On March 18, 2024, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) updated its guidance on the “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates” (Guidance). OCR’s Guidance was first published on December 1, 2022, and is the subject of a lawsuit brought by

Health care providers subject to the Information Blocking rules issued under the 21st Century Cures Act, Pub.L. 114–255, are reminded that such Information Blocking rules will apply to an expanded set of information beginning on October 6, 2022. The Information Blocking rules currently apply only to a limited portion of electronic health information (EHI) represented by the specific data elements identified in the United States Core Data for Interoperability version 1 standard (commonly referred to as USCDIv1). Effective October 6, 2022, the Information Blocking rules will apply to all EHI, which is defined as all electronic protected health information (as defined by HIPAA) to the extent that such electronic protected health information is included in a designated record set (also as defined by HIPAA), and excluding psychotherapy notes and information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative proceeding.
Continue Reading REMINDER: October 6 Deadline for Information Blocking Rules Approaches

On January 14, 2021, the U.S. Court of Appeals for the Fifth Circuit overturned a $4.348 million penalty for alleged HIPAA violations assessed by the U.S. Department of Health and Human Services (HHS) against the University of Texas M.D. Anderson Cancer Center (Hospital). The case arises from an enforcement action undertaken by HHS following the Hospital’s self-disclosure of three separate instances of lost or stolen portable devices containing electronic protected health information (ePHI). The government’s investigation determined that the devices were not encrypted, and that the Hospital’s failure to encrypt the devices to protect the ePHI contained therein constituted a violation of HIPAA’s Privacy and Security Rules. After HHS imposed the penalty in 2017, the Hospital appealed the penalty first to an Administrative Law Judge, and then to HHS’s Departmental Appeals Board, before petitioning the Fifth Circuit for review in 2019 (see our prior analyses of this case here).
Continue Reading Fifth Circuit Overturns “Arbitrary and Capricious” $4.3 Million HIPAA Penalty Against Hospital

On April 8, 2019, The University of Texas MD Anderson Cancer Center (MDA) filed a petition with the U.S. Court of Appeals for the Fifth Circuit seeking review of a decision by the Department of Health and Human Services’ (HHS) Departmental Appeals Board (DAB) Appellate Division to uphold $4.35 million in civil money penalties (CMPs) assessed against MDA by HHS for alleged violations of HIPAA’s Security and Privacy Rules.

The DAB’s decision, issued on February 8, 2019, affirmed a 2018 decision by an Administrative Law Judge that sustained CMPs issued against MDA arising from three HIPAA breaches in 2011 and 2012 (see our previous analysis of the ALJ’s decision here).
Continue Reading Texas Health System MD Anderson Seeks 5th Circuit Review of HHS Determination that HIPAA Required Encryption of its ePHI

New guidance from the Office for Civil Rights (OCR) urges covered entities and business associates to use Hypertext Transfer Protocol Secure (HTTPS) to protect communications, while warning of a vulnerability that HTTPS alone does not address. According to OCR, the vulnerability can be introduced by the use of products that inspect HTTPS traffic. These products are used to detect malware or unsafe connections, which
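An HTTPS-inspection product works by terminating the client's TLS session, re-signing the server's certificate with a CA that has been installed on every managed client, and opening a second TLS connection to the real server. The client can only see its own leg of that arrangement, so the following is a client-side check for the visible signs: a certificate issuer that is not the one you baselined for the server, and a weak protocol or cipher negotiated on the near leg. This is an added example and is not code from OCR or from the blog post; the function names, the `WEAK_VERSIONS` policy floor, the `expected_issuer_orgs` baseline and the sample certificate dictionary are all assumptions made for illustration. It cannot see the cipher suite or certificate validation the inspection device uses on its far leg, which is exactly the part OCR's warning is about.

```python
# Added example (not from the OCR guidance or the blog post): client-side check for
# signs that an HTTPS-inspection product sits between this machine and a server.
import socket
import ssl

# Assumption: the policy floor is TLS 1.2, so anything below it is flagged.
WEAK_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def rdn_value(name_tuples, key):
    """Pull one attribute (e.g. 'organizationName') out of the nested tuple
    structure that ssl.SSLSocket.getpeercert() uses for 'subject' and 'issuer'."""
    for rdn in name_tuples:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def interception_indicators(peercert, tls_version, cipher, expected_issuer_orgs):
    """Return a list of findings for one connection.

    peercert: dict as returned by getpeercert() after a verified handshake
    tls_version: string from SSLSocket.version(), e.g. 'TLSv1.3'
    cipher: (name, protocol, bits) tuple from SSLSocket.cipher()
    expected_issuer_orgs: organizationName values of the CAs you expect to issue
        this server's certificate (assumption: taken from a known-good baseline)
    """
    findings = []
    issuer_org = rdn_value(peercert.get("issuer", ()), "organizationName")
    if issuer_org not in expected_issuer_orgs:
        # A re-signed certificate is the fingerprint of an inspection device.
        findings.append(f"unexpected issuer organization: {issuer_org!r}")
    if tls_version in WEAK_VERSIONS:
        findings.append(f"weak protocol version negotiated: {tls_version}")
    name, _protocol, bits = cipher
    if bits < 128:
        findings.append(f"weak cipher: {name} ({bits} bits)")
    return findings


def probe(host, port, expected_issuer_orgs, timeout=5.0):
    """Open a real, certificate-validated TLS connection and inspect it.

    create_default_context() uses the system trust store, so a corporate
    interception CA pushed to this machine validates cleanly; the issuer
    comparison in interception_indicators() is what catches it.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return interception_indicators(
                tls.getpeercert(), tls.version(), tls.cipher(), expected_issuer_orgs)


# Constructed sample (not captured from a real host): what getpeercert() would
# return when a proxy has re-signed a certificate with a CA named "Corp Proxy CA".
SAMPLE_INTERCEPTED_CERT = {
    "subject": ((("commonName", "example.org"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Corp Proxy CA"),),
               (("commonName", "Corp Proxy CA Root"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}

if __name__ == "__main__":
    # Offline demonstration on the constructed certificate; the baseline issuer
    # set is an assumption for the example.
    for finding in interception_indicators(
            SAMPLE_INTERCEPTED_CERT, "TLSv1.2",
            ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128),
            expected_issuer_orgs={"Example Public CA"}):
        print("finding:", finding)
    # To check a live connection instead:
    #   probe("example.org", 443, {"Example Public CA"})
```

The check is deliberately conservative: an unexpected issuer is reported as a finding rather than a verdict, because a legitimate certificate rotation to a new CA looks the same from the client. What the client never learns is whether the inspection device validated the real server's certificate or which cipher it negotiated upstream; that has to be verified on the device itself.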

On October 6, 2016, the Office for Civil Rights (OCR) released HIPAA guidance on cloud computing (Guidance).  The Guidance was intended to help covered entities and business associates understand their HIPAA obligations in cloud computing arrangements, and clarify the HIPAA obligations of cloud service providers (CSPs). The Guidance noted in part that:

  • CSPs that create,