On December 10, 2020, the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) released a proposed rule (the Proposed Rule) that would make a number of key changes to the Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act of 2009 (collectively, HIPAA). HHS stated that the Proposed Rule is intended to reduce burdens that may limit or discourage care coordination and case management communications among individuals and HIPAA-covered entities while continuing to protect the privacy of individuals. The proposed changes are designed to lead to increased data access, sharing, and portability and to further HHS’s emphasis on patients’ right of information access, which has been highlighted through a series of enforcement actions in 2020. If enacted as proposed, the amendments would require healthcare providers and electronic health records (EHR) vendors to update policies and disclosures related to information access and perhaps even to redesign certain EHR processes. Comments are due 60 days after publication in the Federal Register.
In almost the first three quarters of 2020, the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) has settled three cases related to alleged violations of the Health Insurance Portability and Accountability Act (“HIPAA”), totaling $1,165,000. These settlements underscore OCR’s continued focus on enforcement of the HIPAA Security Rule.
New Annual HIPAA Penalty Tiers
Six months after imposing the largest ever HIPAA fine ($16 million) following a HIPAA data breach, the U.S. Department of Health & Human Services’ Office for Civil Rights (“OCR”) has announced that it is exercising its enforcement discretion to lower maximum annual HIPAA penalties.
On December 28, 2018, the U.S. Department of Health and Human Services (HHS) released a four-volume cybersecurity guidance document for healthcare organizations. The publication, “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” (HICP), is the result of a government and industry collaboration mandated by the Cybersecurity Act of 2015. The HICP is not limited to individually identifiable health information but instead covers organizations’ enterprise-level information security more generally. HHS describes the publication as “practical, understandable, implementable, industry-led, and consensus-based voluntary cybersecurity guidelines to cost-effectively reduce cybersecurity risks for healthcare organizations of varying sizes.” Notwithstanding their voluntary nature, these HHS-backed cybersecurity recommendations are likely to serve as an important reference point for the industry. (more…)
On December 14, 2018, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published in the Federal Register a request for information (RFI) titled “Modifying HIPAA Rules to Improve Coordinated Care.” The RFI seeks public input on a broad range of potential reforms to Health Insurance Portability and Accountability Act (HIPAA) regulations with a focus on enhancing care coordination. Though only a preliminary step on the path to potential regulatory reform, the RFI’s scope is significant, as is the opportunity it affords stakeholders interested in sharing early input as HHS considers reforms to key health information privacy requirements. (more…)
The Administration is preparing to release a Request for Information (“RFI”) on potential modifications to Health Insurance Portability and Accountability Act (HIPAA) rules. The draft RFI was recently submitted by the Department of Health and Human Services (“HHS”) to the White House’s Office of Management and Budget (“OMB”) for pre-release review.
In a recent speech outlining the Trump Administration’s healthcare regulatory reform efforts, Secretary of Health and Human Services (HHS) Alex Azar announced that the Administration will soon begin considering changes to federal health privacy regulations. (more…)
On Thursday, August 4, 2016, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced that Advocate Health Care Center (Advocate Health) agreed to pay $5.55 million to settle multiple violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This is the largest HIPAA settlement to date against a single entity, and according to OCR, is due to the severity of the HIPAA violations and the length of time that those violations were allowed to persist. OCR alleged that in some instances, the purported violations date back to the effective date of the HIPAA Security Rule.
On June 24, 2016, Catholic Health Care Services of the Archdiocese of Philadelphia (“CHCS”) entered into a resolution agreement with the Department of Health and Human Services Office for Civil Rights (“OCR”) to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule after the theft of a CHCS mobile device compromised the protected health information (“PHI”) of 412 nursing home residents. This is OCR’s first settlement with a HIPAA business associate. As part of the settlement, CHCS agreed to enter into a two-year corrective action plan (“CAP”) and pay a monetary penalty of $650,000.