On April 12, 2023, the U.S. Department of Health & Human Services (HHS) released a Notice of Proposed Rulemaking (Proposed Rule) that seeks to enhance safeguards of reproductive health care information through changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. The proposal is intended to align with President Biden’s Executive Order
HIPAA
OCR Reminder: Pandemic-Era HIPAA Flexibilities Will End May 11, 2023
On April 11, 2023 – one month in advance of the end of the COVID-19 public health emergency (PHE) on May 11, 2023 – the federal Office for Civil Rights (OCR) confirmed that various Notifications of Enforcement Discretion issued under HIPAA during the PHE will expire at the end of the day on May 11, 2023.…
CMS Issues Guidance for Providers on Waivers, Flexibilities and End of COVID-19 Public Health Emergency
The Centers for Medicare & Medicaid Services (CMS) recently issued a Fact Sheet (Fact Sheet) providing guidance on the impact of the end of the federal COVID-19 Public Health Emergency (PHE) on certain regulatory waivers, legislative changes, and flexibilities that have been established during the PHE. The government previously announced that the PHE will expire at the end of the day on May 11, 2023. CMS is providing this guidance as part of efforts to ease the transition for health care providers, patients, and other industry stakeholders away from pandemic-era policies and practices tied to PHE authorities. CMS emphasizes that many of the waivers and flexibilities are or will become permanent or extended, and others are intended to end on or soon following May 11, 2023.
Below please find a summary of key guidance provided by CMS in the Fact Sheet and in related CMS PHE guidance documents issued recently:…
HHS Issues HIPAA Guidance to Support Audio-Only Telehealth Services
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently issued new guidance (Guidance) on the use of remote communication technologies to deliver audio-only telehealth in accordance with HIPAA. Per OCR, the Guidance is intended to ensure continued access for patients to audio-only telehealth in a secure and compliant manner, particularly once OCR’s notification of enforcement discretion (previously discussed here) tied to the COVID-19 pandemic is rescinded (i.e., once the HHS-declared COVID-19 public health emergency is ended).…
No Private Right of Action under HIPAA, but State Law Claims May Still be Asserted
A federal district court in Montana has confirmed that HIPAA precludes a private right of action for patients to claim an unauthorized access, use, or disclosure of protected health information. Nonetheless, the court denied the defendant covered entity’s motion to dismiss the complaint, holding that the plaintiff could move forward with state-specific claims of invasion of privacy, negligence, negligent infliction of emotional distress, and violation of Montana’s Consumer Protection Act because the federal law does not bar the suit under state law. The court held that, although HIPAA does not allow private lawsuits to be brought for unauthorized disclosure of health information, it does not preempt state law remedies that offer stronger protections than HIPAA.
OCR Announces it Will Not Impose HIPAA Penalties for Use of COVID-19 Vaccine Scheduling Apps
The Office for Civil Rights (OCR) issued a notice yesterday stating that it will not impose penalties for HIPAA non-compliance in connection with a covered entity health care provider’s or business associate’s good faith use of online or web-based scheduling applications (WBSAs) for the scheduling of appointments for COVID-19 vaccinations during the public health emergency. The notice is retroactively effective to December 11, 2020. OCR highlights to covered health care providers and business associates that its temporary lifting of HIPAA penalties applies only to scheduling of COVID-19 vaccinations and to no other activities.
HHS Proposes Modifications to the HIPAA Privacy Rule to Enhance Care Coordination and Management and Remove Barriers to Accessing Information
On December 10, 2020, the U.S. Department of Health and Human Services (HHS) announced proposed changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, which is one of several rules that protect the privacy and security of individuals’ medical records and other protected health information (PHI). According to HHS, the proposed changes are intended to support individuals’ engagement in their health care, remove barriers to coordinated care and case management, and reduce regulatory burdens on the health care industry, while continuing to protect the privacy and security of individuals’ PHI.
Dignity Health Settles with OCR for $160,000 for Failing to Provide Access to Records
Continuing with its previous enforcement actions centered on covered entities’ failure to provide patients with access to their health records, the Office for Civil Rights (OCR) announced on October 9, 2020 that it entered into a settlement with Dignity Health, doing business as St. Joseph’s Hospital and Medical Center in Phoenix (St. Joseph’s) for $160,000 for failing to respond to multiple requests of a mother for her son’s records.
Data Breach Regulatory Settlements Update
Community Health Systems, Inc. Settles for $5 M in Multi-State Settlement
On October 8, 2020, New Jersey Attorney General Gurbir Grewal
…
HIPAA Business Associate Pays $2.3 Million Settlement After Hackers Target PHI of Over 6 Million Individuals
Health care providers and contractors continue to be a popular target for hackers. Recently, CHSPSC LLC (CHSPSC), which provides various services to hospitals and clinics indirectly owned by Community Health Systems, Inc. of Tennessee, agreed to pay $2,300,000 to the Office for Civil Rights (OCR) in settlement of potential violations of HIPAA’s Privacy and Security Rules. The OCR investigation and settlement stemmed from a data breach affecting over six million people.…