Tag Archives: ePHI

OCR Issues Five New HIPAA FAQs on Health Information Apps

On April 18, 2019, the Department of Health & Human Services Office for Civil Rights (OCR) issued five new FAQs addressing the applicability of HIPAA to the use of software applications (apps) by individuals to receive health information from their providers.

The new FAQs are available here under the Header “Access Right, Apps and APIs.”

In the FAQs, OCR:

  • Emphasizes that an individual’s right to access her/his protected health information (“PHI” or “ePHI”) under HIPAA generally obligates a covered entity to send PHI to a designated app, even if the

Texas Health System MD Anderson Seeks 5th Circuit Review of HHS Determination that HIPAA Required Encryption of its ePHI

On April 8, 2019, The University of Texas MD Anderson Cancer Center (MDA) filed a petition with the U.S. Court of Appeals for the Fifth Circuit seeking review of a decision by the Department of Health & Human Services’s (HHS) Departmental Appeals Board (DAB) Appellate Division to uphold $4.35 million in civil money penalties (CMPs) assessed against MDA by HHS for alleged violations of HIPAA’s Security and Privacy Rules.

The DAB’s decision, issued on February 8, 2019, affirmed a 2018 decision by an Administrative Law Judge that sustained CMPs issued …

OCR Urges Covered Entities and Business Associates to Use HTTPS

New guidance from the Office for Civil Rights (OCR) urges covered entities and business associates to use Secure Hypertext Transport Protocol (HTTPS) to protect communications from vulnerabilities. According to OCR, the vulnerability can be introduced by the use of products that inspect HTTPS traffic. These products are used to detect malware or unsafe connections, which could allow an interception of the communication. These are called man-in-the-middle attacks.

The OCR advises that covered entities and business associates follow US-CERT guidelines and verify that their HTTPS inspection product validates certificate chains and …

OCR’s HIPAA Guidance on Cloud Computing

On October 6, 2016, the Office for Civil Rights (OCR) released HIPAA guidance on cloud computing (Guidance).  The Guidance was intended to help covered entities and business associates understand their HIPAA obligations in cloud computing arrangements, and clarify the HIPAA obligations of cloud service providers (CSPs). The Guidance noted in part that:

  • CSPs that create, receive, maintain or transmit electronic protected health information (ePHI) are classified as “business associates” under HIPAA. If a covered entity or business associate uses a CSP to perform any of these functions, it must enter
LexBlog