Articles Posted in HIPAA

Published on:

On April 26, 2024, the Department of Health and Human Services (HHS) published a Final Rule introducing compliance changes for reproductive healthcare information under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. Titled “HIPAA Privacy Rule to Support Reproductive Health Care Privacy,” the Final Rule prohibits disclosure of protected health information (PHI) related to lawful reproductive healthcare under certain circumstances. HIPAA-covered entities will also be required to update their Notices of Privacy Practices (NPPs), obtain attestations in connection with certain requests for reproductive healthcare information, and update their HIPAA policies and training.

The Final Rule prohibits uses or disclosures of PHI to investigate or impose liability on individuals, healthcare providers, or others who seek, obtain, provide, or facilitate reproductive healthcare that is lawful under the circumstances in which it is provided, or to identify persons for such activities. Notably, the Final Rule includes a presumption, with certain exceptions, that reproductive healthcare provided by a person other than the covered entity receiving the request was lawful. Covered entities are required to obtain a signed attestation from certain requestors that they do not seek PHI for these prohibited purposes. This requirement applies when PHI is requested for health oversight activities, judicial and administrative proceedings, law enforcement purposes, and disclosures to coroners and medical examiners. The HHS Office for Civil Rights (OCR) has stated that it intends to publish model attestation language. Additionally, covered entities are required to modify their NPPs to support reproductive healthcare privacy.

The Final Rule continues to allow covered healthcare providers to use or disclose PHI for purposes otherwise permitted under the Privacy Rule where the request for the use or disclosure of PHI is not made to investigate or impose liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive healthcare. The Final Rule will become effective on June 25, 2024, with a compliance date of December 23, 2024, except for certain requirements pertaining to Notices of Privacy Practices. Covered entities must comply with the NPP provisions of the Final Rule by February 16, 2026.

Published on:

The integration of Artificial Intelligence (AI) into healthcare represents a frontier of innovation, offering transformative potential for patient care, diagnostic accuracy, and operational efficiency. However, as healthcare providers and technology companies rapidly adopt AI solutions, navigating the complex landscape of regulatory compliance becomes increasingly crucial. That landscape is shaped by its focus on patient safety, data privacy, and ethical standards, making regulatory compliance as critical as the technological advancements themselves.

At the heart of healthcare regulation is the imperative to ensure patient safety and efficacy of care. Regulatory bodies like the U.S. Food and Drug Administration (FDA) have been active in establishing frameworks for the approval and use of AI-driven medical devices and software. While FDA generally has authority to regulate medical devices, there are important limits on that authority. Users of AI tools that assist practitioners in analyzing a patient’s symptomology and rendering a diagnosis may want to explore whether the tool constitutes Clinical Decision Support software, certain categories of which are excluded from the statutory definition of a medical device and are therefore generally beyond the scope of FDA regulation.

While AI can provide powerful tools to assist licensed healthcare practitioners, there may be significant implications where an AI tool attempts to replace a licensed healthcare practitioner. These implications include both ethical considerations for the licensed practitioner and compliance considerations for the unlicensed user of an AI-driven tool. Every state issues licenses to practice within a certain scope of practice and limits conduct within that scope of practice to holders of a license. For example, generally only licensed medical doctors may practice medicine. A licensed medical practitioner who allows an AI-driven tool to dictate patient care and fails to exercise independent medical judgment may have violated ethical and legal obligations under their applicable license. On the other hand, the unlicensed user of an AI-driven tool may face accusations of unauthorized practice where the tool is performing activities that are reserved to licensed physicians, nurses, etc.

Published on:

Earlier this month, the Department of Health and Human Services (HHS) released a concept paper that outlines the Department’s cybersecurity strategy for the healthcare sector. The concept paper builds on the Biden Administration’s National Cybersecurity Strategy, specifically focusing on strengthening resilience for hospitals, patients, and communities threatened by cyber-attacks. The paper arrives at a crucial time for healthcare providers: according to the HHS Office for Civil Rights (OCR), large-breach cyber incidents in the healthcare sector increased 93% from 2018 to 2022, with a 278% increase in large breaches involving ransomware.

The HHS healthcare cybersecurity strategy comprises four concurrent components, with the overarching goal of strengthening cyber resiliency in the healthcare sector. The four components established by HHS are:

  • Establish voluntary cybersecurity performance goals for the healthcare sector;
Published on:

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently entered into a first-of-its-kind resolution agreement and corrective action plan to settle potential HIPAA violations arising out of a ransomware attack. The agreement to settle alleged HIPAA violations was entered into with Doctors’ Management Services (DMS), a practice management company acting as a business associate to several covered entities.

