On January 14, 2021, the United States Court of Appeals for the Fifth Circuit vacated a $4.3 million civil monetary penalty that the Office for Civil Rights (“OCR”) of the Department of Health and Human Services (“HHS”) imposed against the University of Texas M.D. Anderson Cancer Center (“M.D. Anderson”). OCR ordered the penalty in 2017 following an investigation into three data breaches suffered by M.D. Anderson in 2012 and 2013, finding that M.D. Anderson had violated the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information and Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”). The Court, however, held that the penalty was “arbitrary, capricious, and otherwise unlawful,” in part based on its interpretation of the HIPAA Rules.
Continue Reading M.D. Anderson Wins Appeal Over $4.3 Million HIPAA Penalty
HIPAA and Data Privacy
HITECH Amendment Provides Some Protection For Covered Entities and Business Associates that Adopt Recognized Security Standards
On January 5, 2021, an amendment to the Health Information Technology for Economic and Clinical Health (“HITECH”) Act was signed into law. The amendment requires the U.S. Department of Health and Human Services (“HHS”) to “consider certain recognized security practices of covered entities and business associates when making certain determinations” regarding fines, audit results, or other remedies for resolving potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). For organizations subject to HIPAA, the amendment provides substantial incentives to establish or improve their cybersecurity programs. While it does not establish a complete safe harbor from HIPAA enforcement, the amendment does offer organizations a chance to mitigate financial penalties and other negative regulatory actions that may result from a data breach.
Continue Reading HITECH Amendment Provides Some Protection For Covered Entities and Business Associates that Adopt Recognized Security Standards
HHS Announces Proposed Changes to HIPAA’s Privacy Rule
On December 10, 2020, the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”) issued a proposed rule to modify the Standards for the Privacy of Individually Identifiable Health Information (the “Privacy Rule”) promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”). According to HHS’s announcement, the proposed rule would amend the Privacy Rule to “support individuals’ engagement in their care, remove barriers to coordinated care, and reduce regulatory burdens on the health care industry.” Public comments on the proposed rule are currently being accepted through February 12, 2021.
The proposed rule is part of HHS’s Regulatory Sprint to Coordinated Care, initiated pursuant to Secretary Alex Azar’s value-based transformation agenda, which seeks to “promote value-based care by examining federal regulations that impede efforts among health care providers and health plans to better coordinate care for patients.” Throughout the Privacy Rule, HHS sought to protect health information while also permitting information sharing for certain beneficial purposes. However, stakeholders have questioned whether the Privacy Rule strikes the appropriate balance in certain situations.
Proposed modifications to the HIPAA Privacy Rule include strengthening individuals’ right to access their protected health information (“PHI”), including electronic PHI; facilitating greater family involvement in care for individuals dealing with health crises or emergencies; and allowing providers more flexibility to disclose PHI when harm to a patient is “serious and reasonably foreseeable,” such as during the opioid crisis or COVID-19 public health emergency. Importantly, multiple provisions of the proposed rule, discussed in greater detail below, address electronic health records (“EHRs”) and personal health applications.Continue Reading HHS Announces Proposed Changes to HIPAA’s Privacy Rule
EDPB adopts recommendations on international data transfers following Schrems II decision
On 11 November 2020, the European Data Protection Board (“EDPB”) issued two draft recommendations relating to the rules on how organizations may lawfully transfer personal data from the EU to countries outside the EU (“third countries”). These draft recommendations, which are non-final and open for public consultation until 30 November 2020, follow the EU Court of Justice (“CJEU”) decision in Case C-311/18 (“Schrems II”). (For a more in-depth summary of the CJEU decision, please see our blog post here and our audiocast here. The EDPB also published on 24 July 2020 FAQs on the Schrems II decision here).
The two recommendations adopted by the EDPB are:
- Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (“Draft Recommendations on Supplementary Measures”); and
- Recommendations 02/2020 on the European Essential Guarantees for surveillance measures (“Recommendations on EEG”).
HHS Announces Multiple HIPAA Settlements Related to Data Breaches and the Right of Access Initiative
Throughout September, the Department of Health and Human Services, Office for Civil Rights (“OCR”), announced eight different settlements to resolve a variety of alleged violations of the Privacy and Security Rules promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Notably, three settlements stem from data breaches…
Continue Reading HHS Announces Multiple HIPAA Settlements Related to Data Breaches and the Right of Access Initiative
California Legislature Adopts CCPA Exemption for Information Deidentified in Accordance with the HIPAA Privacy Rule
In a new post on the Covington Inside Privacy blog, our colleagues discuss the passage of California’s AB 713, a bill that creates a new healthcare-related exemption under the California Consumer Privacy Act of 2018 (“CCPA”) for certain information that has been deidentified in accordance with the Health Insurance…
Continue Reading California Legislature Adopts CCPA Exemption for Information Deidentified in Accordance with the HIPAA Privacy Rule
HHS Launches New “Health Apps” Website to Highlight HIPAA Guidance for Mobile Health Applications
On September 2, 2020, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) announced a new “Health Apps” feature on the HHS.gov website. The new website, which replaces the OCR’s Health App Developer Portal, highlights existing guidance for mobile health (“mHealth”) apps regarding the Health…
Continue Reading HHS Launches New “Health Apps” Website to Highlight HIPAA Guidance for Mobile Health Applications
EHR Interoperability: Public Health Benefits & Privacy Considerations
Public-health researchers, officials and medical professionals rely on data to track outbreaks, advance research, and evaluate prospective treatments. One critical source of patient data comes from electronic health records (EHRs). EHR data in the U.S. has traditionally been siloed within hospital IT systems, but the federal government and key healthcare …
Continue Reading EHR Interoperability: Public Health Benefits & Privacy Considerations
HHS Relaxes HIPAA Enforcement for Certain Covered Entities and Business Associates Regarding Their Participation in COVID-19 Community-Based Testing Sites
On April 9, 2020, U.S. Department of Health and Human Services (“HHS”) issued a Notification of Enforcement Discretion (the “Notification”) regarding certain covered entities and business associates who choose to participate in the operation of a Community-Based Testing Site (“CBTS”) during the COVID-19 nationwide public health emergency. The Notification relaxes…
Continue Reading HHS Relaxes HIPAA Enforcement for Certain Covered Entities and Business Associates Regarding Their Participation in COVID-19 Community-Based Testing Sites
OCR Alert Warns Covered Entities and Business Associates of Potential PHI Scam
On April 3, 2020, the Department of Health and Human Services Office for Civil Rights (“OCR”) released an alert warning covered entities and business associates of an individual posing as an OCR Investigator to obtain protected health information. According to the alert, “[t]he individual identifies themselves as an OCR Investigator…
Continue Reading OCR Alert Warns Covered Entities and Business Associates of Potential PHI Scam