Department of Health and Human Services

The FTC has become the most recent regulator to take a closer look at ransomware and its impact on consumers. During the FTC’s September 7, 2016, Fall Technology Series on Ransomware, Chairwoman Edith Ramirez announced that the FTC will soon release guidance to businesses on how to protect against ransomware.

Ransomware is a malicious software

Today we published a post on the Covington eHealth blog regarding a recent report by the U.S. Department of Health and Human Services (HHS), Office of the National Coordinator for Health Information Technology (ONC).  The ONC report highlights “large gaps” in policies and oversight surrounding access to and security and privacy of health information held

A new post over on Covington’s eHealth blog discusses a recent enforcement action taken by the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) against Catholic Health Care Services, a business associate under HIPAA, arising out of a stolen iPhone.  This recent enforcement action should put business associates

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services has been busy.  In addition to its recent efforts to begin audits of covered entities and business associates, OCR has announced a slew of enforcement actions against covered entities for alleged HIPAA violations.

Continue Reading OCR Steps Up HIPAA Enforcement Following Breaches of Protected Health Information

A new post on the Covington eHealth blog discusses the new web-based interactive tool released by the FTC, in conjunction with HHS and the FDA, to assist mobile health app developers in navigating applicable federal laws and regulations in the areas of advertising and marketing, medical devices, and data security and privacy.  As part of

On Tuesday, February 9, the Substance Abuse and Mental Health Services Administration (SAMHSA) published a proposed rule to update regulations at 42 C.F.R. Part 2 that protect the confidentiality of alcohol and drug abuse patient records.  The regulations were originally promulgated in 1975 and last substantively updated in 1987.  SAMHSA intends for these updates to better align the regulations with advances in the U.S. health care delivery system, such as health information technology.


The regulations at 42 C.F.R. Part 2 (“Part 2 regulations”) protect the confidentiality of patient records that are maintained in connection with the performance of any federally assisted program or activity relating to substance abuse education, prevention, training, treatment, rehabilitation, or research.

The goal of the regulations is to ensure that individuals are not deterred from seeking treatment for substance abuse disorders out of concern about the potential disclosures of these records.  SAMHSA notes that unauthorized disclosure has the potential for significant negative consequences for patients, such as: loss of employment, loss of housing, loss of child custody, discrimination by medical professionals and insurers, arrest, prosecution, and incarceration.

To safeguard substance abuse treatment records, Part 2 regulations require that a patient consent to the disclosure of individually identifiable information related to diagnoses, treatment, or referrals by federally assisted substance abuse programs, except in certain limited circumstances, such as a bona fide medical emergency, for research purposes, for audit and evaluation activities, and pursuant to a court order.

SAMHSA proposes the following changes to the regulations:
Continue Reading SAMHSA Proposes Changes to Confidentiality Rules

On January 6, as part of President Obama’s executive action to combat gun violence, HHS promulgated a final regulation modifying the HIPAA Privacy Rule to allow certain HIPAA covered entities to disclose limited information to the National Instant Criminal Background Check System (NICS).  We previously discussed the proposed rule here.

Background:  The NICS, maintained by the Federal Bureau of Investigation (FBI), is the national database used to conduct background checks on persons who may be disqualified from receiving firearms based on federal or state law.  Federal law identifies several categories of potential disqualifiers, known as “prohibitors” including a federal mental health prohibitor.  By statute, the federal mental health prohibitor applies to individuals who have been committed to a mental institution or adjudicated as a mental defective.  The Department of Justice has promulgated regulations that defines these categories to include the following individuals:

  • individuals committed to a mental institution for reasons such as mental illness or drug use;
  • individuals found incompetent to stand trial or not guilty by reason of insanity, or
  • individuals who have been otherwise determined by a court, board, commission, or other lawful authority to be a danger to themselves or others or to lack the mental capacity to contract or manage their own affairs as a result of marked subnormal intelligence or mental illness, incompetency, condition, or disease.

However, there is currently no federal law that requires state agencies to report data to the NICS, including the identity of individuals who are subject to the mental health prohibitor.  HHS believes that HIPAA poses a potential barrier to such reporting. Under current law, HIPAA only permits covered entities (e.g., state mental health agencies) to disclose such information to the NICS in limited circumstances: when the entity is a “hybrid” entity under HIPAA (and the Privacy Rule does not apply to these functions) or when state law otherwise requires disclosure, and thus disclosure is permitted under HIPAA’s “required by law” category.
Continue Reading HHS Issues Final Rule on HIPAA and Firearm Background Check Reporting

A new post on Covington’s Inside Medical Devices blog discusses a new portal recently launched by HHS seeking questions from mobile health application developers.  The platform allows for individuals to both submit and review questions on the HIPAA implications of these mobile health applications.  To read the post, click here.

On September 8, 2015, sixteen federal agencies published a long-awaited Notice of Proposed Rulemaking (NPRM) to modernize the Federal Policy for the Protection of Human Subjects, known as the “Common Rule.” The proposal, available here, includes a number of changes related to privacy and data security and other changes relevant to entities seeking to conduct secondary research using collected data.
Continue Reading Proposed Rule Would Amend Federal “Common Rule” Requirements