By way of background, in April 2019, OCR opened an investigation based on a breach report from DMS. The report stated that approximately 206,695 individuals were affected when the DMS network server was infected with ransomware. The initial unauthorized access to the network occurred in 2017. However, DMS did not detect the intrusion until late 2018, after ransomware had been used to encrypt its files. In other words, the attacker had roughly twenty months of undetected access, and the intrusion came to light only when the attacker chose to deploy ransomware rather than through any monitoring by DMS. Based on its investigation, OCR alleged that:

  • DMS failed to conduct an accurate and thorough risk analysis that assessed technical, physical, and environmental risks and vulnerabilities associated with handling electronic patient health information (ePHI);
Published on:

The U.S. Department of Health and Human Services’ (HHS) Centers for Medicare & Medicaid Services (CMS) recently issued a proposed rule to implement requirements of the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Specifically, this proposed rule would adopt standards for “healthcare attachments” transactions, which would support both healthcare claims and prior authorization transactions, and a standard for electronic signatures to be used in conjunction with healthcare attachments transactions. CMS has stated that it believes the proposed rule would result in significant cost savings and a reduction in administrative paperwork, allowing healthcare providers to allocate more time to direct patient care.

The HIPAA Administrative Simplification rule is designed to ensure consistent electronic communication across healthcare systems and promote efficient transfer of administrative data between health plans, healthcare providers, and clearinghouses. This regulation requires HIPAA-covered entities to adopt standards for transactions involving the electronic exchange of healthcare data and specifies standards to be used in all HIPAA-covered transactions.

Healthcare attachments are documents that provide additional information to aid in the healthcare payment decision-making process. This information typically includes patient or case-related information, patient test results, and medical records. The proposed rule would mandate a standard format for the transmission of healthcare attachments between HIPAA-regulated entities to support electronic healthcare claims and prior authorization transactions, which currently lack an efficient and uniform method of sending attachments.

Published on:

The use of telemedicine has exploded over the last few years. The COVID-19 pandemic spurred a shift from in-person services to services provided by telemedicine. As healthcare providers and patients experience the added convenience of telemedicine in some circumstances, some of the large-scale shifts to telemedicine will likely become permanent. However, with increased use comes increased scrutiny from regulators. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and the Department of Justice (DOJ) recently released guidance regarding the provision of telehealth services to individuals with disabilities or with limited English proficiency.

Collectively, several federal laws generally prohibit discrimination on the basis of disability, race, color, and national origin, among other bases. Federal regulations also generally require covered health programs or activities provided by covered entities through electronic or information technology to be accessible to individuals with disabilities unless doing so would result in undue financial and administrative burdens or fundamental alteration of the health program. According to the joint guidance, “A health care provider’s failure to take appropriate action to ensure that care provided through telehealth is accessible can result in unlawful discrimination.”

HHS and DOJ’s guidance generally directs providers to make exceptions to their telemedicine policies or to make special accommodations to individuals with disabilities or limited English proficiency, such as allowing extra time for familiarization with the telemedicine platform or for communication with the provider, allowing caregivers or others to be present during a telemedicine visit, adding additional capabilities or support for functions like real-time captioning or screen reader software, and use of language assistance services. A provider’s obligation to accommodate disabilities over telemedicine is generally the same as when providing in-person services.

Published on:

On September 10, 2021, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced the resolution of its twentieth investigation under its HIPAA Right of Access Initiative. In early 2019, OCR stated that it would create an initiative to enforce patients’ right of access to their own health information in a timely and reasonable manner. This concept is not novel to OCR, as the right of access has long been a stated goal of HIPAA within the Privacy Rule. This aspect of HIPAA had been enforced at various times in the past; however, it was never enforced with any regularity until the OCR initiative was established. To date, OCR has remained dedicated to ensuring that every patient is afforded the access to their health information that HIPAA has long promised.

In OCR’s latest settlement, a hospital and medical center located in Omaha, Nebraska agreed to take corrective actions and pay $80,000 to settle a potential violation of the HIPAA Privacy Rule. The alleged violation stems from a May 2020 complaint filed by a parent alleging that the hospital had failed to provide her with timely access to her minor daughter’s medical records. The hospital provided some records, but did not provide all of the requested records despite the parent’s multiple follow-up requests. OCR alleged that the hospital failed to provide timely access to the requested medical records and thus potentially violated the HIPAA right of access standard. That standard generally requires a covered entity to act on an access request within 30 days of receipt (or within 60 days if a one-time extension applies). As a result of OCR’s investigation, the parent did in fact receive all of the requested records.

Healthcare providers often afford heightened focus to preventing unauthorized access to or sharing of health information, which sometimes means that less focus is given to providing patients with quick and affordable access to their own records. In light of OCR’s initiative and its dedication to enforcing patients’ right of access under the Privacy Rule, healthcare providers should take care to be knowledgeable about this aspect of their operations.

Published on:

On September 30, 2021, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) issued guidance to help consumers, businesses, and healthcare entities understand when the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule applies to disclosures and requests for information about an individual’s COVID-19 vaccination status. As a preliminary note, the guidance reminds readers that the HIPAA Privacy Rule does not apply to employers or employment records. The Privacy Rule only applies to HIPAA covered entities, which include health plans, healthcare clearinghouses, and healthcare providers that conduct standard electronic transactions and, in some cases, to their business associates.

