Archives: HIPAA and Data Privacy

EDPB adopts recommendations on international data transfers following Schrems II decision

On 11 November 2020, the European Data Protection Board (“EDPB”) issued two draft recommendations relating to the rules on how organizations may lawfully transfer personal data from the EU to countries outside the EU (“third countries”).  These draft recommendations, which are non-final and open for public consultation until 30 November 2020, follow the EU Court … Continue Reading

HHS Announces Multiple HIPAA Settlements Related to Data Breaches and the Right of Access Initiative

Throughout September, the Department of Health and Human Services, Office for Civil Rights (“OCR”), announced eight different settlements to resolve a variety of alleged violations of the Privacy and Security Rules promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).  Notably, three settlements stem from data breaches in which hackers were able … Continue Reading

California Legislature Adopts CCPA Exemption for Information Deidentified in Accordance with the HIPAA Privacy Rule

In a new post on the Covington Inside Privacy blog, our colleagues discuss the passage of California’s AB 713, a bill that creates a new healthcare-related exemption under the California Consumer Privacy Act of 2018 (“CCPA”) for certain information that has been deidentified in accordance with the Health Insurance Portability and Accountability Act of 1996 … Continue Reading

HHS Launches New “Health Apps” Website to Highlight HIPAA Guidance for Mobile Health Applications

On September 2, 2020, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) announced a new “Health Apps” feature on the HHS.gov website.  The new website, which replaces the OCR’s Health App Developer Portal, highlights existing guidance for mobile health (“mHealth”) apps regarding the Health Insurance Portability and Accountability Act (“HIPAA”) … Continue Reading

EHR Interoperability: Public Health Benefits & Privacy Considerations

Public-health researchers, officials and medical professionals rely on data to track outbreaks, advance research, and evaluate prospective treatments. One critical source of patient data comes from electronic health records (EHRs).  EHR data in the U.S. has traditionally been siloed within hospital IT systems, but the federal government and key healthcare stakeholders have recently ramped up … Continue Reading

HHS Relaxes HIPAA Enforcement for Certain Covered Entities and Business Associates Regarding Their Participation in COVID-19 Community-Based Testing Sites

On April 9, 2020, U.S. Department of Health and Human Services (“HHS”) issued a Notification of Enforcement Discretion (the “Notification”) regarding certain covered entities and business associates who choose to participate in the operation of a Community-Based Testing Site (“CBTS”) during the COVID-19 nationwide public health emergency. The Notification relaxes HHS’s enforcement of certain provisions … Continue Reading

OCR Alert Warns Covered Entities and Business Associates of Potential PHI Scam

On April 3, 2020, the Department of Health and Human Services Office for Civil Rights (“OCR”) released an alert warning covered entities and business associates of an individual posing as an OCR Investigator to obtain protected health information. According to the alert, “[t]he individual identifies themselves as an OCR Investigator on the telephone, but does … Continue Reading

HHS Seeks to Facilitate Certain Uses and Disclosures of Health Data to Public Health and Health Oversight Agencies Amidst COVID-19 Nationwide Public Health Emergency

On April 2, 2020, the U.S. Department of Health and Human Services (“HHS”) issued a Notification of Enforcement Discretion (the “Notification”) regarding the disclosure of protected health information (“PHI”) to public health authorities and use of PHI to perform analytics for such authorities.  Designed to “facilitate uses and disclosures for public health and health oversight … Continue Reading

HHS Relaxes Enforcement of Certain HIPAA Provisions Amidst COVID-19 Nationwide Public Health Emergency

This month, the U.S. Department of Health and Human Services (“HHS”) issued guidance waiving enforcement of certain provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) in response to the COVID-19 nationwide public health emergency. Covered Health Care Providers On March 17, 2020, the Department of Health and Human Services Office for Civil Rights … Continue Reading

Commission relaunch of eHealth Stakeholder Group

On 13 August 2019, the European Commission opened a call for expression of interest to relaunch the eHealth Stakeholder Group with a view to supporting the “digital transformation of healthcare in the EU”. The eHealth Stakeholder Group was first launched in 2012 and in its first iteration (between 2012 and 2015), contributed to the development … Continue Reading

Senators Introduce Legislation to Regulate Privacy and Security of Wearable Health Devices and Genetic Testing Kits

Last week, Senators Amy Klobuchar (D-MN) and Lisa Murkowski (R-AK) introduced the Protecting Personal Health Data Act (S. 1842), which would provide new privacy and security rules from the Department of Health and Human Services (“HHS”) for technologies that collect personal health data, such as wearable fitness trackers, social-media sites focused on health data or … Continue Reading

