On September 28, the governor of California signed into law AB 2089, which expands the scope of California’s Confidentiality of Medical Information Act (“CMIA”) to cover mental health services that are delivered through digital health solutions and the associated health information generated from these services. Continue Reading California Expands the Scope of the CMIA to Cover Certain Digital Mental Health Services and Information
Tara Carrier
Tara Carrier is an associate in Covington’s Boston office, where she is a member of the Health Care and White Collar Defense and Investigations Practice Groups. Tara focuses her practice on representing clients in the life sciences and health care industries in a variety of regulatory and compliance matters, including fraud and abuse, health information privacy and compliance with HIPAA, promotion and advertising, market access, pricing and reimbursement activities, and other related areas. In addition, Tara has experience representing clients in government investigations and conducting targeted internal investigations covering a broad range of health care compliance issues. She also counsels clients on mitigating compliance risks and implementing and operating under HHS OIG Corporate Integrity Agreements.
Tara is an author of the U.S. chapter of a global treatise on drug pricing and reimbursement.
In addition to her life sciences practice, Tara maintains an active pro bono practice, with a particular focus on reproductive rights.
FTC Adopts Policy Statement on Privacy Breaches by Health Apps and Connected Devices
On September 15, the Federal Trade Commission (“FTC”) adopted, on a 3-2 party-line vote, a policy statement that takes a broad view of which health apps and connected devices are subject to the FTC’s Health Breach Notification Rule (the “Rule”) and what triggers the Rule’s notification requirement.
The Rule was promulgated in 2009 under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. Under the Rule, vendors of personal health record that are not otherwise regulated under the Health Insurance Portability and Accountability Act (“HIPAA”) are required to notify individuals, the FTC, and, in some cases, the media following a breach involving unsecured identifiable health information. 16 C.F.R. §§ 318.3, 318.5. Third-party service providers also are required to notify covered vendors of any breach. 16 C.F.R. § 318.3.Continue Reading FTC Adopts Policy Statement on Privacy Breaches by Health Apps and Connected Devices
M.D. Anderson Wins Appeal Over $4.3 Million HIPAA Penalty
On January 14, 2021, the United States Court of Appeals for the Fifth Circuit vacated a $4.3 million civil monetary penalty that the Office for Civil Rights (“OCR”) of the Department of Health and Human Services (“HHS”) imposed against the University of Texas M.D. Anderson Cancer Center (“M.D. Anderson”). OCR ordered the penalty in 2017 following an investigation into three data breaches suffered by M.D. Anderson in 2012 and 2013, finding that M.D. Anderson had violated the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information and Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”). The Court, however, held that the penalty was “arbitrary, capricious, and otherwise unlawful,” in part based on its interpretation of the HIPAA Rules.
Continue Reading M.D. Anderson Wins Appeal Over $4.3 Million HIPAA Penalty
HITECH Amendment Provides Some Protection For Covered Entities and Business Associates that Adopt Recognized Security Standards
On January 5, 2021, an amendment to the Health Information Technology for Economic and Clinical Health (“HITECH”) Act was signed into law. The amendment requires the U.S. Department of Health and Human Services (“HHS”) to “consider certain recognized security practices of covered entities and business associates when making certain determinations” regarding fines, audit results, or other remedies for resolving potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). For organizations subject to HIPAA, the amendment provides substantial incentives to establish or improve their cybersecurity programs. While it does not establish a complete safe harbor from HIPAA enforcement, the amendment does offer organizations a chance to mitigate financial penalties and other negative regulatory actions that may result from a data breach.
Continue Reading HITECH Amendment Provides Some Protection For Covered Entities and Business Associates that Adopt Recognized Security Standards
HHS Announces Proposed Changes to HIPAA’s Privacy Rule
On December 10, 2020, the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”) issued a proposed rule to modify the Standards for the Privacy of Individually Identifiable Health Information (the “Privacy Rule”) promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”). According to HHS’s announcement, the proposed rule would amend the Privacy Rule to “support individuals’ engagement in their care, remove barriers to coordinated care, and reduce regulatory burdens on the health care industry.” Public comments on the proposed rule are currently being accepted through February 12, 2021.
The proposed rule is part of HHS’s Regulatory Sprint to Coordinated Care, initiated pursuant to Secretary Alex Azar’s value-based transformation agenda, which seeks to “promote value-based care by examining federal regulations that impede efforts among health care providers and health plans to better coordinate care for patients.” Throughout the Privacy Rule, HHS sought to protect health information while also permitting information sharing for certain beneficial purposes. However, stakeholders have questioned whether the Privacy Rule strikes the appropriate balance in certain situations.
Proposed modifications to the HIPAA Privacy Rule include strengthening individuals’ right to access their protected health information (“PHI”), including electronic PHI; facilitating greater family involvement in care for individuals dealing with health crises or emergencies; and allowing providers more flexibility to disclose PHI when harm to a patient is “serious and reasonably foreseeable,” such as during the opioid crisis or COVID-19 public health emergency. Importantly, multiple provisions of the proposed rule, discussed in greater detail below, address electronic health records (“EHRs”) and personal health applications.Continue Reading HHS Announces Proposed Changes to HIPAA’s Privacy Rule
HHS Announces Multiple HIPAA Settlements Related to Data Breaches and the Right of Access Initiative
Throughout September, the Department of Health and Human Services, Office for Civil Rights (“OCR”), announced eight different settlements to resolve a variety of alleged violations of the Privacy and Security Rules promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Notably, three settlements stem from data breaches…
Continue Reading HHS Announces Multiple HIPAA Settlements Related to Data Breaches and the Right of Access Initiative
HHS Launches New “Health Apps” Website to Highlight HIPAA Guidance for Mobile Health Applications
On September 2, 2020, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) announced a new “Health Apps” feature on the HHS.gov website. The new website, which replaces the OCR’s Health App Developer Portal, highlights existing guidance for mobile health (“mHealth”) apps regarding the Health…
Continue Reading HHS Launches New “Health Apps” Website to Highlight HIPAA Guidance for Mobile Health Applications
SAMHSA Revises Part 2 Regulations for the Confidentiality of SUD Patient Records
On July 13, 2020, the U.S. Department of Health and Human Services, Substance Abuse and Mental Health Services Administration (SAMHSA) issued a final rule revising the Confidentiality of Substance Use Disorder Patient Records regulations located at 42 C.F.R. Part 2, commonly referred to as “Part 2.” Under Part 2, federally…
Continue Reading SAMHSA Revises Part 2 Regulations for the Confidentiality of SUD Patient Records
FTC to Consider Changes to the Health Breach Notification Rule
On May 8, 2020, the Federal Trade Commission (“FTC”) issued a notice soliciting public comment regarding whether changes should be made to its Health Breach Notification Rule (the “Rule”). The request for comment is part of a periodic review process “to ensure that [FTC rules] are keeping pace with changes…
Continue Reading FTC to Consider Changes to the Health Breach Notification Rule
HHS Announces Enforcement Discretion Over the Implementation of Interoperability Final Rules Due to COVID-19 Public Health Emergency
On April 21, 2020, the Department of Health and Human Services (“HHS”) announced that, as a response to the COVID-19 public health emergency, it will exercise enforcement discretion to “permit compliance flexibilities” regarding the implementation of the interoperability final rules issued on March 9th, 2020. This joint announcement was made…
Continue Reading HHS Announces Enforcement Discretion Over the Implementation of Interoperability Final Rules Due to COVID-19 Public Health Emergency