The Centers for Medicare & Medicaid Services (“CMS”), on behalf of the U.S. Department of Health and Human Services (“HHS”), recently issued a proposed rule to adopt standards under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) for “health care attachment” transactions (the “Proposed Rule”). The Proposed Rule would implement requirements of HIPAA’s administrative simplification regulations, which are intended to support healthcare claims and prior authorization transactions while also introducing a standard format for electronic signatures to be used in conjunction with health care attachments.

Continue Reading CMS’s Administrative Simplification Rule Aims to Increase Efficiency and Standardization for Health Care Attachments

As telehealth services surged in response to the COVID-19 pandemic, unique compliance challenges likewise developed in unexpected ways. Recognizing these challenges, the Office of Civil Rights (“OCR”) indicated that it would exercise its enforcement discretion by declining to impose penalties against covered health care providers for instances of good faith noncompliance with the requirements of the Health Insurance Portability and Accountability Act (“HIPAA”) in connection with the provision of telehealth services. In effect, a covered health care provider seeking to use audio or video communication technology to provide telehealth services during the public health emergency could do so with greater flexibility.

Continue Reading Office of Civil Rights Publishes Guidance on Use of Audio-Only Telehealth Services

The digital health sector has seen tremendous growth and innovation over the past few years. This momentum introduces new complexities within the legal and regulatory landscape that is trying to

Continue Reading Top 5 Legal Issues in Digital Health to Watch for in 2022

“The guidance reminds the public that the HIPAA Privacy Rule does not apply to employers or employment records.”[1]

On September 30, 2021, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) released guidance (the “Guidance”) entitled, “HIPAA, COVID-19 Vaccination, and the Workplace,” regarding the applicability of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule (“Privacy Rule”) to disclosures and requests for information regarding COVID-19 vaccination status. In a frequently-asked-questions format, the Guidance sets forth a series of workplace-related scenarios involving the confidentiality of an employee’s vaccination status, an employer’s ability to obtain vaccination information from its employees, and the confidentiality of such information.

Continue Reading HIPAA and COVID-19 Vaccination Status: The Office of Civil Rights Issues Workplace Guidance

On May 6, 2021, the comment period for the proposed modification to regulations implementing the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule and Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”) closed. The Office for Civil Rights (“OCR”) at the Department of Health and Human Services (“HHS”) issued its initial request for information in December 2018, subsequently released the Notice of Proposed Rulemaking (“NPRM”) to the public on December 10, 2020, and published the Proposed Rule in the Federal Register on January 21, 2021 (the “Proposed Rule”). After a significant degree of public interest in providing input on the proposals, OCR extended the comment period from its original end date of March 22, 2021 to May 6, 2021.

Continue Reading HIPAA Privacy Rule Modification – Removing Barriers and Promoting Coordinated Care at What Cost?

On April 2, 2020, the Office for Civil Rights at the U.S. Department of Health and Human Services (“HHS”) announced a Notification of Enforcement Discretion to allow certain uses and disclosures of Protected Health Information (“PHI”) by HIPAA business associates during the COVID-19 public health emergency. Understanding that the CDC, CMS and state and local health departments need quick access to COVID-19-related healthcare data in order to fight the pandemic, HHS decided to grant HIPAA business associates greater freedom to cooperate and exchange COVID-19-related information with public health and oversight agencies.

Continue Reading HHS Further Relaxes HIPAA Regulations Governing Use and Disclosure of Protected Health Information During the COVID-19 Public Health Emergency

On Friday, March 27, the Coronavirus Aid, Relief, and Economic Security Act (the “CARES Act”) was enacted. Organized below are concise summaries of select CARES Act sections that will impact various sectors of the health care industry:

Continue Reading Key Health Care Provisions of the Coronavirus Aid, Relief, and Economic Security Act (the “CARES Act”)

According to a December 20, 2019 Report by HIPAA Journal, nearly 39 million health care data breaches had been reported to the U.S. Department of Health and Human Services (“DHHS”), Office of Civil Rights (“OCR”) by the end of November 2019. This is a staggering number, especially considering that this is more than double what was reported in all of 2018. This appears to be part of an exponentially growing number of breach reports since, as we reported last year, 2018’s breach reports were already three times greater than what was reported in 2017.

