You are the HIPAA privacy official of a hospital or health plan (a covered entity under HIPAA). You receive an email from a vendor that handles protected health information (a business associate), informing you that one month ago an unauthorized actor infiltrated its information systems. The intruder may have gained access to information about your

The State of Washington appears close to enacting a new law that regulates the privacy of consumer health information.   If passed, the new law – the My Health My Data Act (MHMDA) –would take effect March 31, 2024 and apply to non-governmental entities that collect, process, share, or sell health information that can be linked

The U.S. Department of Health and Human Services (HHS) released guidance to address how the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule applies to various entities’ requests for information related to an individual’s COVID-19 vaccination status.

HHS emphasized that the Privacy Rule applies only to covered entities, including health plans and most

The Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) has continued its enforcement of HIPAA’s privacy and security rules in the new administration, announcing a number of settlements of alleged violations in the first seven months of 2021.  This settlement activity followed a few other significant HIPAA developments

The new year began with an unusual amount of activity related to the Health Insurance Portability and Accountability Act (HIPAA). Health care providers, health plans, health care clearinghouses, and business associates subject to HIPAA will need to consider three significant developments—one regulatory, one legislative, and one judicial—relating to the Privacy and Security Rules under HIPAA and the related Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH).
Continue Reading  A Fast Start: 2021 Begins With Major HIPAA Developments

On December 18, 2020, the United States Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) issued guidance specific to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the COVID-19 public health emergency. The guidance addresses permitted HIPAA disclosures of Protected Health Information (“PHI”) by covered entities and business associates via health information exchanges (“HIEs”) for certain public health purposes.
Continue Reading  OCR Issues Guidance Related to PHI Disclosures During COVID

The Cybersecurity Infrastructure Security Agency, Federal Bureau of Investigation, and Department of Health and Human Services have jointly posted an advisory to warn hospitals and other health care providers about the threat of malicious attacks on their information systems.  At least six hospitals across the United States were recently victimized by attacks using Trickbot malware

Following a very quiet start to HIPAA settlement activity in 2020, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced eight settlements with covered entities and business associates.

The most recent of these announcements involves the second-largest HIPAA settlement amount in OCR’s history, amounting to $6.85 million.

The Office of Civil Rights of the U.S. Department of Health and Human Services has issued guidance clarifying how HIPAA’s Privacy Rule permits covered entities (in particular, health care providers and health plans) or their business associates to contact former COVID-19 patients about plasma donation to treat or potentially treat patients. The guidance follows the

Health care providers, health plans, and others who are subject to HIPAA are sure to have questions about when they may disclose information about individuals who have contracted, or been exposed to, Coronavirus (COVID-19).

To address these questions, the Office of Civil Rights, U.S. Department of Health and Human Services, has issued guidance.  First, it