HHS Office for Civil Rights

On January 14, 2021, the United States Court of Appeals for the Fifth Circuit vacated a $4.3 million civil monetary penalty that the Office for Civil Rights (“OCR”) of the Department of Health and Human Services (“HHS”) imposed against the University of Texas M.D. Anderson Cancer Center (“M.D. Anderson”).  OCR ordered the penalty in 2017 following an investigation into three data breaches suffered by M.D. Anderson in 2012 and 2013, finding that M.D. Anderson had violated the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”).  The Court, however, held that the penalty was “arbitrary, capricious, and otherwise unlawful,” in part based on its interpretation of the HIPAA Rules.

Continue Reading M.D. Anderson Wins Appeal Over $4.3 Million HIPAA Penalty

On December 10, 2020, the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”) issued a proposed rule to modify the Standards for the Privacy of Individually Identifiable Health Information (the “Privacy Rule”) promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”).  According to HHS’s announcement, the proposed rule would amend the Privacy Rule to “support individuals’ engagement in their care, remove barriers to coordinated care, and reduce regulatory burdens on the health care industry.”  Public comments on the proposed rule are currently being accepted through February 12, 2021.

The proposed rule is part of HHS’s Regulatory Sprint to Coordinated Care, initiated pursuant to Secretary Alex Azar’s value-based transformation agenda, which seeks to “promote value-based care by examining federal regulations that impede efforts among health care providers and health plans to better coordinate care for patients.”  Throughout the Privacy Rule, HHS sought to protect health information while also permitting information sharing for certain beneficial purposes.  However, stakeholders have questioned whether the Privacy Rule strikes the appropriate balance in certain situations.

Proposed modifications to the HIPAA Privacy Rule include strengthening individuals’ right to access their protected health information (“PHI”), including electronic PHI; facilitating greater family involvement in care for individuals dealing with health crises or emergencies; and allowing providers more flexibility to disclose PHI when harm to a patient is “serious and reasonably foreseeable,” such as during the opioid crisis or COVID-19 public health emergency.  Importantly, multiple provisions of the proposed rule, discussed in greater detail below, address electronic health records (“EHRs”) and personal health applications.

Continue Reading HHS Announces Proposed Changes to HIPAA’s Privacy Rule

Throughout September, the Department of Health and Human Services, Office for Civil Rights (“OCR”), announced eight different settlements to resolve a variety of alleged violations of the Privacy and Security Rules promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).  Notably, three settlements stem from data breaches in which hackers were able

On April 3, 2020, the Department of Health and Human Services Office for Civil Rights (“OCR”) released an alert warning covered entities and business associates of an individual posing as an OCR Investigator to obtain protected health information. According to the alert, “[t]he individual identifies themselves as an OCR Investigator on the telephone, but does

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) recently announced a significant settlement with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), a business associate under HIPAA, arising from a breach of protected health information (PHI) after the theft of an employee’s iPhone.  The iPhone was not encrypted or password protected and held extensive information on approximately 400 nursing home residents, including Social Security numbers; information regarding diagnosis and treatment, medical procedures, medication; and names of family members and legal guardians.  CHCS agreed to pay financial penalties of $650,000 and adhere to a corrective action plan.

Continue Reading Significant HIPAA Fine Follows Business Associate’s Stolen iPhone

On April 5, the Federal Trade Commission (FTC), in conjunction with the Food and Drug Administration (FDA) and the Department of Health and Human Services (HHS), released a new web-based interactive tool to assist mobile health app developers in navigating applicable federal laws and regulations in the areas of advertising and marketing, medical devices, and data security and privacy.

The interactive tool consists of 10 questions designed to identify whether a particular mobile health app is subject to any of the following federal laws:

  • the privacy, security and breach notification rules issued under the Health Insurance Portability and Accountability Act (HIPAA);
  • the Food, Drug, and Cosmetic Act (FDCA);
  • the Federal Trade Commission (FTC) Act; and
  • the breach notification rules issued by the FTC.

Regardless of whether mobile apps are subject to any of these federal laws, the guidance directs app developers to newly issued FTC best practices for protecting the privacy and security of consumer data.

Continue Reading FTC Releases Online Tool to Help Health App Developers Identify Applicable Laws

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently released guidance extending Health Insurance Portability and Accountability Act Privacy Rule protections for family members to same-sex spouses, in light of the 2013 Supreme Court ruling in United States v. Windsor.

The HIPAA Privacy Rule grants consumers certain privacy rights with respect to their health information, including important controls over how their health information is used and disclosed by health plans and health care providers.  The Rule includes provisions allowing covered entities to share patient information with family members in some circumstances and prohibiting health plans from using or disclosing genetic information about family members for underwriting purposes.

OCR’s recent guidance, “HIPAA and Same-sex Marriage:  Understanding Spouse, Family Member, and Marriage in the Privacy Rule,” addresses the Windsor decision’s effect on HIPAA provisions relating to family members.  The guidance clarifies that, for purposes of the Privacy Rule, “spouse” includes both same-sex and opposite-sex individuals who are legally married.  The guidance also notes that the term “marriage” includes same-sex marriages, and “family member” includes dependents of those marriages.  All of these terms apply to all legally married individuals, even if the individual is living or receiving services in a jurisdiction that does not recognize same-sex marriage.

Continue Reading HIPAA Privacy Rule Extended To Same-Sex Spouses