Throughout September, the Department of Health and Human Services, Office for Civil Rights (“OCR”), announced eight different settlements to resolve a variety of alleged violations of the Privacy and Security Rules promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Notably, three settlements stem from data breaches
Continue Reading HHS Announces Multiple HIPAA Settlements Related to Data Breaches and the Right of Access Initiative

Anna D. Kraus
Anna Durand Kraus advises on issues relating to the complex array of laws governing the health care industry. Her background as Deputy General Counsel to the U.S. Department of Health and Human Services (“HHS”) gives her broad experience with, and valuable insight into, the programs and issues within the purview of HHS, including Medicare, Medicaid, fraud and abuse, and HIPAA privacy and security. Anna is co-chair of the firm’s Health Care Industry practice group.
Anna regularly advises clients on Medicare reimbursement matters, particularly those arising under Part B and the Part D prescription drug benefit. She also has extensive experience with the Medicaid Drug Rebate program. She assists numerous pharmaceutical and device manufacturers, health care providers, pharmacy benefit managers, and other health care industry stakeholders to navigate the challenges and opportunities presented by the Affordable Care Act.
Anna is a trusted adviser on health information privacy, security and breach notification issues, including those arising under the Health Insurance Portability and Accountability Act ("HIPAA") and the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. Her background in this area dates back to the issuance of the original HIPAA privacy regulations.
Anna's clients depend on her to guide them through compliance with the Anti-Kickback statute, the Stark regulations, and other laws preventing fraud and abuse in the health care industry. Her deep knowledge of these laws has made her an important component of the firm’s representation of pharmaceutical companies and health care organizations under federal investigation or facing allegations under the False Claims Act. In addition, clients contemplating acquisitions in the health care sector rely on her to guide due diligence efforts.
HHS Launches New “Health Apps” Website to Highlight HIPAA Guidance for Mobile Health Applications
On September 2, 2020, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) announced a new “Health Apps” feature on the HHS.gov website. The new website, which replaces the OCR’s Health App Developer Portal, highlights existing guidance for mobile health (“mHealth”) apps regarding the Health…
Continue Reading HHS Launches New “Health Apps” Website to Highlight HIPAA Guidance for Mobile Health Applications
SAMHSA Revises Part 2 Regulations for the Confidentiality of SUD Patient Records
On July 13, 2020, the U.S. Department of Health and Human Services, Substance Abuse and Mental Health Services Administration (SAMHSA) issued a final rule revising the Confidentiality of Substance Use Disorder Patient Records regulations located at 42 C.F.R. Part 2, commonly referred to as “Part 2.” Under Part 2, federally…
Continue Reading SAMHSA Revises Part 2 Regulations for the Confidentiality of SUD Patient Records
FTC to Consider Changes to the Health Breach Notification Rule
On May 8, 2020, the Federal Trade Commission (“FTC”) issued a notice soliciting public comment regarding whether changes should be made to its Health Breach Notification Rule (the “Rule”). The request for comment is part of a periodic review process “to ensure that [FTC rules] are keeping pace with changes…
Continue Reading FTC to Consider Changes to the Health Breach Notification Rule
HHS Announces Enforcement Discretion Over the Implementation of Interoperability Final Rules Due to COVID-19 Public Health Emergency
On April 21, 2020, the Department of Health and Human Services (“HHS”) announced that, as a response to the COVID-19 public health emergency, it will exercise enforcement discretion to “permit compliance flexibilities” regarding the implementation of the interoperability final rules issued on March 9th, 2020. This joint announcement was made…
Continue Reading HHS Announces Enforcement Discretion Over the Implementation of Interoperability Final Rules Due to COVID-19 Public Health Emergency
HHS Relaxes HIPAA Enforcement for Certain Covered Entities and Business Associates Regarding Their Participation in COVID-19 Community-Based Testing Sites
On April 9, 2020, U.S. Department of Health and Human Services (“HHS”) issued a Notification of Enforcement Discretion (the “Notification”) regarding certain covered entities and business associates who choose to participate in the operation of a Community-Based Testing Site (“CBTS”) during the COVID-19 nationwide public health emergency. The Notification relaxes…
Continue Reading HHS Relaxes HIPAA Enforcement for Certain Covered Entities and Business Associates Regarding Their Participation in COVID-19 Community-Based Testing Sites
OCR Alert Warns Covered Entities and Business Associates of Potential PHI Scam
On April 3, 2020, the Department of Health and Human Services Office for Civil Rights (“OCR”) released an alert warning covered entities and business associates of an individual posing as an OCR Investigator to obtain protected health information. According to the alert, “[t]he individual identifies themselves as an OCR Investigator…
Continue Reading OCR Alert Warns Covered Entities and Business Associates of Potential PHI Scam
HHS Seeks to Facilitate Certain Uses and Disclosures of Health Data to Public Health and Health Oversight Agencies Amidst COVID-19 Nationwide Public Health Emergency
On April 2, 2020, the U.S. Department of Health and Human Services (“HHS”) issued a Notification of Enforcement Discretion (the “Notification”) regarding the disclosure of protected health information (“PHI”) to public health authorities and use of PHI to perform analytics for such authorities. Designed to “facilitate uses and disclosures for public health and health oversight activities during this nationwide public health emergency,” the Notification relaxes HHS’s enforcement of certain provisions of the Privacy Rule issued under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). More specifically, the Notification announces that, under certain circumstances, HHS will not impose penalties for violations of such provisions against covered health care providers and their business associates for the use and disclosure of PHI “by business associates for public health and health oversight activities” in connection with the COVID-19 nationwide public health emergency.
Continue Reading HHS Seeks to Facilitate Certain Uses and Disclosures of Health Data to Public Health and Health Oversight Agencies Amidst COVID-19 Nationwide Public Health Emergency
HHS Relaxes Enforcement of Certain HIPAA Provisions Amidst COVID-19 Nationwide Public Health Emergency
This month, the U.S. Department of Health and Human Services (“HHS”) issued guidance waiving enforcement of certain provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) in response to the COVID-19 nationwide public health emergency.
Covered Health Care Providers
On March 17, 2020, the Department of Health and Human…
Continue Reading HHS Relaxes Enforcement of Certain HIPAA Provisions Amidst COVID-19 Nationwide Public Health Emergency
HHS Finalizes Interoperability Rules
On March 9, 2020, the Department of Health and Human Services (HHS) issued two final rules aimed at improving patient access to electronic health information (EHI), as well as the standardization of modes of exchange for EHI. The rules, which were issued by the Office of the National Coordinator for…
Continue Reading HHS Finalizes Interoperability Rules