Health and Human Services

On Friday, April 19, 2019, the Office for Civil Rights of the U.S. Department of Health and Human Services (HHS) explained in an FAQ the circumstances under which electronic health record (EHR) systems may be subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) liability for an app’s impermissible use or disclosure

The FTC has become the most recent regulator to take a closer look at ransomware and its impact on consumers. During the FTC’s September 7, 2016, Fall Technology Series on Ransomware, Chairwoman Edith Ramirez announced that the FTC will soon release guidance to businesses on how to protect against ransomware.

Ransomware is a malicious software

A small Denver pharmacy agreed to a $125,000 settlement with the U.S. Department of Health and Human Services (HHS) after HHS alleged that the pharmacy failed to dispose of paper records that contained patient information in accordance with HIPAA.

According to the Resolution Agreement, the HHS Office for Civil Rights (OCR) received a report from a local news station that the pharmacy disposed of paper records with protected health information (PHI) in a dumpster that was accessible to the public.  The Resolution Agreement also alleges that the pharmacy failed to implement written policies and procedures to comply with HIPAA, nor did the pharmacy train its workforce as to proper HIPAA protocols and procedures for handling of PHI.
Continue Reading HIPAA Settlement Follows Unsecured Paper Records Disposal

By Randall Friedland

According to a GAO report published September 16th, Healthcare.gov, the health insurance exchange rolled out last October, still has significant privacy weaknesses. Specifically, the report outlined that despite the Centers for Medicare & Medicaid Services’ (CMS) efforts to increase the security and privacy of data that it processes, maintains, and shares with both federal and commercial partners in an effort to support Healthcare.gov, “weaknesses remain both in the processes used for managing information security and privacy as well as the technical implementation of IT security controls.”


Continue Reading GAO Report Outlines Healthcare.gov’s Ongoing Privacy Issues

On March 28, HHS released new resources on risk analysis requirements under the HIPAA Security Rule.  The HIPAA Security Rule governs how electronic individually identifiable health information is maintained by covered entities and business associates.  In short, it requires covered entities and business associates to implement certain physical, administrative, and technical safeguards to protect the confidentiality and integrity of electronic protected health information (e-PHI).

A provision of the Security Rule requires covered entities and business associates to conduct a risk assessment, in which they review the safeguards currently in place and identify potential vulnerabilities in security policies, processes, and systems.  To help organizations comply with this sometimes onerous requirement, HHS has released an online template that will walk users step-by-step through the questions that must be asked as part of a required risk assessment.  HHS notes that the tool will help entities document the current state of their security system as well as develop proper risk remediation plans. Continue Reading HHS Releases New Tool to Assist with HIPAA Risk Assessments

This post is part of our series on key aspects of the final HITECH omnibus rule published by the U.S. Department of Health and Human Services (HHS) in the Federal Register on January 25, 2013. Previous posts are available here. The regulations are effective March 26, 2013, but covered entities and business associates have

This post is part of our series on key aspects of the final HITECH omnibus rule published by the U.S. Department of Health and Human Services (HHS) in the Federal Register on January 25, 2013. Previous posts are available here. The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements.

The final HITECH omnibus rule requires covered entities to add several new provisions to the Notice of Privacy Practices (“NPP”) that they distribute to patients and beneficiaries.  Generally, an NPP describes how the covered entity may use and disclose protected health information (“PHI”), an individual’s rights with respect to PHI (e.g., the right to access PHI and request restrictions on uses and disclosures), and the covered entity’s legal duties with respect to PHI (e.g., the duty to abide by the terms of the NPP).Continue Reading HITECH Update #8: New Requirements for HIPAA Notices of Privacy Practices

This post is part of our series on key aspects of the final HITECH omnibus rule issued by the U.S. Department of Health and Human Services (HHS) on January 17, 2013 (available here), and scheduled to be published in the Federal Register on January 25.  Previous posts are available here.  The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements. 

The HITECH omnibus rule establishes a new standard for determining whether an unauthorized use or disclosure of unsecured protected health information (“PHI”) is a “breach” requiring notification.   Under the current Breach Notification Rule, covered entities are required to notify individuals of a breach involving their unsecured PHI, and business associates have a corresponding obligation to notify covered entities. The current rule states that an unauthorized use or disclosure of PHI is a “breach” if it poses a significant risk of financial, reputational, or other harm to the individuals affected.

The omnibus rule replaces the “risk of harm” test with a default presumption that any acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule is a breach unless the covered entity or business associate “demonstrates that there is a low probability that the [PHI] has been compromised based on a risk assessment.”  HHS stated that the omnibus rule establishes a presumption that uses or disclosures of PHI in violation of the Privacy Rule are “breaches” because HHS believes that many covered entities and business associates have construed the existing “risk of harm” standard as setting a higher bar than HHS intended.  Covered entities and business associates now have the burden of proving that there is a “low probability” that PHI has been compromised through a risk assessment that accounts for at least the following factors:

  1.  The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the PHI or to whom the disclosure was made;
  3. Whether the PHI was actually acquired or viewed; and
  4. The extent to which the risk to the PHI has been mitigated.

All of these factors must be considered in combination.  If a covered entity or business associate determines that an unauthorized use or disclosure of PHI is not a breach, it will need to maintain documentation sufficient to overcome the presumption that PHI was compromised.  HHS suggests that these risk assessments allow for a more “objective” evaluation than the current “risk of harm” standard, and plans to provide further guidance on risk assessments that addresses “frequently occurring scenarios.”Continue Reading HITECH Update #3: HHS Revises Breach Notification Rule

This post is part of our series on key aspects of the final HITECH omnibus rule issued by the U.S. Department of Health and Human Services (HHS) on January 17, 2013 (available here), and scheduled to be published in the Federal Register on January 25.  Previous posts are available here.  The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements. 

In addition to finalizing the HIPAA regulations under HITECH, the omnibus rule finalized modifications to the HIPAA Privacy rule required by the Genetic Information Non-Discrimination Act (GINA).  GINA prohibits discrimination in employment and health insurance coverage based on a person’s genetic information.  Specifically, GINA prohibits health plans from using the genetic information of an individual, for example that he or she is predisposed to develop a certain genetic disorder or carries a specific genetic mutation, for underwriting purposes.

GINA directed HHS to make modifications to the HIPAA Privacy Rule.  In October 2009, HHS promulgated proposed rules to:

  • Clarify that genetic information is health information for purposes of PHI;
  • Prohibit health plans from using or disclosing PHI containing genetic information for underwriting purposes;
  • Revise the provisions related to the Notice of Privacy Practices for health plans that perform underwriting; and
  • Make technical corrections to update the definition of “health plan.”

The structure of the final rules issued by HHS track these proposed rules, while making some modifications to the details of the individual proposals.  We discuss each of the major aspects of the proposed rule below.Continue Reading HITECH Update #2: HHS Finalizes Privacy Rules to Protect Genetic Information