On July 13, the Department of Health and Human Services’ Substance Abuse and Mental Health Services (“SAMHSA”) announced final revisions to the Confidentiality of Substance Use Disorder Patient Records regulation codified at 42 CFR Part 2 (so-called “Part 2” regulations). These regulations—which apply to certain information relating to patients being treated for substance use disorders (“SUDs”)—impose restrictions above and beyond those in the Health Insurance Portability and Accountability Act (“HIPAA”). While the final rule does not fundamentally change the basic requirements of the Part 2 regulations, it relaxes some of the restrictions the regulations impose on holders of Part 2 information, in particular, to facilitate care coordination.
Since COVID-19 was declared a pandemic, the U.S. Department of Health and Human Services (“HHS”) and its Office for Civil Rights (“OCR”) have taken a variety of steps to relax HIPAA restrictions particularly pertinent to the COVID-19 response.
First, as covered in an earlier posting, HHS took action to waive penalties and assure companies that it would exercise enforcement discretion with respect to the Privacy Rule’s application to telehealth services and certain limited communication activities related to COVID-19 treatment efforts. (more…)
This week the U.S. Department of Health and Human Services (HHS) took action to waive penalties and refrain from enforcing certain federal health information privacy restrictions under the Health Insurance Portability and Accountability Act (HIPAA) in response to COVID-19.
In an effort to reduce barriers to coordination of care, the U.S. Department of Health and Human Services (“HHS”) is considering changes to Federal restrictions on the sharing of substance use disorder (“SUD”) records. The proposed changes would modify 42 C.F.R. Part 2 (“Part 2”) regulations that place restrictive conditions on the disclosure of SUD patient records—limitations that go above and beyond Health Insurance Portability and Accountability Act (“HIPAA”) restrictions.
The barriers imposed by these rules—which have been in place since the 1970s—have become the focus of particular attention in light of the opioid crisis, as members of Congress and other stakeholders have raised concerns about how the Part 2 statute and implementing regulations may inhibit efforts to respond and coordinate care. Members of Congress have called for reform, but have been unsuccessful at seeking legislative fixes thus far.
New Annual HIPAA Penalty Tiers
Six months after imposing the largest ever HIPAA fine ($16 million) following a HIPAA data breach, the U.S. Department of Health & Human Services’ Office for Civil Rights (“OCR”) has announced that it is exercising its enforcement discretion to lower maximum annual HIPAA penalties.
On January 28, 2019, the Healthcare and Public Health Sector Coordinating Council released the “Medical Device and Health IT Joint Security Plan” (“JSP” or “Plan”)—cybersecurity recommendations for medical device manufacturers, healthcare information technology vendors, and healthcare providers. U.S. Government entities, including the FDA, participated in the development of the Plan. The JSP comes close on the heels of the “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients,” a similar effort by a public-private partnership to provide cybersecurity guidance to healthcare industry stakeholders. (more…)
On December 28, 2018, the U.S. Department of Health and Human Services (HHS) released a four-volume cybersecurity guidance document for healthcare organizations. The publication, “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” (HICP), is the result of a government and industry collaboration mandated by the Cybersecurity Act of 2015. The HICP is not limited to individually identifiable health information but instead covers organizations’ enterprise-level information security more generally. HHS describes the publication as “practical, understandable, implementable, industry-led, and consensus-based voluntary cybersecurity guidelines to cost-effectively reduce cybersecurity risks for healthcare organizations of varying sizes.” Notwithstanding their voluntary nature, these HHS-backed cybersecurity recommendations are likely to serve as an important reference point for the industry. (more…)
On December 14, 2018, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published in the Federal Register a request for information (RFI) titled “Modifying HIPAA Rules to Improve Coordinated Care.” The RFI seeks public input on a broad range of potential reforms to Health Insurance Portability and Accountability Act (HIPAA) regulations with a focus on enhancing care coordination. Though only a preliminary step on the path to potential regulatory reform, the RFI’s scope is significant, as is the opportunity it affords stakeholders interested in sharing early input as HHS considers reforms to key health information privacy requirements. (more…)
The Administration is preparing to release a Request for Information (“RFI”) on potential modifications to Health Insurance Portability and Accountability Act (HIPAA) rules. The draft RFI was recently submitted by the Department of Health and Human Services (“HHS”) to the White House’s Office of Management and Budget (“OMB”) for pre-release review.
Three Boston-area hospitals collectively paid just under $1 million to settle allegations that they violated HIPAA by improperly disclosing patients’ identities and other protected health information during onsite filming of a television network documentary. According to the Department of Health and Human Services Office for Civil Rights (OCR)’s September 20, 2018 press release, the three hospitals – Boston Medical Center (BMC), Brigham and Women’s Hospital (BWH), and Massachusetts General Hospital (MGH) – permitted film crews to film an ABC television network documentary series on premises without first obtaining authorizations from patients. Collectively, the three hospitals paid $999,000 to settle potential violations of the HIPAA Privacy Rule, with BMC paying $100,000, BWH paying $384,000, and MGH paying $515,000.