OCR

Federal Court Invalidates Key Part of HHS OCR Bulletin Regarding Application of HIPAA to Online Tracking Technologies

In a consequential decision for Health Insurance Portability and Accountability Act (HIPAA)-regulated entities, on June 20, 2024, the US District Court for the Northern District of Texas ruled that the US Department of Health and Human Services Office for Civil Rights exceeded its authority in certain respects in sub-regulatory guidance. The guidance concerned HIPAA’s application to cookies and other online tracking technologies on HIPAA-regulated entities’ unauthenticated webpages.


The Impact of the ACA 1557 Final Regulations on Pregnancy and Abortion

Section 1557 of the Affordable Care Act (ACA) prohibits discrimination on the basis of race, color, national origin, sex, age or disability, or any combination thereof, in a health program or activity, any part of which is receiving federal financial assistance. On May 6, 2024, the US Department of Health and Human Services Office for Civil Rights (OCR) issued final regulations under Section 1557. For an overview of these regulations, please see our post available here.

In a recent post, we reported that the final regulations unambiguously prohibit categorical coverage exclusions or limitations for health services related to gender transition or other gender-affirming care. This, we predicted, is likely to result in a showdown involving the two dozen or so state laws that, among other things, limit gender-affirming care access. In this post, we take up the final regulations’ treatment of pregnancy and abortion. While a similar showdown over abortion is possible, it is (for the reasons set out below) less likely.

Rather than establish protected characteristics, Section 1557 instead cross-references four other civil rights statutes to define what discrimination is prohibited. These include Title VI of the Civil Rights Act of 1964, Title IX of the Education Amendments of 1972 (Title IX), the Age Discrimination Act of 1975 and Section 504 of the Rehabilitation Act. Notably, three of the cross-references (including Title IX) also contain the abbreviation “et seq.,” which captures the balance of the provisions constituting a given law.

An ongoing source of friction involving ACA Section 1557 is the cross-reference to the “religious exemption” in Title IX. This exemption permits conduct by a religiously controlled educational institution that might otherwise violate the statute’s requirements when the institution acts for a religious reason and compliance with the statute would conflict with a religious tenet. A subsequent amendment clarified that Title IX must be construed to neither require nor prohibit any person or entity to provide abortion-related benefits or services. This is referred to as “abortion neutrality.” The final regulations do not incorporate Title IX’s religious exemption or its abortion neutrality provision.

The final regulations define discrimination “on the basis of sex” to include pregnancy or related conditions. How this squares with abortion is addressed at some length in the preamble and the regulation itself:

  • The decision not to import the Title IX religious exception does not compel any individual provider or covered entity with religious- or conscience-based objections to provide abortion or any other care to the extent doing so would conflict with a sincerely held belief.
  • The ACA’s respect for federal laws applies. That law includes robust protections regarding conscience protection, willingness or refusal to provide abortion, and discrimination on the basis of the willingness or refusal “to provide, pay for, cover, or refer for abortion or to provide or participate in training to provide abortion.’’ In addition, “[i]nsofar as the application of any requirement under this part would violate applicable Federal protections for religious [...]


The Impact of the ACA 1557 Final Regulations on Gender-Affirming Care

Section 1557 of the Affordable Care Act (ACA) prohibits discrimination on the basis of race, color, national origin, sex, age or disability, or any combination thereof, in a health program or activity, any part of which is receiving federal financial assistance.

On May 6, 2024, the US Department of Health and Human Services Office for Civil Rights (OCR) and the Centers for Medicare & Medicaid Services published final regulations (final regulations) implementing Section 1557. (Our summary and overview of the final regulations is available here.) Entities that are subject to Section 1557 (covered entities) include hospitals, health clinics, health insurance issuers, state Medicaid agencies and community health centers. While group health plans are not themselves covered entities unless they receive federal financial assistance (e.g., certain Medicare Part D programs and Employer Group Waiver Plans), carriers that provide administrative services to group health plans may themselves be covered entities if they receive federal financial assistance (e.g., by selling Medicare Advantage products).

Reversing prior law, the final regulations unambiguously prohibit categorical coverage exclusions or limitations for health services related to gender transition or other gender-affirming care. OCR finds support for this change in the US Supreme Court’s decision in Bostock v. Clayton County, which held that Title VII of the Civil Rights Act of 1964 prohibits an employer from discriminating against an individual on the basis of sexual orientation or transgender status. But prohibiting categorical coverage exclusions is not the same thing as requiring covered entities to provide access to gender-affirming care under all circumstances. There are limits; covered entities must not:

[D]eny or limit services based on gender identity or sex assigned at birth, adopt any policy of treating individuals differently on the basis of sex, including to the extent it prevents an individual from engaging in a health program or activity consistent with the individual’s gender identity, or deny or limit services sought for gender transition or other gender-affirming care based on sex assigned at birth or gender identity.

