On November 2, 2023, the American Hospital Association and Texas Hospital Association, in conjunction with the Texas Health Resources and United Regional Health Care System, filed suit against the Secretary of the Department of Health and Human Services (“HHS”) and the Director of the HHS Office for Civil Rights (“OCR”) regarding OCR’s guidance on the use of online tracking technologies by HIPAA entities.[i] This action and its results will impact how healthcare entities must protect and may use certain information collected on their digital sites.Continue Reading Caught in the Web: Hospital Associations Sue OCR on Third-Party Web Tracking Guidance
State Attorneys General Pen Letter to OCR Advocating for Greater Privacy Protection of Reproductive Health Care Information
On June 16, 2023, nearly half of the State Attorneys General[1] penned a letter (the “Letter”) to the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) advocating for broader privacy protections surrounding reproductive health care information. Specifically, the Letter targeted the Notice of Proposed Rulemaking (the “Proposed Rule”) published by OCR in April of 2023, which proposed a number of revisions to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).[2]Continue Reading State Attorneys General Pen Letter to OCR Advocating for Greater Privacy Protection of Reproductive Health Care Information
HHS OCR Delivered Annual Reports to Congress
In February, when the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) delivered two annual reports to Congress for the 2021 calendar year as mandated by the HITECH Act, several notable takeaways were exposed. By providing data on enforcement actions and insight into areas of noncompliance, the reports assist HIPAA entities to mitigate risk, prioritize compliance efforts, and promote industry accountability.Continue Reading HHS OCR Delivered Annual Reports to Congress
OCR Releases Guidance on Use of Tracking Technologies
Most companies operating websites and mobile apps use some form of tracking technologies on these digital properties. While these types of technologies have been used for some time and serve a variety of purposes, the use of them by organizations regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) has garnered more recent attention within the past year. In the wake of recent public concerns, the Office of Civil Rights (OCR) at HHS recently released guidance on the use of these tools by HIPAA-regulated entities. OCR’s guidance distinguishes between tracking on authenticated and unauthenticated websites and on mobile apps. We summarize this guidance below.Continue Reading OCR Releases Guidance on Use of Tracking Technologies
HIPAA and COVID-19 Vaccination Status: The Office of Civil Rights Issues Workplace Guidance
“The guidance reminds the public that the HIPAA Privacy Rule does not apply to employers or employment records.”[1]
On September 30, 2021, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) released guidance (the “Guidance”) entitled, “HIPAA, COVID-19 Vaccination, and the Workplace,” regarding the applicability of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule (“Privacy Rule”) to disclosures and requests for information regarding COVID-19 vaccination status. In a frequently-asked-questions format, the Guidance sets forth a series of workplace-related scenarios involving the confidentiality of an employee’s vaccination status, an employer’s ability to obtain vaccination information from its employees, and the confidentiality of such information.Continue Reading HIPAA and COVID-19 Vaccination Status: The Office of Civil Rights Issues Workplace Guidance
2019 Year in Review: Notable Changes in Law, Policy, and Enforcement of HIPAA
According to a December 20, 2019 Report by HIPAA Journal, nearly 39 million health care data breaches had been reported to the U.S. Department of Health and Human Services (“DHHS”), Office of Civil Rights (“OCR”) by the end of November 2019. This is a staggering number, especially considering that this is more than double what was reported in all of 2018. This appears to be part of an exponentially growing number of breach reports since, as we reported last year, 2018’s breach reports were already three times greater than what was reported in 2017.
This article explores some of the trends that can be attributed to the growing number of breaches and how the OCR has responded to the difficulties experienced by healthcare entities (“Covered Entities”) covered by the security and confidentiality requirements applicable to protected health information (“PHI”) under the Health Insurance Portability and Accountability Act of 1996 and 45 CFR Parts 160 and 164, as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH”) (collectively referred to hereinafter as “HIPAA”).
Continue Reading 2019 Year in Review: Notable Changes in Law, Policy, and Enforcement of HIPAA
OCR to Focus More Investigative Resources on Smaller HIPAA Breaches with Less Than 500 Individuals Affected
The Department of Health & Human Services (DHHS) Office of Civil Rights (OCR) recently announced it will devote more resources to investigate smaller HIPAA breaches. Before this announcement, OCR typically opened investigations for HIPAA breaches affecting more than 500 individuals.
Continue Reading OCR to Focus More Investigative Resources on Smaller HIPAA Breaches with Less Than 500 Individuals Affected