On March 18, 2024, the US Department of Health and Human Services Office for Civil Rights (OCR) issued an update to its December 1, 2022, bulletin titled “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.” In releasing the 2024 update, OCR stated that its purpose was to “increase clarity for regulated entities and the public.” While the update appears to narrow the scope of what OCR considers to be HIPAA-protected health information (PHI) in the context of online tracking technologies, it largely reconfirms prior guidance in the 2022 bulletin and will likely have limited practical impact for HIPAA-covered entities and business associates that have already heeded the 2022 bulletin.
The US Department of Health and Human Services Office for Civil Rights (OCR) recently reached a $4.75 million settlement with a New York City hospital for alleged violations of the Health Insurance Portability and Accountability Act (HIPAA).
According to OCR, in 2013, a former hospital employee sold the electronic medical records of 12,517 patients to an identity theft group, and the NYC hospital did not detect or report the breach to OCR until 2015. OCR’s investigation found several potential HIPAA violations, and in addition to the settlement, the hospital agreed to conduct a thorough security risk assessment, revise its HIPAA policies, provide additional training to staff, begin recording and tracking all electronic health record (EHR) activity to monitor who is accessing patient information, and create a risk management plan. OCR will also monitor the hospital for two years for compliance with HIPAA.
The US Department of Health and Human Services Office for Civil Rights (OCR) recently announced a settlement with a community hospital resolving an investigation under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security rules. While the settlement involved a medical provider, it offers some important lessons for other HIPAA-covered entities, including employer-sponsored group health plans.
The settlement involved impermissible data breaches by non-medical staff who, allegedly, used their login credentials to access patient medical records maintained in the hospital’s electronic medical record system without a job-related purpose. The lesson here is straightforward: all HIPAA-covered entities must “protect the privacy and security of health information.”
The HIPAA privacy and security rules are complex, and full compliance requires substantial resources that are, as a practical matter, beyond the reach of many organizations. While OCR routinely refers to these rules as “scalable,” that claim is difficult to square with our experience. Full compliance with the particulars of the rules is costly and time-consuming, and it requires no shortage of expertise. Thankfully, in practice, OCR tends to focus its investigative resources on certain features of these rules. These features include the following actions, which covered entities must take to comply:
Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic protected health information;
Develop and implement a risk management plan to address and mitigate identified security risks and vulnerabilities identified in the risk analysis;
Develop, maintain and revise, as necessary, written HIPAA policies and procedures;
Enhance HIPAA and security training programs to provide workforce training on the updated HIPAA policies and procedures; and
Review relationships with vendors and third-party service providers to identify business associates and obtain business associate agreements with business associates if not already in place.
Where group health plans are concerned, fully insured plans routinely rely on their carriers for HIPAA compliance, which requires that plan sponsors receive only “summary” health information at renewal. This option is not available to self-funded plans, however, even those that contract with a carrier for administrative services. Employers in this latter category can be reasonably confident of surviving an OCR audit or investigation only if, at a minimum, they take the actions listed above.
The My Health My Data Act in Washington State (the Act) is expected to be signed into law by Governor Jay Inslee this year, after being passed by both the Washington Senate and House in different versions. Unlike recent state privacy laws, the Act specifically targets consumer health data that is not covered by the Health Insurance Portability and Accountability Act (HIPAA). It includes provisions that apply to processors and third parties who may handle a broadly defined set of consumer health data, beyond healthcare-adjacent businesses. The Act could have a significant impact on various entities, including advertisers, mobile app providers, wearable device manufacturers, healthcare companies and their data processors who handle non-HIPAA-regulated health information.
On April 12, 2023, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a notice of proposed rulemaking detailing its proposal to modify the HIPAA Privacy Rule (Proposed Rule). The Proposed Rule comes as a part of the Biden administration’s response to the US Supreme Court’s ruling in Dobbs v. Jackson Women’s Health Organization.
The Proposed Rule would provide special protections for protected health information (PHI) related to reproductive healthcare. Following the Dobbs decision, many healthcare providers expressed concerns that PHI related to reproductive healthcare may be sought by state and local governments for use in criminal, civil or administrative investigations or proceedings. OCR noted that such compelled uses and disclosures of PHI could have a chilling effect on lawfully obtained healthcare and erode trust in confidential communications between a patient and provider. Additionally, providers could elect to leave out critical details from a patient’s medical record if they fear the information could later be used by a state or local government actor against the patient.
Stakeholders may submit comments on the proposed rule on or before June 16, 2023.
Unlike the European Union, the United States does not have a federal data privacy law like the General Data Protection Regulation. State attorneys general, however, are cracking down on data breaches at healthcare organizations, according to this For the Record article.