The provision would outlaw blanket bans on both gender-affirming care itself and on specific gender-affirming procedures (like facial feminization surgery). But it would also prohibit plans or carriers that qualify as covered entities from covering breast reconstruction for cancer treatment, or hormones to treat post-menopause symptoms, without also covering these procedures to treat gender dysphoria.

The final regulations do not interfere with individualized clinical judgment about the appropriate course of care for a patient. (The preamble further states that OCR has a general practice of deferring to a clinician’s judgment about whether a particular service is medically appropriate for an individual, or whether the clinician has the appropriate expertise to provide care.) A provider’s belief that gender transition or other gender-affirming care can never be beneficial, or its compliance with a state or local law that reflects a similar judgment, is not a sufficient basis for a judgment that a health service is never clinically appropriate, however.

The 2016 final Section 1557 regulations were successfully challenged in Franciscan Alliance v. Burwell (N.D. [...]


OCR Update on Tracking Technologies Provides Little Relief for HIPAA-Regulated Entities

On March 18, 2024, the US Department of Health and Human Services Office for Civil Rights (OCR) issued an update to its December 1, 2022, bulletin titled “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.” In releasing the 2024 update, OCR stated that its purpose was to “increase clarity for regulated entities and the public.” While the update appears to narrow the scope of what OCR considers to be HIPAA-protected health information (PHI) in the context of online tracking technologies, it largely reconfirms prior guidance in the 2022 bulletin and will likely have limited practical impact for HIPAA-covered entities and business associates that have already heeded the 2022 bulletin.


Hospital Settles With OCR for $4.75 Million Over HIPAA Violations

The US Department of Health and Human Services Office for Civil Rights (OCR) recently reached a $4.75 million settlement with a New York City hospital for alleged violations of the Health Insurance Portability and Accountability Act (HIPAA).

According to OCR, in 2013, a former hospital employee sold the electronic protected health information (ePHI) of 12,517 patients to an identity theft ring, and the hospital did not detect the breach or report it to OCR until 2015. OCR’s investigation found several potential HIPAA violations. In addition to the monetary settlement, the hospital agreed to conduct a thorough security risk assessment, revise its HIPAA policies, provide additional training to staff, begin recording and tracking all electronic health record (EHR) activity so that it can monitor who is accessing patient information, and create a risk management plan. OCR will also monitor the hospital for two years for compliance with HIPAA.


HIPAA Compliance 101: Lessons from a Recent OCR Settlement

The US Department of Health and Human Services Office for Civil Rights (OCR) recently announced a settlement with a community hospital resolving an investigation under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security rules. While the settlement involved a medical provider, it offers some important lessons for other HIPAA-covered entities, including employer-sponsored group health plans.

The settlement involved impermissible access to PHI by non-medical staff who allegedly used their own login credentials to view patient medical records maintained in the hospital’s electronic medical record system without a job-related purpose. The lesson here is straightforward: all HIPAA-covered entities must “protect the privacy and security of health information,” and having valid credentials does not by itself make an employee’s access to a record permissible.

The HIPAA privacy and security rules are complex, and full compliance requires substantial resources that are, as a practical matter, beyond the reach of many organizations. While OCR routinely refers to these rules as “scalable,” that claim is difficult to square with our experience. Full compliance with the particulars of the rules is costly and time-consuming, and it requires no shortage of expertise. Thankfully, in practice, OCR tends to focus its investigative resources on certain features of these rules. These features include the following items, which covered entities must perform to comply:

  • Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic protected health information;
  • Develop and implement a risk management plan to address and mitigate identified security risks and vulnerabilities identified in the risk analysis;
  • Develop, maintain and revise, as necessary, written HIPAA policies and procedures;
  • Enhance HIPAA and security training programs to provide workforce training on the updated HIPAA policies and procedures; and
  • Review relationships with vendors and third-party service providers to identify business associates and obtain business associate agreements with business associates if not already in place.

Where group health plans are concerned, fully insured plans routinely rely on their carriers for HIPAA compliance, which requires that plan sponsors receive only “summary” health information (for example, at renewal). This option is not available to self-funded plans, however, even those that contract with a carrier for administrative services. Employers in this latter category can be reasonably confident of surviving an OCR audit or investigation only if they take, at a minimum, the actions listed above.


