At the close of 2024, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (the Proposed Rule) to amend the Security Rule regulations established for protecting electronic health information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The updated
OCR Active with Settlements and Enforcement Actions in November and Early December
The Office for Civil Rights of the Department of Health and Human Services (OCR) was busy negotiating and settling enforcement actions in November and early December. Since October 31, 2024, the OCR has settled five separate cases of alleged HIPAA violations. The settlements include resolution agreements and civil monetary penalties.
One of the settlements and…
OCR Settles Fourth Ransomware Investigation
The Office for Civil Rights of the Department of Health and Human Services (OCR) announced on September 26, 2024, that it had entered a settlement with Cascade Eye and Skin Centers (together, Cascade) for $250,000 following an investigation of a ransomware attack against them.
This is the fourth settlement against a victim of a ransomware…
MA and CT Pave the Way for Emergency Contraception Vending Machines
State Law Permitting Dispensation of Emergency Contraception by Vending Machines
Legislation passed in 2022 in Massachusetts and in 2023 in Connecticut removes barriers for college students trying to obtain emergency contraception pills like Plan B One-Step. In light of uncertainty around abortion protections following the Supreme Court’s 2022 decision in Dobbs v. Jackson Women’s Health…
Forecasting the Integration of AI into Health Care Compliance Programs
This post was co-authored by Josh Yoo, legal intern at Robinson+Cole. Josh is not admitted to practice law.
Health care entities maintain compliance programs in order to comply with the myriad, changing laws and regulations that apply to the health care industry. Although laws and regulations specific to the use of artificial intelligence (AI) are limited at this time and in the early stages of development, current law and pending legislation offer a forecast of standards that may become applicable to AI. Health care entities may want to begin to monitor the evolving guidance applicable to AI and start to integrate AI standards into their compliance programs in order to manage and minimize this emerging area of legal risk.
Executive Branch: Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence
Following Executive Order 13960 and the Blueprint for an AI Bill of Rights, Executive Order No. 14110 (EO) amplifies the current key principles and directives that will guide federal agency oversight of AI. While still largely aspirational, these principles have already begun to reshape regulatory obligations for health care entities. For example, the Department of Health and Human Services (HHS) has established an AI Task Force to regulate AI in accordance with the EO’s principles by 2025. Health care entities would be well-served to monitor federal priorities and begin to formally integrate AI standards into their corporate compliance plans.
- Confidentiality and Security: Federal scrutiny of the privacy and security of entrusted information extends to AI’s interactions with data as a core obligation. This general principle also manifests in more specific directives throughout the EO. The EO also orders the HHS AI Task Force to incorporate “measures to address AI-enhanced cybersecurity threats in the health and human services sector.”
- Transparency: The principle of transparency refers to an AI user’s ability to understand the technology’s uses, processes, and risks. Health care entities will likely be expected to understand how their AI tools collect, process, and predict data. The EO envisions labelling requirements that will flag AI-generated content for consumers as well.
- Governance: Governance applies to an organization’s control over deployed AI tools. Internal mechanical controls, such as evaluations, policies, and institutions, may ensure continuous control throughout the AI’s life cycle. The EO also emphasizes the importance of human oversight. Responsibility for AI implementation, review, and maintenance can be clearly identified and assigned to appropriate employees and specialists.
- Non-Discrimination: AI must also abide by standards that protect against unlawful discrimination. For example, the HHS AI Task force will be responsible for ensuring that health care entities continuously monitor and mitigate algorithmic processes that could contribute to discriminatory outcomes. It will be important to permit internal and external stakeholders to have access to equitable participation in the development and use of AI.
Continue Reading Forecasting the Integration of AI into Health Care Compliance Programs
OCR Updates Online Tracking Technologies HIPAA Guidance
On March 18, 2024, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) updated its guidance on the “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates” (Guidance). OCR’s Guidance was first published on December 1, 2022, and is the subject of a lawsuit brought by…
HHS Settles with Doctors’ Management Services Over Ransomware Attack
On October 31, 2023, the Office for Civil Rights (OCR) issued a press release announcing that it has settled with Doctors’ Management Services for $100,000 following a ransomware attack that compromised the protected health information of 206,695 individuals.
According to the press release, “this marks the first ransomware agreement OCR has reached.” The facts underlying…
HHS Seeks to Strengthen Protections of Reproductive Health Information with Proposed Changes to HIPAA
On April 12, 2023, the U.S. Department of Health & Human Services (HHS) released a Notice of Proposed Rulemaking (Proposed Rule) that seeks to enhance safeguards of reproductive health care information through changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. The proposal is intended to align with President Biden’s Executive Order…
OCR Reminder: Pandemic-Era HIPAA Flexibilities Will End May 11, 2023
On April 11, 2023 – one month in advance of the end of the COVID-19 public health emergency (PHE) on May 11, 2023 – the federal Office for Civil Rights (OCR) confirmed that various Notifications of Enforcement Discretion issued under HIPAA during the PHE will expire at the end of the day on May 11, 2023.Continue Reading OCR Reminder: Pandemic-Era HIPAA Flexibilities Will End May 11, 2023
CMS Issues Guidance for Providers on Waivers, Flexibilities and End of COVID-19 Public Health Emergency
The Centers for Medicare & Medicaid Services (CMS) recently issued a Fact Sheet (Fact Sheet) providing guidance on the impact of the end of the federal COVID-19 Public Health Emergency (PHE) on certain regulatory waivers, legislative changes, and flexibilities that have been established during the PHE. The government previously announced that the PHE will expire at the end of the day on May 11, 2023. CMS is providing this guidance as part of efforts to ease the transition for health care providers, patients, and other industry stakeholders away from pandemic-era policies and practices tied to PHE authorities. CMS emphasizes that many of the waivers and flexibilities are or will become permanent or extended, and others are intended to end on or soon following May 11, 2023.
Below please find a summary of key guidance provided by CMS in the Fact Sheet and in related CMS PHE guidance documents issued recently:Continue Reading CMS Issues Guidance for Providers on Waivers, Flexibilities and End of COVID-19 Public Health Emergency