The guidance initially answers a highly popular and controversial question in light of the COVID-19 pandemic. According to the OCR guidance, the HIPAA Privacy Rule does not prohibit businesses or individuals from asking whether their customers or clients have received a COVID-19 vaccine. Because individuals and entities such as businesses are not covered entities, the Privacy Rule generally does not apply to them. Nor does the Privacy Rule regulate the ability of covered entities and business associates to request information from patients or visitors. Rather, the Privacy Rule regulates how and when covered entities and business associates are permitted to use and disclose protected health information (PHI), for example COVID-19 vaccination status, that covered entities and business associates create, receive, maintain, or transmit. Conversely, the Privacy Rule does not prevent customers or clients of a business from disclosing whether they have been vaccinated. The Privacy Rule does not apply to individuals’ disclosures about their own PHI.

The guidance proceeds to inform readers that employers are not prohibited under the Privacy Rule from requiring employees to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties. Generally, the Privacy Rule does not regulate what information can be requested from employees as part of the terms and conditions of employment that an employer may impose on its employees. However, other federal or state laws address terms and conditions of employment. Federal anti-discrimination laws generally do not prevent an employer from choosing to require that all employees physically entering the workplace be vaccinated against COVID-19 and provide documentation or other confirmation that they have met this requirement. Under the Americans with Disabilities Act (ADA), documentation or other confirmation of vaccination must be kept confidential and stored separately from the employee’s personnel files. Similarly, the Privacy Rule does not prohibit a covered entity or business associate from requiring its employees to disclose to their employers or other parties whether employees have received a COVID-19 vaccine. The Privacy Rule also generally does not apply to employment records, including employment records held by covered entities and business associates acting in their capacity as employers.

Published on:

On June 24, 2021, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) published the comments that it received during the public comment period for the proposed modifications to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. OCR first announced the proposed rulemaking in December 2020. While the proposal was not technically subject to the “regulatory freeze” imposed by the Biden administration, it was effectively delayed because OCR extended the public comment period through May 2021.

The proposed changes to HIPAA are part of the larger transition to a value-based health care system in which providers are compensated based on patient health outcomes. The modifications propose to address standards that may impede the transition to a value-based health care system and other unnecessary burdens by increasing individuals’ rights to access their health information, enhancing information sharing for care coordination and case management, improving family and caregiver involvement for individuals experiencing health emergencies, reducing the administrative burden on HIPAA-covered providers, and facilitating the disclosure of certain health information during emergencies such as the opioid crisis and COVID-19 pandemic.

Some of the major changes to the Privacy Rule include:

Published on:

On February 12, 2021, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced the details of its previously announced discretion in the enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act rules related to privacy, security, and data breaches. OCR will not penalize covered health care providers or their business associates for non-compliance with HIPAA arising from the good faith use of online or web-based scheduling applications (WBSAs) to schedule COVID-19 vaccination appointments during the COVID-19 pandemic.

During the COVID-19 public health emergency, HIPAA covered providers, such as large pharmacy chains, or business associates acting on behalf of the covered providers, may utilize WBSAs to schedule individual appointments for COVID-19 vaccinations. For the purposes of this exercise of discretion, a WBSA is an online or web-based application that only allows the intended parties to access the data and that provides individual appointment scheduling related to large-scale COVID-19 vaccination. Technology that directly connects to electronic health records (EHR) systems used by covered providers is not included in this discretionary measure and does not constitute a WBSA. The HIPAA privacy rules allow business associates of a covered entity to use and disclose protected health information (PHI) for certain functions, only as dictated by a business associate contract or other agreement. However, during the COVID-19 pandemic, health care providers need to quickly schedule many appointments for COVID-19 vaccinations and often do this through WBSAs. Some of these online scheduling applications, and the way in which healthcare providers use them, may not comply with the HIPAA privacy rules. Furthermore, vendors of the WBSAs may not know that providers are using these applications to create and send PHI, potentially making the WBSA vendors business associates under HIPAA without their knowledge.

OCR will exercise discretion in the enforcement of the HIPAA privacy rules and will not penalize covered healthcare providers, their business associates, or WBSA vendors who are technically business associates, for noncompliance as it relates to the scheduling of individual COVID-19 vaccination appointments during the COVID-19 pandemic. This enforcement discretion applies to covered healthcare providers and their business associates that are, in good faith, using WBSAs to schedule COVID-19 vaccination appointments, as well as to WBSA vendors whose platforms are being used to schedule COVID-19 vaccination appointments. The discretion does not apply to covered providers or business associates for activities unrelated to the scheduling of COVID-19 vaccinations, or where the covered providers or business associates fail to act in good faith. Instances in which a covered provider or business associate is not acting in good faith include: the use of a WBSA that allows the sale of the personal information collected, the use of a WBSA for purposes other than scheduling COVID-19 vaccination appointments, the use of a WBSA without reasonable safeguards to protect the PHI, and the use of a WBSA to screen individuals for COVID-19 before an in-person visit.
