Photo of Anna D. Kraus

Anna Durand Kraus has a multi-disciplinary practice advising clients on issues relating to the complex array of laws governing the health care industry. Her background as Deputy General Counsel to the U.S. Department of Health and Human Services (HHS) gives her broad experience with, and valuable insight into, the programs and issues within the purview of HHS, including Medicare, Medicaid, fraud and abuse, and health information privacy. Ms. Kraus regularly advises clients on Medicare reimbursement matters, the Medicaid Drug Rebate program, health information privacy issues (including under HIPAA and the HITECH Act), and the challenges and opportunities presented by the Affordable Care Act.

On December  10, 2020, the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”) issued a proposed rule to modify the Standards for the Privacy of Individually Identifiable Health Information (the “Privacy Rule”) promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”).  According to HHS’s announcement, the proposed rule would amend the Privacy Rule to “support individuals’ engagement in their care, remove barriers to coordinated care, and reduce regulatory burdens on the health care industry.”  Public comments on the proposed rule are currently being accepted through February 12, 2021.

The proposed rule is part of HHS’s Regulatory Sprint to Coordinated Care, initiated pursuant to Secretary Alex Azar’s value-based transformation agenda, which seeks to “promote value-based care by examining federal regulations that impede efforts among health care providers and health plans to better coordinate care for patients.”  Throughout the Privacy Rule, HHS sought to protect health information while also permitting information sharing for certain beneficial purposes.  However, stakeholders have questioned whether the Privacy Rule strikes the appropriate balance in certain situations.

Proposed modifications to the HIPAA Privacy Rule include strengthening individuals’ right to access their protected health information (“PHI”), including electronic PHI; facilitating greater family involvement in care for individuals dealing with health crises or emergencies; and allowing providers more flexibility to disclose PHI when harm to a patient is “serious and reasonably foreseeable,” such as during the opioid crisis or COVID-19 public health emergency.  Importantly, multiple provisions of the proposed rule, discussed in greater detail below, address electronic health records (“EHRs”) and personal health applications.

Continue Reading HHS Announces Proposed Changes to HIPAA’s Privacy Rule

California Attorney General Xavier Becerra (“AG”) announced in September a settlement against Glow, Inc., resolving allegations that the fertility app had “expose[d] millions of women’s personal and medical information.”  In the complaint, the AG alleged violations of certain state consumer protection and privacy laws, stemming from privacy and security “failures” in Glow’s mobile application

Throughout September, the Department of Health and Human Services, Office for Civil Rights (“OCR”), announced eight different settlements to resolve a variety of alleged violations of the Privacy and Security Rules promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).  Notably, three settlements stem from data breaches in which hackers were able

On September 2, 2020, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) announced a new “Health Apps” feature on the HHS.gov website.  The new website, which replaces the OCR’s Health App Developer Portal, highlights existing guidance for mobile health (“mHealth”) apps regarding the Health Insurance Portability and Accountability Act

On July 13, 2020, the U.S. Department of Health and Human Services, Substance Abuse and Mental Health Services Administration (SAMHSA) issued a final rule revising the Confidentiality of Substance Use Disorder Patient Records regulations located at 42 C.F.R. Part 2, commonly referred to as “Part 2.”  Under Part 2, federally assisted substance use disorder (SUD)

On May 8, 2020, the Federal Trade Commission (“FTC”) issued a notice soliciting public comment regarding whether changes should be made to its Health Breach Notification Rule (the “Rule”).  The request for comment is part of a periodic review process “to ensure that [FTC rules] are keeping pace with changes in the economy, technology, and

On April 21, 2020, the Department of Health and Human Services (“HHS”) announced that, as a response to the COVID-19 public health emergency, it will exercise enforcement discretion to “permit compliance flexibilities” regarding the implementation of the interoperability final rules issued on March 9th, 2020.  This joint announcement was made by the Office of the

On April 9, 2020, U.S. Department of Health and Human Services (“HHS”) issued a Notification of Enforcement Discretion (the “Notification”) regarding certain covered entities and business associates who choose to participate in the operation of a Community-Based Testing Site (“CBTS”) during the COVID-19 nationwide public health emergency. The Notification relaxes HHS’s enforcement of certain provisions

On April 3, 2020, the Department of Health and Human Services Office for Civil Rights (“OCR”) released an alert warning covered entities and business associates of an individual posing as an OCR Investigator to obtain protected health information. According to the alert, “[t]he individual identifies themselves as an OCR Investigator on the telephone, but does

On April 2, 2020, the U.S. Department of Health and Human Services (“HHS”) issued a Notification of Enforcement Discretion (the “Notification”) regarding the disclosure of protected health information (“PHI”) to public health authorities and use of PHI to perform analytics for such authorities.  Designed to “facilitate uses and disclosures for public health and health oversight activities during this nationwide public health emergency,” the Notification relaxes HHS’s enforcement of certain provisions of the Privacy Rule issued  under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).  More specifically, the Notification announces that, under certain circumstances, HHS will not impose penalties for violations of such provisions against covered health care providers and their business associates for the use and disclosure of PHI “by business associates for public health and health oversight activities” in connection with the COVID-19 nationwide public health emergency.
Continue Reading HHS Seeks to Facilitate Certain Uses and Disclosures of Health Data to Public Health and Health Oversight Agencies Amidst COVID-19 Nationwide Public Health Emergency