This article explores some of the trends that can be attributed to the growing number of breaches and how the OCR has responded to the difficulties experienced by healthcare entities (“Covered Entities”) covered by the security and confidentiality requirements applicable to protected health information (“PHI”) under the Health Insurance Portability and Accountability Act of 1996 and 45 CFR Parts 160 and 164, as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH”) (collectively referred to hereinafter as “HIPAA”).

Continue Reading 2019 Year in Review: Notable Changes in Law, Policy, and Enforcement of HIPAA

Access to healthcare information (or lack thereof) has always been touted as one of the key factors/necessities to realizing the promise of technology in the delivery of healthcare. Despite various legislative, judicial, patient and industry initiatives, access continues to be a challenge due to a variety of competitive practices and lack of capabilities. Consider the following events and whether they signal real progress:

  1. In a September 9, 2019 Press Release issued by the United States Department of Health & Human Services – Office of Civil Rights (“OCR”), the OCR announced that it had taken action against Bayfront Health St. Petersburg (“Bayfront”), an academic medical center in St. Petersburg, Florida, to enforce the Health Insurance Portability and Accountability Act (“HIPAA”) protections that guarantee every patient the right to receive copies of his/her medical records promptly and without being overcharged. The enforcement action against Bayfront (which includes the assessment of an $85,000 fine against Bayfront and the imposition of a “Resolution Agreement” between OCR and Bayfront) is notable as the OCR’s first enforcement action under the OCR’s “Right of Access Initiative” – a program designed to focus OCR resources on the enforcement of HIPAA’s right of access guarantees.
  2. On February 11, 2019, two offices of the US Department of Health and Human Services (“HHS”) – the Office of the National Coordinator for Health Information Technology (“ONC”) and the Centers for Medicare and Medicaid Services (“CMS”) – each released a proposed rule (ONC Proposed Rule; CMS Proposed Rule) (collectively, the “Proposed Rules”) aimed at enhancing the interoperability of electronic health record (“EHR”) systems and increasing patient access to electronic health information (“EHI”) as required by the 21st Century Cures Act.
  3. On September 23, 2019, seven major healthcare leadership groups, including the American Health Information Management Association (“AHIMA”) and the American Medical Association (“AMA”), sent a letter to Congress (the “AHIMA Letter”) critiquing the ONC Proposed Rule.

What is the link between the Bayfront case, the Proposed Rules, and the AHIMA letter? The link is commonly referred to as “Information Blocking.”

Continue Reading INFORMATION BLOCKING AND THE RIGHT TO ACCESS INITIATIVE: Why Patients Struggle to Obtain their Medical Records and what the Office of Civil Rights Intends to Do About It

A single, multidisciplinary entity, like a university, may include certain departments that use PHI, and other departments that do not. Such institutions are eligible to (and should) self-identify as “hybrid entities” to better manage HIPAA compliance risk.

The Health Insurance Portability and Accountability Act of 1996, as modified by the Health Information Technology for Economic and Clinical Health Act (collectively, “HIPAA”) mandates privacy and security safeguards for information about an individual’s health status, care, or payment for care. Individuals, organizations, and agencies that meet the definition of a “covered entity” or “business associate” under HIPAA must comply with its requirements.

Continue Reading Are You a “Hybrid Entity” under the Health Insurance Portability and Accountability Act of 1996? The $4,348,000 Question

The Center for Children’s Digestive Health (CCDH), a small, for-profit pediatric subspecialty practice that operates seven clinics in the Chicago area, has paid the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) $31,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Continue Reading A $31,000 Mistake: Failing To Manage Business Associate Agreements Proves Costly For Providers