Do You Catch Our Drift? Navigating the Waters of Offshoring and Patient Data
With technology rapidly evolving and jurisdictions appearing blurred, it is increasingly important to be mindful of data flow and use. This is particularly true where patient data is being accessed by offshore subcontractors.
HIPAA Web Tracking Guidance Vacated
This week, in a significant win for the American Hospital Association plaintiff, the U.S. District Court for the Northern District of Texas issued an opinion vacating the Department of Health and Human Services’ (“HHS”) guidance on the use of online tracking technologies under HIPAA. At the heart of the dispute was the guidance released by HHS in December of 2022 and then updated again in March of 2024 (collectively, the “Guidance”), which suggested that information collected from unauthenticated website visitors could be considered protected health information (“PHI”) under HIPAA. The Guidance was challenged by hospitals and healthcare providers who argued it exceeded HHS’ statutory authority under HIPAA and imposed unreasonable compliance burdens.
HHS Announces 42 Part 2 Final Rule to Align with HIPAA
The U.S. Department of Health and Human Services (HHS) and the Substance Abuse and Mental Health Services Administration (SAMHSA) recently released the long anticipated Final Rule to revise the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations at 42 C.F.R. Part 2 (Part 2).
State Attorneys General Pen Letter to OCR Advocating for Greater Privacy Protection of Reproductive Health Care Information
On June 16, 2023, nearly half of the State Attorneys General[1] penned a letter (the “Letter”) to the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) advocating for broader privacy protections surrounding reproductive health care information. Specifically, the Letter targeted the Notice of Proposed Rulemaking (the “Proposed Rule”) published by OCR in April of 2023, which proposed a number of revisions to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).[2]
Texas is Making Moves on a Comprehensive Consumer Privacy Law
Texas is joining a growing number of states in passing comprehensive privacy legislation intended to safeguard consumer personal data.[1] Specifically, the Texas Data Privacy and Security Act (the “Act”) adds protections for consumers[2] and their personal data, which includes any information that is linked or reasonably linkable to an identified or identifiable individual.[3]
Washington State Enacts Landmark Privacy Law Aimed at Digital Health Industry
On April 27, 2023, the state of Washington enacted a landmark privacy law aimed at protecting the privacy of health data not covered by HIPAA. This law, named the “My Health My Data Act,” covers a very wide range of entities, consumers, and data. It also contains a private right of action. Companies should soon begin evaluating the scope of this law and its requirements before it comes into effect March 31, 2024 (for “small businesses,” June 30, 2024).
OCR Announces Proposed Rulemaking to Strengthen Reproductive Health Privacy
On April 12, 2023, OCR issued a Notice of Proposed Rulemaking (“NPRM”) to strengthen HIPAA’s protections around reproductive health care privacy. The NPRM responds to President Biden’s Executive Order 14076, which directed HHS to consider ways to strengthen privacy protections for reproductive health care services, following the Supreme Court’s ruling in Dobbs v. Jackson Women’s Health Organization, overturning Roe v. Wade and ultimately resulting in renewed concern over patient privacy and reproductive healthcare.
CMS’s Administrative Simplification Rule Aims to Increase Efficiency and Standardization for Health Care Attachments
The Centers for Medicare & Medicaid Services (“CMS”), on behalf of the U.S. Department of Health and Human Services (“HHS”), recently issued a proposed rule to adopt standards under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) for “health care attachment” transactions (the “Proposed Rule”). The Proposed Rule would implement requirements of HIPAA’s administrative simplification regulations, which are intended to support healthcare claims and prior authorization transactions while also introducing a standard format for electronic signatures to be used in conjunction with health care attachments.
ICYMI: HIPAA and Social Media IRL
Social media’s interplay with healthcare privacy presents a constantly evolving challenge. ICYMI (“in case you missed it”), there is an uptick in enforcement and scrutiny IRL (“in real life”) related to communications through social media and other public platforms by entities subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
OCR Releases Guidance on Use of Tracking Technologies
Most companies operating websites and mobile apps use some form of tracking technologies on these digital properties. While these types of technologies have been used for some time and serve a variety of purposes, the use of them by organizations regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) has garnered more recent attention within the past year. In the wake of recent public concerns, the Office of Civil Rights (OCR) at HHS recently released guidance on the use of these tools by HIPAA-regulated entities. OCR’s guidance distinguishes between tracking on authenticated and unauthenticated websites and on mobile apps. We summarize this guidance below.
Office of Civil Rights Publishes Guidance on Use of Audio-Only Telehealth Services
As telehealth services surged in response to the COVID-19 pandemic, unique compliance challenges likewise developed in unexpected ways. Recognizing these challenges, the Office of Civil Rights (“OCR”) indicated that it would exercise its enforcement discretion by declining to impose penalties against covered health care providers for instances of good faith noncompliance with the requirements of the Health Insurance Portability and Accountability Act (“HIPAA”) in connection with the provision of telehealth services. In effect, a covered health care provider seeking to use audio or video communication technology to provide telehealth services during the public health emergency could do so with greater flexibility.