On May 6, 2021, the comment period for the proposed modification to regulations implementing the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule and Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”) closed.  The Office for Civil Rights (“OCR”) at the Department of Health and Human Services (“HHS”) issued its initial request for information in December 2018, subsequently released the Notice of Proposed Rulemaking (“NPRM”) to the public on December 10, 2020, and published the Proposed Rule in the Federal Register on January 21, 2021 (the “Proposed Rule”).  After a significant degree of public interest in providing input on the proposals, OCR extended the comment period from its original end date of March 22, 2021 to May 6, 2021.
Continue Reading HIPAA Privacy Rule Modification – Removing Barriers and Promoting Coordinated Care at What Cost?

On April 2, 2020, the Office for Civil Rights at the U.S. Department of Health and Human Services (“HHS”) announced a Notification of Enforcement Discretion to allow certain uses and disclosures of Protected Health Information (“PHI”) by HIPAA business associates during the COVID-19 public health emergency.  Understanding that the CDC, CMS and state and local health departments need quick access to COVID-19 related healthcare data in order to fight the pandemic, HHS decided to grant HIPAA business associates greater freedom to cooperate and exchange COVID-19-related information with public health and oversight agencies.
Continue Reading HHS Further Relaxes HIPAA Regulations Governing Use and Disclosure of Protected Health Information During the COVID-19 Public Health Emergency

On Friday, March 27, the Coronavirus Aid, Relief, and Economic Security Act (the “CARES Act”) was enacted.  Organized below are concise summaries of select CARES Act sections that will impact various sectors of the health care industry:
Continue Reading Key Health Care Provisions of the Coronavirus Aid, Relief, and Economic Security Act (the “CARES Act”)

According to a December 20, 2019 Report by HIPAA Journal, nearly 39 million health care data breaches had been reported to the U.S. Department of Health and Human Services (“DHHS”), Office of Civil Rights (“OCR”) by the end of November 2019. This is a staggering number, especially considering that this is more than double what was reported in all of 2018. This appears to be part of an exponentially growing number of breach reports since, as we reported last year, 2018’s breach reports were already three times greater than what was reported in 2017.

This article explores some of the trends that can be attributed to the growing number of breaches and how the OCR has responded to the difficulties experienced by healthcare entities (“Covered Entities”) covered by the security and confidentiality requirements applicable to protected health information (“PHI”) under the Health Insurance Portability and Accountability Act of 1996 and 45 CFR Parts 160 and 164, as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH”) (collectively referred to hereinafter as “HIPAA”).
Continue Reading 2019 Year in Review: Notable Changes in Law, Policy, and Enforcement of HIPAA

Access to healthcare information (or lack thereof) has always been touted as one of the key prerequisites to realizing the promise of technology in the delivery of healthcare. Despite various legislative, judicial, patient and industry initiatives, access continues to be a challenge due to a variety of competitive practices and a lack of technical capabilities. Consider the following events and whether they signal real progress:

  1. In a September 9, 2019 Press Release issued by the United States Department of Health & Human Services – Office of Civil Rights (“OCR”), the OCR announced that it had taken action against Bayfront Health St. Petersburg (“Bayfront”), an academic medical center in St. Petersburg, Florida, to enforce the Health Insurance Portability and Accountability Act (“HIPAA”) protections that guarantee every patient the right to receive copies of his/her medical records promptly and without being overcharged. The enforcement action against Bayfront (which includes the assessment of an $85,000 fine against Bayfront and the imposition of a “Resolution Agreement” between OCR and Bayfront) is notable as the OCR’s first enforcement action under the OCR’s “Right of Access Initiative” – a program designed to focus OCR resources on the enforcement of HIPAA’s right of access guarantees.
  2. On February 11, 2019, two offices of the US Department of Health and Human Services (“HHS”) – the Office of the National Coordinator for Health Information Technology (“ONC”) and the Centers for Medicare and Medicaid Services (“CMS”) – each released a proposed rule (ONC Proposed Rule; CMS Proposed Rule) (collectively, the “Proposed Rules”) aimed at enhancing the interoperability of electronic health record (“EHR”) systems and increasing patient access to electronic health information (“EHI”) as required by the 21st Century Cures Act.
  3. On September 23, 2019, seven major healthcare leadership groups, including the American Health Information Management Association (“AHIMA”) and the American Medical Association (AMA), sent a letter to Congress (the “AHIMA Letter”) critiquing the ONC Proposed Rule.

