The State of Washington appears close to enacting a new law that regulates the privacy of consumer health information. If passed, the new law – the My Health My Data Act (MHMDA) –would take effect March 31, 2024 and apply to non-governmental entities that collect, process, share, or sell health information that can be linked
Many privacy professional may have missed it, but In the run-up to the New Year — while many U.S. companies were focused on complying with the California Privacy Rights Act (CPRA) — Congress passed an appropriations bill that contains significant new cybersecurity requirements for medical device companies. The Omnibus Appropriations Bill, which was signed…
The U.S. Department of Health and Human Services (HHS) released guidance to address how the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule applies to various entities’ requests for information related to an individual’s COVID-19 vaccination status.
HHS emphasized that the Privacy Rule applies only to covered entities, including health plans and most…
On September 15, 2021, the Federal Trade Commission (“FTC”) issued a policy statement affirming the applicability of its Health Breach Notification Rule (the “Rule”), 16 CFR Part 318, to health apps and connected devices that are not subject to the Health Insurance Portability and Accountability Act (“HIPAA”) but are capable of drawing information from multiple sources. …
Continue Reading FTC Guidance Affirms Breach Notification Obligations for Health Apps and Connected Devices
The Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) has continued its enforcement of HIPAA’s privacy and security rules in the new administration, announcing a number of settlements of alleged violations in the first seven months of 2021. This settlement activity followed a few other significant HIPAA developments…
The new year began with an unusual amount of activity related to the Health Insurance Portability and Accountability Act (HIPAA). Health care providers, health plans, health care clearinghouses, and business associates subject to HIPAA will need to consider three significant developments—one regulatory, one legislative, and one judicial—relating to the Privacy and Security Rules under HIPAA and the related Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH).
Continue Reading A Fast Start: 2021 Begins With Major HIPAA Developments
The Cybersecurity Infrastructure Security Agency, Federal Bureau of Investigation, and Department of Health and Human Services have jointly posted an advisory to warn hospitals and other health care providers about the threat of malicious attacks on their information systems. At least six hospitals across the United States were recently victimized by attacks using Trickbot malware…
After a quiet winter, the Department of Health and Human Services’ Office for Civil Rights (OCR) revived with the spring, issuing a set of frequently asked questions and two recent announcements.
The FAQs address the situation where an individual requests a covered entity to disclose protected health information (“PHI”) to an app. The covered entity…
A relatively quiet year for HIPAA enforcement is ending with a small flourish. The Office of Civil Rights of the Department of Health and Human Services (HHS) has announced two settlements with covered entities within the span of eight days.
The first settlement involved Advanced Care Hospitalists (ACH), a company that provides internal medicine physicians to hospitals and nursing homes in Florida. In 2014, ACH received notice from a local hospital that individually identifiable patient information had been posted on the website of a third party billing provider. ACH reported the breach, which ultimately led to an HHS investigation. HHS found that:
- The disclosure affected 9,225 patients.
- ACH failed to enter into a business associate agreement with one or more vendors who had access to protected health information (PHI).
- ACH did not implement privacy, security, or breach notification policies and procedures until after the breach was discovered.
- ACH failed to conduct a security risk analysis until after the breach was discovered.
To settle these matters, ACH agreed to pay a $500,000 penalty and fulfill its obligations under a supervised corrective action plan that focuses on the identified failures.
The second settlement followed from a complaint lodged with HHS against Pagosa Springs Medical Center (PSMC) in Colorado. The ensuing investigation revealed:
- The impermissible disclosure of the PHI of at least 557 individuals to a former employee whose access to PSMC’s information systems was not revoked upon termination of employment.
- The impermissible disclosure of the PHI of at least 557 individuals to a business associate without an appropriate business associate agreement.
Imagine a breach in the privacy of protected health information. The violation of an individual’s HIPAA rights may be clear, but the individual cannot sue under HIPAA. Courts have consistently held that HIPAA provides no private right of action.
In the recent case of Lee-Thomas v. Lab Corp., an individual brought suit, claiming that her HIPAA rights had been violated. When hospitalized, she had been asked to submit medical information on a computer. She alleged that the information she entered was visible to another patient at a nearby computer station. The court did not reach the question of whether the proximity of the computers resulted in a HIPAA violation. It dismissed the claim, observing that HIPAA limits enforcement actions to the U.S. Department of Health and Human Services and states’ attorneys general.
The absence of a private right of action under HIPAA significantly reduces the risks faced by covered entities and business associates, but it does not shield them against all litigation and liability. Lawsuits for the improper disclosure of personal medical information have been brought under different theories, including common law breaches of privacy and breaches of contract. Last year, Anthem Inc. settled a class action, arising from a large 2015 data breach, for $115 million. Currently, litigation is being pursued under non-HIPAA claims for disclosures that have resulted from mailing practices, including the use of window envelopes and incorrect addresses. Case law is emerging, and it is possible that courts will refer to HIPAA’s standards as setting the bar for the privacy and data security safeguards that should be implemented and followed, but individuals who sue for breaches of those safeguards will need to base their claims on something other than a HIPAA violation.
Continue Reading HIPAA Enforcement: Where’s the Action?