On January 6, 2025, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) published a Notice of Proposed Rulemaking (“NPRM”) to amend the Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule. The proposed changes, if enacted, would represent the first update
Newly effective regulations governing confidentiality of Substance Use Disorder (SUD) records now more closely mirror regulations implementing the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and other federal law. The new measures ease the administrative burden on programs by aligning regulations governing the privacy of Part 2 SUD records with the regulatory framework
The new year began with an unusual amount of activity related to the Health Insurance Portability and Accountability Act (HIPAA). Health care providers, health plans, health care clearinghouses, and business associates subject to HIPAA will need to consider three significant developments—one regulatory, one legislative, and one judicial—relating to the Privacy and Security Rules under HIPAA and the related Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH).
Continue Reading A Fast Start: 2021 Begins With Major HIPAA Developments
After a quiet winter, the Department of Health and Human Services’ Office for Civil Rights (OCR) revived with the spring, issuing a set of frequently asked questions and two recent announcements.
The FAQs address the situation where an individual requests a covered entity to disclose protected health information (“PHI”) to an app. The covered entity
On February 7, 2019, the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services published the resolution agreement for its final HIPAA settlement of 2018. The resolution agreement cited two breach notifications that OCR received from the parent of several hospitals in California. In 2013, the provider notified OCR of a breach that occurred when one of its contractors removed electronic security protections from a server. This breach affected more than 50,000 individuals. In 2015, the provider submitted notice of a second breach, this one resulting from an employee’s activation of the wrong website, affecting more than 11,000 individuals.
Continue Reading OCR Closes the Book on 2018 With $3 Million HIPAA Settlement
A celebrity collapses on stage and is rushed to the hospital. Rumors race through social media faster than the ambulance can navigate city streets. Was it exhaustion? Was it her heart? Was there a gunshot? The press broadcasts through the night outside the ER. You are a hospital administrator who has access to information about the celebrity’s medical condition and treatment. You stay past your shift until the patient’s condition is stable and the 11 p.m. news reports have finished. You exit through a side door to avoid attention, but a man comes up alongside you. You know him from some prior incidents. He is an insurance investigator for the arena where the celebrity was performing. He asks you questions, seeking to confirm facts for a preliminary report he is filing. All of the facts that he recites about the celebrity’s condition are true. All of them have been widely reported already. You keep quiet.
You have been well trained. That is what you should do.
Continue Reading HIPAA: Privacy Required, Even When Information Goes Public
Filefax, Inc., a health care records moving and storage company that served as a business associate, went into receivership in 2016. But its receivership did not put an end to an OCR investigation into a HIPAA violation from 2015. Now, the receiver for Filefax has agreed to pay a fine of $100,000 and to properly store, inventory, and dispose of the medical records remaining in its possession under HHS supervision.
The investigation began with a complaint that OCR received about the exposure of a large volume of documents containing protected health information. The investigation confirmed that an individual had left medical records of approximately 2,150 patients at a shredding and recycling facility and that Fllefax had either left the PHI in an unlocked truck in the Filefax parking lot or granted permission to a person to remove the PHI from Filefax and left the PHI, unsecured, outside the Filefax facility for that person to collect.
Continue Reading Closure of Business Does Not Foreclose HIPAA Liabilities