HIPAA

On March 18, 2024, the U.S. Department of Health and Human Services Office for Civil Rights (“HHS OCR”) updated its “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates” guidance addressing how regulated entities may use tracking technologies on their websites and mobile applications in a manner compliant with the Health Insurance Portability and Accountability Act, as amended, and its implementing regulations (collectively, “HIPAA”).  The guidance, originally published in December 2022, states that HIPAA-regulated entities are not permitted to leverage tracking technologies in ways that would result in an impermissible disclosure of protected health information (“PHI”) or other violation of HIPAA.  The guidance also emphasizes the importance of safeguarding PHI and notes that regulated entities may not share PHI with tracking technology vendors (e.g., third-party advertisers) absent a business associate agreement (“BAA”) with the vendor or pursuant to a patient authorization. Continue Reading HHS OCR Updates Tracking Technologies Guidance

On February 21, 2024, Senator Bill Cassidy (R-LA), the Ranking Member of the U.S. Senate Health, Education, Labor, and Pensions (“HELP”) Committee, issued a white paper, “Strengthening Health Data Privacy for Americans: Addressing the Challenges of the Modern Era”, which proposes several updates to the privacy protections for health data. This follows Senator Cassidy’s September 2023 request for information from stakeholders about how to enhance health data privacy protections covered by the Health Insurance Portability and Accountability Act (“HIPAA”) framework and to consider privacy protections for other sources of health data not currently covered by HIPAA. The white paper notes that several entities, including trade associations, hospitals, health technology companies, and think tanks, responded to the RFI.Continue Reading Senator Cassidy Issues White Paper with Proposals to Update Health Data Privacy Framework – Part 1: Updates to the HIPAA Framework

On February 16, 2024, the U.S. Department of Health and Human Services (“HHS”) published a final rule to amend the Confidentiality of Substance Use Disorder (“SUD”) Patient Records regulations (“Part 2”) to more closely align Part 2 with the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively, “HIPAA”)

On February 12, the U.S. Department of Health and Human Services (“HHS”), Office of Civil Rights (“OCR”), published a notice requesting comment on an upcoming information request.  Specifically, OCR invites comments regarding its burden estimate for a “HIPAA Audit Review Survey.”  The Survey consists of “39 online survey questions” and will be sent to “207

On February 6, the U.S. Department of Health and Human Services (“HHS”), Office of Civil Rights (“OCR”), announced that it had settled a cybersecurity investigation with Montefiore Medical Center (“Montefiore”), a non-profit hospital system based in New York City, for $4.75 million.  As brief background, OCR is responsible for administering and enforcing the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively, “HIPAA”).  Among other things, HIPAA requires that regulated entities take steps to protect the privacy and security of patients’ protected health information (“PHI”).Continue Reading HHS Settles Malicious Insider Cybersecurity Investigation for $4.75 Million

On September 15, the Federal Trade Commission (“FTC”) and U.S. Department of Health and Human Services (“HHS”) announced an updated joint publication describing the privacy and security laws and rules that impact consumer health data.  Specifically, the “Collecting, Using, or Sharing Consumer Health Information? Look to HIPAA, the FTC Act, and the Health Breach Notification Rule” guidance provides an overview of the Health Insurance Portability and Accountability Act, as amended, and the implementing regulations issued by HHS (collectively “HIPAA”); the FTC Act; and the FTC’s Health Breach Notification Rule (“HBNR”) and how they may apply to businesses.  This joint guidance follows a recent surge of FTC enforcement in the health privacy space.  We offer below a high-level summary of the requirements flagged by the guidance.Continue Reading FTC and HHS Announce Updated Health Privacy Publication

On April 17, the Office for Civil Rights (“OCR”) at the U.S. Department of Health & Human Services (“HHS”) published a notice of proposed rulemaking that would revise the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule to bar certain uses and disclosures of protected health information (“PHI”) related to reproductive health care.  Specifically, the proposed rule (“Rule”) would amend the Privacy Rule to prohibit covered entities or business associates (collectively, “regulated entities”) from using or disclosing PHI for purposes of (1) criminal, civil, or administrative investigations into or proceedings against any person in connection with seeking, obtaining, providing, or facilitating lawful reproductive health care, or (2) the identification of any person for the purpose of initiating such investigations or proceedings.

The Rule appears to be designed to further President Biden’s executive order directing HHS to consider actions that would “strengthen the protection of sensitive information related to reproductive healthcare services and bolster patient-provider confidentiality.”  President Biden issued the order in the wake of the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization

Below, we provide a brief summary of the proposed changes and a timeline for commenting.Continue Reading HHS Issues Notice of Proposed Rulemaking on HIPAA and the Use and Disclosure of Information Related to Reproductive Health Care

On April 11, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced that four Notifications of Enforcement Discretion (“Notifications”) that were issued under the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively, “HIPAA”) during the COVID-19 pandemic will expire on May 11, 2023.  In response to the COVID-19 Public Health Emergency, OCR announced it would exercise enforcement discretion with respect to noncompliance with certain provisions of HIPAA.  Now that the public health emergency is set to expire, OCR is rescinding the relevant Notifications.  Below, we summarize the four Notifications that are set to expire:Continue Reading HHS Issues Notice of Expiration of COVID-19 HIPAA Enforcement Discretion

In a new post on the Covington Digital Health blog, our colleagues discuss recently issued proposed rule to implement statutory amendments enacted by Section 3221 of the 2020 Coronavirus Aid, Relief, and Economic Security Act (“CARES Act”).  Specifically, the proposed rule would harmonize certain provisions of the Confidentiality of Substance Use Disorder Patient Records under

On September 15, the Federal Trade Commission (“FTC”) adopted, on a 3-2 party-line vote, a policy statement that takes a broad view of which health apps and connected devices are subject to the FTC’s Health Breach Notification Rule (the “Rule”) and what triggers the Rule’s notification requirement.

The Rule was promulgated in 2009 under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act.  Under the Rule, vendors of personal health records that are not otherwise regulated under the Health Insurance Portability and Accountability Act (“HIPAA”) are required to notify individuals, the FTC, and, in some cases, the media following a breach involving unsecured identifiable health information.  Third-party service providers also are required to notify covered vendors of any breach.
Continue Reading FTC Adopts Policy Statement on Privacy Breaches by Health Apps and Connected Devices