This month, the U.S. Department of Health and Human Services (“HHS”) issued guidance waiving enforcement of certain provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) in response to the COVID-19 nationwide public health emergency.

Covered Health Care Providers

On March 17, 2020, the Department of Health and Human Services Office for Civil Rights

Last week, Senators Amy Klobuchar (D-MN) and Lisa Murkowski (R-AK) introduced the Protecting Personal Health Data Act (S. 1842), which would provide new privacy and security rules from the Department of Health and Human Services (“HHS”) for technologies that collect personal health data, such as wearable fitness trackers, social-media sites focused on health

On Friday, April 19, 2019, the Office for Civil Rights of the U.S. Department of Health and Human Services (HHS) explained in an FAQ the circumstances under which electronic health record (EHR) systems may be subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) liability for an app’s impermissible use or disclosure

On December 13, 2016, President Obama signed the 21st Century Cures Act (“Cures Act”), Pub. L. 114-255, which aims to expand medical research and expedite the approvals of drug therapies for patients.  The Cures Act also contains several provisions related to the HIPAA Privacy and Security Rules.  None of these provisions make substantive changes to the HIPAA regulations at this time; in several instances, they direct the Secretary of Health and Human Services (“HHS”) to study whether the HIPAA regulations should be revised or clarified to remove any potential barriers to optimal patient care and communication or to the availability of patient information for medical research.

The Department of Health and Human Services (HHS) recently published guidance on HIPAA requirements governing the use of cloud computing entities, specifically cloud services providers (CSPs).

In this guidance, HHS explains that CSPs that create, receive, maintain, or transmit protected health information (PHI) on behalf of a covered entity or business associate are considered business

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) recently announced a significant settlement with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), a business associate under HIPAA, arising from a breach of protected health information (PHI) after the theft of an employee’s iPhone.  The iPhone was not encrypted or password protected and held extensive information on approximately 400 nursing home residents, including Social Security numbers; information regarding diagnosis and treatment, medical procedures, medication; and names of family members and legal guardians.  CHCS agreed to pay financial penalties of $650,000 and adhere to a corrective action plan.

While Americans continue the trend towards replacing the traditional phone call with email and texts, health care providers have yet to catch on when interacting with their patients. A recent survey by Nielsen Strategic Health Perspectives found that less than a third of Americans have access to digital communications with their physicians:

The survey found

Last week, the chairmen and ranking members of the Senate Committee on Health, Education, Labor, and Pensions and the Senate Committee on Finance sent a letter to Andy Slavitt, Acting Administrator for the Centers for Medicare & Medicaid Services (“CMS”), and Jocelyn Samuels, Director of the Health and Human Services (“HHS”) Office for Civil Rights (“OCR”), requesting information on how HHS “is working to support and protect victims of medical identity theft” in order to “assess the adequacy of current efforts.”