On April 17, the Office for Civil Rights (“OCR”) at the U.S. Department of Health & Human Services (“HHS”) published a notice of proposed rulemaking that would revise the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule to bar certain uses and disclosures of protected health information (“PHI”) related to reproductive health care.  Specifically, the proposed rule (“Rule”) would amend the Privacy Rule to prohibit covered entities or business associates (collectively, “regulated entities”) from using or disclosing PHI for purposes of (1) criminal, civil, or administrative investigations into or proceedings against any person in connection with seeking, obtaining, providing, or facilitating lawful reproductive health care, or (2) the identification of any person for the purpose of initiating such investigations or proceedings.

The Rule appears to be designed to further President Biden’s executive order directing HHS to consider actions that would “strengthen the protection of sensitive information related to reproductive healthcare services and bolster patient-provider confidentiality.”  President Biden issued the order in the wake of the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization

Below, we provide a brief summary of the proposed changes and a timeline for commenting.

Continue Reading HHS Issues Notice of Proposed Rulemaking on HIPAA and the Use and Disclosure of Information Related to Reproductive Health Care

On April 11, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced that four Notifications of Enforcement Discretion (“Notifications”) that were issued under the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively, “HIPAA”) during the COVID-19 pandemic will expire on May 11, 2023.  In response to the COVID-19 Public Health Emergency, OCR announced it would exercise enforcement discretion with respect to noncompliance with certain provisions of HIPAA.  Now that the public health emergency is set to expire, OCR is rescinding the relevant Notifications.  Below, we summarize the four Notifications that are set to expire:

Continue Reading HHS Issues Notice of Expiration of COVID-19 HIPAA Enforcement Discretion

On March 8, 2023, the United States Department of Health and Human Services (“HHS”), through the Administration for Strategic Preparedness and Response and the Health Sector Coordinating Counsel Joint Cybersecurity Working Group, released an updated version of its Cybersecurity Framework Implementation Guide (the “Guide”) “to help the public and private health care sectors prevent cybersecurity incidents.”  Specifically, the Guide aims to help healthcare organizations leverage the NIST Cybersecurity Framework to “determine their cybersecurity goals, assess their current cybersecurity practices, or lack thereof, and help identify gaps for remediation.”  

Continue Reading HHS Releases Guidance to Help Healthcare Organizations Align with the NIST Cybersecurity Framework

In a new post on the Covington Digital Health blog, our colleagues discuss recently issued proposed rule to implement statutory amendments enacted by Section 3221 of the 2020 Coronavirus Aid, Relief, and Economic Security Act (“CARES Act”).  Specifically, the proposed rule would harmonize certain provisions of the Confidentiality of Substance Use Disorder Patient Records under

On April 30, 2019, the Department of Health and Human Services (HHS) published in the Federal Register a notification of enforcement discretion indicating that it will lower the annual Civil Money Penalty (CMP) limits for three of the four penalty tiers in the Health Information Technology for Economic and Clinical Health Act (HITECH Act).  The HITECH Act categorizes violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in four tiers based on the violators’ level of culpability for the violation: the person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision (Tier 1); the violation was due to reasonable cause, and not willful neglect (Tier 2); the violation was due to willful neglect that is timely corrected (Tier 3); and the violation was due to willful neglect that is not timely corrected (Tier 4).

The maximum penalty per violation for all four tiers was previously $1.5 million.  HHS’s new policy states that the annual penalty limit for Tier 1 violations has now been decreased from $1.5 million to $25,000.  The new annual penalty limits for Tier 2 and 3 violations are now $100,000 and $250,000, respectively.  The penalty limit for Tier 4 violations will remain at $1.5 million.
Continue Reading HHS Updates Maximum Annual Penalty Limits for Some HIPAA Violations

On April 19, 2019, the Department of Health and Human Services (HHS) announced a 30-day extension, until June 3, 2019, to the comment period for two rules proposed by the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC).

The CMS proposed rule aims to

On Friday, April 19, 2019, the Office for Civil Rights of the U.S. Department of Health and Human Services (HHS) explained in an FAQ the circumstances under which electronic health record (EHR) systems may be subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) liability for an app’s impermissible use or disclosure

Hospitals and other health care organizations are attractive targets for cyber-attacks, in part because their databases contain medical records and other sensitive information. Breaches of this information could have very serious implications for patients.  Moreover, electronics connected to a health care facility’s network keep people alive, distribute medicines, and monitor vital signs. As a result, disruption to the operations of health care facilities could pose a very real risk to health and safety.  Such risks are becoming more than theoretical.  For instance, the WannaCry attack disrupted a third of the United Kingdom’s Health Service organizations by cancelling appointments and disturbing operations.

In recognition of the imperative for cybersecurity in the health care sector, in late December 2018 the Department of Health and Human Services (“HHS”) released voluntary cybersecurity guidance, titled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients,” (“HHS Cybersecurity Guidance”).  The HHS Cybersecurity Guidance is intended to shepherd healthcare organizations through the process of planning for and implementing cybersecurity controls. It was authored by the Health Sector Coordinating Council, comprised of more than 150 cybersecurity and healthcare experts from government and industry, and was required by Section 405(d) of the Cybersecurity Act of 2015.

Continue Reading HHS Releases Voluntary Cybersecurity Guidance

The beginning of 2017 has brought a number of HIPAA enforcement actions involving covered entities. These enforcement actions indicate that HHS is continuing recent efforts to step up HIPAA enforcement and levy significant penalties for non-compliance.

  • In January, HHS announced that it had reached a $475,000 settlement with a large health care network for failure to make timely required breach notifications as required by the HIPAA Breach Notification Rule. This is the first settlement HHS has reached based on the untimely reporting or notification of a breach. HHS found that the network failed to notify HHS, the affected individuals, and the media within the required 60-day timeframe. Instead, the network made these notifications over 100 days after discovery of the breach. HHS found that the delay was a result of “miscommunications between . . . workforce members.” Under the regulation, each day on which the network failed to make the required notifications could be penalized as a separate violation of HIPAA.
  • In January, HHS announced a $2.2 million settlement with a health insurance company after the company filed a breach report indicating that a portable USB device, which contained the PHI of over 2,000 individuals, had been stolen. An HHS investigation found that the company had not conducted a risk analysis, as required by the HIPAA Security Rule, and had not implemented appropriate risk management to safeguard electronic PHI. Furthermore, the company lacked adequate encryption on its laptops and removable storage media.


Continue Reading HHS Announces More HIPAA Enforcement Actions