPAA”) during the COVID-19 pandemic will expire on May 11, 2023. In response to the COVID-19 Public Health Emergency, OCR announced it would exercise enforcement discretion with respect to noncompliance with certain provisions of HIPAA. Now that the public health emergency is set to expire, OCR is rescinding the relevant Notifications. Below, we summarize the four Notifications that are set to expire:
Washington’s My Health My Data Act Passes State Senate
Washington’s My Health My Data Act (“HB 1155” or the “Act”), which would expand privacy protections for the health data of Washington consumers, recently passed the state Senate after advancing through the state House of Representatives. Provided that the House approves the Senate’s amendments, the Act could head to the governor’s desk for signature in the coming days and become law. The Act was introduced in response to the United States Supreme Court’s Dobbs decision overturning Roe v. Wade. If enacted, the Act could dramatically affect how companies treat the health data of Washington residents.
This blog post summarizes a few key takeaways in the statute.
HHS Releases Guidance to Help Healthcare Organizations Align with the NIST Cybersecurity Framework
On March 8, 2023, the United States Department of Health and Human Services (“HHS”), through the Administration for Strategic Preparedness and Response and the Health Sector Coordinating Council Joint Cybersecurity Working Group, released an updated version of its Cybersecurity Framework Implementation Guide (the “Guide”) “to help the public and private health care sectors prevent cybersecurity incidents.” Specifically, the Guide aims to help healthcare organizations leverage the NIST Cybersecurity Framework to “determine their cybersecurity goals, assess their current cybersecurity practices, or lack thereof, and help identify gaps for remediation.”