On June 16, 2023, nearly half of the State Attorneys General[1] penned a letter (the “Letter”) to the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) advocating for broader privacy protections surrounding reproductive health care information. Specifically, the Letter targeted the Notice of Proposed Rulemaking (the “Proposed Rule”) published by OCR in April of 2023, which proposed a number of revisions to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).[2]

Continue Reading State Attorneys General Pen Letter to OCR Advocating for Greater Privacy Protection of Reproductive Health Care Information

Texas is joining a growing number of states in passing comprehensive privacy legislation intended to safeguard consumer personal data.[1] Specifically, the Texas Data Privacy and Security Act (the “Act”) adds protections for consumers[2] and their personal data, which includes any information that is linked or reasonably linkable to an identified or identifiable individual.[3]

Continue Reading Texas is Making Moves on a Comprehensive Consumer Privacy Law

On April 27, 2023, the state of Washington enacted a landmark privacy law aimed at protecting the privacy of health data not covered by HIPAA. This law, named the “My Health My Data Act,” covers a very wide range of entities, consumers, and data. It also contains a private right of action. Companies should soon begin evaluating the scope of this law and its requirements before it comes into effect March 31, 2024 (for “small businesses,” June 30, 2024).

Continue Reading Washington State Enacts Landmark Privacy Law Aimed at Digital Health Industry

On April 12, 2023, OCR issued a Notice of Proposed Rulemaking (“NPRM”) to strengthen HIPAA’s protections around reproductive health care privacy. The NPRM responds to President Biden’s Executive Order 14076, which directed HHS to consider ways to strengthen privacy protections for reproductive health care services, following the Supreme Court’s rule in Dobbs v. Jackson Women’s Health Organization, overturning Roe v. Wade and ultimately resulting in renewed concern over patient privacy and reproductive healthcare.

Continue Reading OCR Announces Proposed Rulemaking to Strengthen Reproductive Health Privacy

The Centers for Medicare & Medicaid Services (“CMS”), on behalf of the U.S. Department of Health and Human Services (“HHS”), recently issued a proposed rule to adopt standards under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) for “health care attachment” transactions (the “Proposed Rule”). The Proposed Rule would implement requirements of HIPAA’s administrative simplification regulations, which are intended to support healthcare claims and prior authorization transactions while also introducing a standard format for electronic signatures to be used in conjunction with health care attachments.

Continue Reading CMS’s Administrative Simplification Rule Aims to Increase Efficiency and Standardization for Health Care Attachments

Social media’s interplay with healthcare privacy presents a constantly evolving challenge. ICYMI (“in case you missed it”), there is an uptick in enforcement and scrutiny IRL (“in real life”) related to communications through social media and other public platforms by entities subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

Continue Reading ICYMI: HIPAA and Social Media IRL

Most companies operating websites and mobile apps use some form of tracking technologies on these digital properties. While these types of technologies have been used for some time and serve a variety of purposes, the use of them by organizations regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) has garnered more recent attention within the past year. In the wake of recent public concerns, the Office of Civil Rights (OCR) at HHS recently released guidance on the use of these tools by HIPAA-regulated entities. OCR’s guidance distinguishes between tracking on authenticated and unauthenticated websites and on mobile apps. We summarize this guidance below.

Continue Reading OCR Releases Guidance on Use of Tracking Technologies

As telehealth services surged in response to the COVID-19 pandemic, unique compliance challenges likewise developed in unexpected ways. Recognizing these challenges, the Office of Civil Rights (“OCR”) indicated that it would exercise its enforcement discretion by declining to impose penalties against covered health care providers for instances of good faith noncompliance with the requirements of the Health Insurance Portability and Accountability Act (“HIPAA”) in connection with the provision of telehealth services. In effect, a covered health care provider seeking to use audio or video communication technology to provide telehealth services during the public health emergency could do so with greater flexibility.

Continue Reading Office of Civil Rights Publishes Guidance on Use of Audio-Only Telehealth Services

The digital health sector has seen tremendous growth and innovation over the past few years. This momentum introduces new complexities within the legal and regulatory landscape that is trying to
Continue Reading Top 5 Legal Issues in Digital Health to Watch for in 2022

“The guidance reminds the public that the HIPAA Privacy Rule does not apply to employers or employment records.”[1]

On September 30, 2021, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) released guidance (the “Guidance”) entitled, “HIPAA, COVID-19 Vaccination, and the Workplace,” regarding the applicability of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule (“Privacy Rule”) to disclosures and requests for information regarding COVID-19 vaccination status. In a frequently-asked-questions format, the Guidance sets forth a series of workplace-related scenarios involving the confidentiality of an employee’s vaccination status, an employer’s ability to obtain vaccination information from its employees, and the confidentiality of such information.

Continue Reading HIPAA and COVID-19 Vaccination Status: The Office of Civil Rights Issues Workplace Guidance

On July 1, 2021, the California Department of Public Health (“CDPH”) issued new regulations[1] (the “Regulations”) effective immediately that more narrowly limit the circumstances under which instances of unauthorized access to medical information have to be reported to CDPH.  The new regulations also give CDPH more discretion to adjust penalties for violations.  The Regulations complement Section 1280.15 of the Health and Safety Code (“Section 1280.15”) requiring state-licensed clinics, health facilities, home health agencies, and hospices to prevent any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information, and to report any unauthorized access, use or disclosure to the Department no later than fifteen (15) business days after the breach was detected.

Continue Reading California Issues New Health Facility Breach Reporting Requirements