On September 26, the US Government Accountability Office (GAO) released a report titled “Medicare Telehealth: Actions Needed to Strengthen Oversight and Help Providers Educate Patients on Privacy and Security Risks.” The 75-page report describes the utilization of Medicare telehealth services under current pandemic-related waivers, the Centers for Medicare & Medicaid Services (CMS) efforts to identify and monitor risks posed by the current waivers, and a change made by the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) to the enforcement of regulations governing patients’ protected health information during the COVID-19 public health emergency (PHE).
GAO made four recommendations—three directed to CMS and one directed to OCR—aimed at remedying the issues set forth in the report:
CMS should develop an additional billing modifier or clarify its guidance regarding billing of audio-only office visits to allow the agency to fully track these visits.
CMS should require providers to use available site of service codes to indicate when Medicare telehealth services are delivered to beneficiaries in their homes.
CMS should comprehensively assess the quality of Medicare services, including audio-only services, delivered using telehealth during the PHE.
OCR should provide additional education, outreach or other assistance to providers to help them explain the privacy and security risks to patients in plain language when using video telehealth platforms to provide telehealth services.
Among its utilization findings, the GAO report noted that the use of telehealth services increased from about five million services pre-waiver (April to December 2019) to more than 53 million services post-waiver (April to December 2020) and that, post-waiver, 5% of providers delivered more than 40% of telehealth services, and 5% of beneficiaries accounted for almost 40% of telehealth utilization.
The report noted that CMS lacks complete data on the use of audio-only technology and telehealth visits furnished in patients’ homes, because there is no billing mechanism for providers to identify all instances of audio-only visits, and because providers are not required to use available codes to identify visits furnished in homes. The GAO report also noted that OCR did not advise providers about specific language to use or give direction on explaining risks to patients, with respect to OCR’s March 2020 policy that it would not impose penalties against providers for noncompliance with privacy and security requirements in connection with the good faith provision of telehealth during the PHE.
This GAO report comes on the heels of a recent report from the HHS Office of Inspector General that found little evidence of waste and fraud related to Medicare telehealth services during the first year of the pandemic. These reports are part of a broader push by Congress and the Biden administration to examine current telehealth flexibilities and determine how to extend them beyond the COVID-19 PHE.
The US Supreme Court’s recent decision to overturn Roe v. Wade in Dobbs v. Jackson Women’s Health Organization has raised many questions about potential efforts by law enforcement agencies to obtain data from healthcare and other service providers to detect the performance of a possibly unlawful abortion. For example, data collected by period-tracking apps, patients’ self-reported symptoms, or diagnostic-testing results might be used to establish the timeframe in which an individual became pregnant, and then demonstrate that a pregnancy was terminated, as part of investigative or enforcement efforts against individuals or organizations allegedly involved in such termination.
On June 29, 2022, the office within the US Department of Health and Human Services (HHS) that is responsible for enforcing the Health Insurance Portability and Accountability Act (HIPAA), the Office for Civil Rights (OCR), issued guidance addressing how HIPAA limits disclosures by covered entities and business associates to law enforcement agencies in the absence of a court order or other legal mandate. The guidance provides helpful insight on how OCR may use HIPAA enforcement to discourage unauthorized disclosures of protected health information (PHI) to law enforcement officials in the wake of new state laws outlawing abortion. The guidance also implicitly confirms, however, that HIPAA does not provide a complete shield against law enforcement and litigation-driven requests for abortion-related information.
On June 12, 2020, the Office for Civil Rights (OCR) of the US Department of Health and Human Services (HHS) finalized a rule under Section 1557 of the Patient Protection and Affordable Care Act (the 2020 Final Rule) that rescinds certain protections afforded to LGBTQ individuals and persons with limited English proficiency. At the same time, the 2020 Final Rule removes burdensome disclosure requirements that may be a welcome relief for entities covered by Section 1557. On June 15, 2020, the Supreme Court of the United States ruled that workplace discrimination based on gender identity and sexual orientation is forbidden under Title VII of the Civil Rights Act of 1964. Although Title VII is not included in the precedential civil rights laws that gave rise to Section 1557, we nevertheless anticipate that the Supreme Court’s holding will lead to legal challenges in a number of areas, including healthcare and health insurance, religious exemptions and the 2020 Final Rule from HHS OCR.
On Friday, May 13, 2016, the US Department of Health and Human Services Office for Civil Rights finalized regulations that provide explicit protections from discrimination on the basis of gender identity in health care and insurance under Section 1557 of the Affordable Care Act.