HHS Updates Maximum Annual Penalty Limits for Some HIPAA Violations

On April 30, 2019, the Department of Health and Human Services (HHS) published in the Federal Register a notification of enforcement discretion indicating that it will lower the annual Civil Money Penalty (CMP) limits for three of the four penalty tiers in the Health Information Technology for Economic and Clinical Health Act (HITECH Act).  The … Continue Reading

HHS Clarifies HIPAA Liability for EHR System Developers that Transfer Data to Health Apps

On Friday, April 19, 2019, the Office for Civil Rights of the U.S. Department of Health and Human Services (HHS) explained in an FAQ the circumstances under which electronic health record (EHR) systems may be subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) liability for an app’s impermissible use or disclosure … Continue Reading

EESC supports the digital transformation of EU healthcare sector, emphasising data access and ownership as ‘crucial’ to the process

On 6 December 2018, the European Economic and Social Committee (EESC) published an opinion (“Opinion”) addressing the European Commission’s recent Communication on the digital transformation of health and care in the Digital Single Market (issued 25 April 2018). The EESC is an advisory body of the European Union (“EU”) comprising representatives of workers’ and employers’ … Continue Reading

UK Government publishes new policy paper outlining vision for digitizing health care and becoming a global leader in healthtech

On 17 October, the UK Government’s Department of Health and Social Care (DHSC) published a policy paper entitled “The future of healthcare: our vision for digital, data and technology in health and care” (the Policy Paper). The Policy Paper outlines the DHSC’s vision to use technology across the health and care system, from “getting the … Continue Reading

EMA publishes “A Common Data Model for Europe? – Why? Which? How?” Workshop Report

On 8 October, the European Medicines Agency (EMA) published a report (available here) setting out the progress it has made towards applying a common data model (CDM) in Europe. The EMA defines a CDM as “a mechanism by which raw data are standardized to a common structure, format and terminology independently from any particular study … Continue Reading

ICO consults on privacy “regulatory sandbox”

Designing data-driven products and services in compliance with privacy requirements can be a challenging process.  Technological innovation enables novel uses of personal data, and companies designing new data-driven products must navigate new, untested, and sometimes unclear requirements of privacy laws, including the General Data Protection Regulation (GDPR).  These challenges are often particularly acute for companies … Continue Reading

UK Government publishes “Initial code of conduct for data-driven health and care technology” for consultation

On 5 September, in response to the opportunities presented by data-driven innovations, apps, clinician decision support tools, electronic health care records and advances in technology such as artificial intelligence, the UK Government published a draft “Initial code of conduct for data-driven health and care technology” (Code) for consultation.  The Code is designed to be supplementary … Continue Reading

CMS Announces MyHealthEData Initiative to Promote Patient Access to Health Data

On March 6, 2018, CMS announced the MyHealthEData initiative, which aims to give patients easier access to and control over their medical records. Announcing the initiative, CMS Administrator Seema Verma laid out a future where individuals will have access to their health data wherever they go and be able to share data with the push … Continue Reading

Europe Consults on Digital Health

Digital health solution providers, and users of digital health services, should take note of three recently launched EU public consultations in the digital health space, and may wish to make submissions to help shape the future of digital health initiatives in the EU.  The earliest deadline for submissions is 16 August 2017. EU Commission Transformation … Continue Reading

ICO Rules UK Hospital-DeepMind Trial Failed to Comply with UK Data Protection Law

The UK Information Commissioner’s Office (“ICO”), which enforces data protection legislation in the UK, has ruled that the NHS Royal Free Foundation Trust (“Royal Free”), which manages a London hospital, failed to comply with the UK Data Protection Act 1998 in providing 1.6 million patient records to Google DeepMind (“DeepMind”), requiring the Royal Free to sign an … Continue Reading

European Cloud in Health Advisory Council Calls For Review of eHealth Rules and Ethics of Medical Data Re-Use

On May 11, 2017, the European Cloud in Health Advisory Council (ECHAC) – a group of healthcare organizations, technology companies and patient representatives – launched its second whitepaper focused on use of data to improve health outcomes and delivery of care. ECHAC launched the whitepaper at an eHealth Week 2017 session attended by ECHAC participants and … Continue Reading

Twenty-First Century Cures Act Includes HIPAA Provisions

On December 13, 2016, President Obama signed the 21st Century Cures Act (“Cures Act”), Pub. L. 114-255, which aims to expand medical research and expedite the approvals of drug therapies for patients.  The Cures Act also contains several provisions related to the HIPAA Privacy and Security Rules.  None of these provisions make substantive changes to … Continue Reading

HHS Issues Guidance on HIPAA and Cloud Providers

The Department of Health and Human Services (HHS) recently published guidance on HIPAA requirements governing the use of cloud computing entities, specifically cloud services providers (CSPs). In this guidance, HHS explains that CSPs that create, receive, maintain, or transmit protected health information (PHI) on behalf of a covered entity or business associate are considered business … Continue Reading