What is the link between the Bayfront case, the Proposed Rules, and the AHIMA letter? The link is commonly referred to as “Information Blocking.”
Continue Reading INFORMATION BLOCKING AND THE RIGHT TO ACCESS INITIATIVE: Why Patients Struggle to Obtain their Medical Records and what the Office of Civil Rights Intends to Do About It

A single, multidisciplinary entity, like a university, may include certain departments that use PHI, and other departments that do not. Such institutions are eligible to (and should) self-identify as “hybrid entities” to better manage HIPAA compliance risk.

The Health Insurance Portability and Accountability Act of 1996, as modified by the Health Information Technology for Economic and Clinical Health Act (collectively, “HIPAA”) mandates privacy and security safeguards for information about an individual’s health status, care, or payment for care. Individuals, organizations, and agencies that meet the definition of a “covered entity” or “business associate” under HIPAA must comply with its requirements.
Continue Reading Are You a “Hybrid Entity” under the Health Insurance Portability and Accountability Act of 1996? The $4,348,000 Question

The Center for Children’s Digestive Health (CCDH), a small, for-profit pediatric subspecialty practice that operates seven clinics in the Chicago area, has paid the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) $31,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Continue Reading A $31,000 Mistake: Failing To Manage Business Associate Agreements Proves Costly For Providers

Covered entities have a long list of laws and regulations governing their conduct, including their communications with patients, customers, and members.  Specifically, the Health Insurance Portability and Accountability Act (“HIPAA”) permits many such communications, including those about health care products and services, but precludes certain “marketing” communications absent written consent.  Recently, however, healthcare providers and health plans have been subject to a spate of class actions alleging violations of the Telephone Consumer Protection Act (“TCPA”), which generally precludes autodialed (or “robo”) calls to residential and cellular phones.  The TCPA was originally enacted to curtail pesky “telemarketers,” but has recently been used to go after a range of other businesses.  The penalties under the TCPA can be substantial – at $500 to $1,500 per phone call, the statutory damages can quickly exceed $100 million.
Continue Reading Do Routine Calls by Health Plans to Patients and Health Plan Members Constitute “Telemarketing” Under the Telephone Consumer Protection Act? Not Today!

On July 11, 2013, the U.S. Department of Health and Human Services (HHS) announced that it had reached a $1.7 million resolution agreement with insurer WellPoint Inc., following a security breach that left the personal information of 612,402 individuals exposed and available to unauthorized computer users. Between October 23, 2009, and March 7, 2010, protected health information, including the names, dates of birth, addresses, Social Security numbers, and health information of applicants, was left vulnerable after a system upgrade failed to comply with Health Insurance Portability and Accountability Act (HIPAA) requirements. WellPoint is an Indianapolis-based managed health care insurer that serves approximately 65.3 million individuals through its subsidiaries.
Continue Reading WellPoint, Inc. Reaches $1.7 Million Dollar HIPAA Settlement Continuing the 2012 Trend of Heavy Fines

By Maureen Corcoran

Sweeping changes to the obligations of providers, health plans and their service providers ("business associates") under the HIPAA privacy and security rules were included in the American Recovery and Reinvestment Act of 2009. Previously, only health plans and providers were covered under HIPAA and subject to its criminal and civil monetary penalties. Effective February 17, 2010, business associates are now directly covered. These new requirements will necessitate amendments to all business associate agreements. Business associates must also draft policies and procedures to implement their obligations under the privacy and security standards. Immediate steps must be taken to prepare for implementation.

Continue Reading HIPAA Statutory Changes Require Action Now by Providers, Plans and Their Business Associates