HHS Issues Guidance on Requirements Under HIPAA for Online Tracking Technologies, Addressing Privacy and Security Concerns Related to Health Information

On December 1, 2022, the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) issued a Bulletin on the obligations of covered entities and business associates (regulated entities) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules (HIPAA Rules) when using online tracking technologies, such as cookies, web beacons and pixels. The Bulletin aims to provide further clarity on when identifiable information collected by such tracking technologies may also constitute protected health information (PHI) as defined and interpreted under the HIPAA Rules. In such instances, the Bulletin instructs that the technology vendor may be seen as providing a service to the regulated entity that would, in light of the use and disclosure of PHI, create a direct or downstream business associate relationship. Accordingly, the Bulletin states that the regulated entities would need to enter into a business associate agreement (BAA) with the vendor of the technology (and the vendor would, in turn, become a regulated entity) and meet other requirements under the HIPAA Rules. The Bulletin provides long-awaited guidance to help regulated entities review their positions and procedures concerning tracking technologies to ensure that the trackers they implement either do not collect PHI or meet the prerequisites outlined in the Bulletin.


GAO Releases Report on Telehealth

On September 26, the US Government Accountability Office (GAO) released a report titled “Medicare Telehealth: Actions Needed to Strengthen Oversight and Help Providers Educate Patients on Privacy and Security Risks.” The 75-page report describes the utilization of Medicare telehealth services under current pandemic-related waivers, the Centers for Medicare & Medicaid Services (CMS) efforts to identify and monitor risks posed by the current waivers, and a change made by the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) to the enforcement of regulations governing patients’ protected health information during the COVID-19 public health emergency (PHE).

GAO made four recommendations—three directed to CMS and one directed to OCR—aimed at remedying the issues set forth in the report:

  • CMS should develop an additional billing modifier or clarify its guidance regarding billing of audio-only office visits to allow the agency to fully track these visits.
  • CMS should require providers to use available site of service codes to indicate when Medicare telehealth services are delivered to beneficiaries in their homes.
  • CMS should comprehensively assess the quality of Medicare services, including audio-only services, delivered using telehealth during the PHE.
  • OCR should provide additional education, outreach or other assistance to providers to help them explain the privacy and security risks to patients in plain language when using video telehealth platforms to provide telehealth services.

Among its utilization findings, the GAO report found that the use of telehealth services increased from about five million services pre-waiver (April to December 2019) to more than 53 million services post-waiver (April to December 2020) and that, post-waiver, 5% of providers delivered more than 40% of telehealth services, and 5% of beneficiaries accounted for almost 40% of telehealth utilization.

The report noted that CMS lacks complete data on the use of audio-only technology and telehealth visits furnished in patients’ homes, because there is no billing mechanism for providers to identify all instances of audio-only visits, and because providers are not required to use available codes to identify visits furnished in homes. The GAO report also noted that OCR did not advise providers about specific language to use or give direction on explaining risks to patients, with respect to OCR’s March 2020 policy that it would not impose penalties against providers for noncompliance with privacy and security requirements in connection with the good faith provision of telehealth during the PHE.

This GAO report comes on the heels of a recent report from the HHS Office of Inspector General that found little evidence of waste and fraud related to Medicare telehealth services during the first year of the pandemic. These reports are part of a broader push by Congress and the Biden administration to examine current telehealth flexibilities and determine how to extend them beyond the COVID-19 PHE.


HHS Finalizes Anti-Discrimination Revisions to ACA Section 1557

On June 12, 2020, the Office for Civil Rights (OCR) of the US Department of Health and Human Services (HHS) finalized a rule under Section 1557 of the Patient Protection and Affordable Care Act (the 2020 Final Rule) that rescinds certain protections afforded to LGBTQ individuals and persons with limited English proficiency. At the same time, the 2020 Final Rule removes burdensome disclosure requirements that may be a welcome relief for entities covered by Section 1557. On June 15, 2020, the Supreme Court of the United States ruled that workplace discrimination based on gender identity and sexual orientation is forbidden under Title VII of the Civil Rights Act of 1964. Although Title VII is not included in the precedential civil rights laws that gave rise to Section 1557, we nevertheless anticipate that the Supreme Court’s holding will lead to legal challenges in a number of areas, including healthcare and health insurance, religious exemptions and the 2020 Final Rule from HHS OCR.


HIPAA Boss Sees ‘Low-Hanging Fruit’ Ripe For Enforcement

Healthcare providers and insurers are still making tons of rookie mistakes on patient privacy, turning themselves into easy enforcement targets, according to Roger Severino, director of the US Department of Health and Human Services Office for Civil Rights (OCR).

Severino made headlines in 2017 for expressing interest in punishing a “big, juicy, egregious” privacy breach, and seemingly followed through with a $16 million settlement stemming from Anthem Inc.’s megabreach involving 79 million patients. But, an emphasis on smaller violations makes sense in light of the OCR’s recent acknowledgement of limits on its penalty powers, said Edward G. Zacharias, a McDermott partner.


Originally posted on Law360, February 2020
