protected health information
Subscribe to protected health information's Posts

OCR Update on Tracking Technologies Provides Little Relief for HIPAA-Regulated Entities

On March 18, 2024, the US Department of Health and Human Services Office for Civil Rights (OCR) issued an update to its December 1, 2022, bulletin titled “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.” In releasing the 2024 update, OCR stated that its purpose was to “increase clarity for regulated entities and the public.” While the update appears to narrow the scope of what OCR considers to be HIPAA-protected health information (PHI) in the context of online tracking technologies, it largely reconfirms prior guidance in the 2022 bulletin and will likely have limited practical impact for HIPAA-covered entities and business associates that have already heeded the 2022 bulletin.

Read more here.




read more

Washington State Legislature Passes My Health My Data Act

The My Health My Data Act in Washington State (the Act) is expected to be signed into law by Governor Jay Inslee this year, after being passed by both the Washington Senate and House in different versions. Unlike recent state privacy laws, the Act specifically targets consumer health data that is not covered by the Health Insurance Portability and Accountability Act (HIPAA). It includes provisions that apply to processors and third parties who may handle a broadly defined set of consumer health data, beyond healthcare-adjacent businesses. The Act could have a significant impact on various entities, including advertisers, mobile app providers, wearable device manufacturers, healthcare companies and their data processors who handle non-HIPAA-regulated health information.

Read more here.




read more

OCR Issues Proposed Rule to Modify HIPAA Privacy Rule to Include Explicit Protections for Reproductive Healthcare

On April 12, 2023, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a notice of proposed rulemaking detailing its proposal to modify the HIPAA Privacy Rule (Proposed Rule). The Proposed Rule comes as a part of the Biden administration’s response to the US Supreme Court’s ruling in Dobbs v. Jackson Women’s Health Organization.

The Proposed Rule would provide special protections for protected health information (PHI) related to reproductive healthcare. Following the Dobbs decision, many healthcare providers expressed concerns that PHI related to reproductive healthcare may be sought by state and local governments for use in criminal, civil or administrative investigations or proceedings. OCR noted that such compelled uses and disclosures of PHI could have a chilling effect on lawfully obtained healthcare and erode trust in confidential communications between a patient and provider. Additionally, providers could elect to leave out critical details from a patient’s medical record if they fear the information could later be used by a state or local government actor against the patient.

Stakeholders may submit comments on the proposed rule on or before June 16, 2023.

Read more here.




read more

HHS Issues Guidance on Requirements Under HIPAA for Online Tracking Technologies, Addressing Privacy and Security Concerns Related to Health Information

On December 1, 2022, the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) issued a Bulletin on the obligations of covered entities and business associates (regulated entities) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules (HIPAA Rules) when using online tracking technologies, such as cookies, web beacons and pixels. The Bulletin aims to provide further clarity on when identifiable information collected by such tracking technologies may also constitute protected health information (PHI) as defined and interpreted under the HIPAA Rules. In such instances, the Bulletin instructs that the technology vendor may be seen as providing a service to the regulated entity that would, in light of the use and disclosure of PHI, create a direct or downstream business associate relationship. Accordingly, the Bulletin states that the regulated entities would need to enter into a business associate agreement (BAA) with the vendor of the technology (and the vendor would, in turn, become a regulated entity) and meet other requirements under the HIPAA Rules. The Bulletin provides long-awaited guidance to help regulated entities review their positions and procedures concerning tracking technologies to ensure that the trackers they implement either do not collect PHI or meet the prerequisites outlined in the Bulletin.

Access the full article.




read more

Navigating Data Privacy Questions Post-Dobbs

The US Supreme Court’s recent decision to overturn Roe v. Wade in Dobbs v. Jackson Women’s Health Organization has raised many questions about potential efforts by law enforcement agencies to obtain data from healthcare and other service providers to detect the performance of a possibly unlawful abortion. For example, data collected by period-tracking apps, patients’ self-reported symptoms, or diagnostic-testing results might be used to establish the timeframe in which an individual became pregnant, and then demonstrate that a pregnancy was terminated, as part of investigative or enforcement efforts against individuals or organizations allegedly involved in such termination.

On June 29, 2022, the office within the US Department of Health and Human Services (HHS) that is responsible for enforcing the Health Insurance Portability and Accountability Act (HIPAA), the Office for Civil Rights (OCR), issued guidance addressing how HIPAA limits disclosures by covered entities and business associates to law enforcement agencies in the absence of a court order or other legal mandate. The guidance provides helpful insight on how OCR may use HIPAA enforcement to discourage unauthorized disclosures of protected health information (PHI) to law enforcement officials in the wake of new state laws outlawing abortion. The guidance also implicitly confirms, however, that HIPAA does not provide a complete shield against law enforcement and litigation-driven requests for abortion-related information.

Read more here.




read more

HIPAA Privacy and Security Compliance for Group Health Plan Sponsors

Joanna Kerpen authored an article on final HIPAA rules for privacy enforcement and audit programs, particularly those with additional requirements aimed at group health plan sponsors. This report focuses on the final regulations issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), in January 2013, HIPAA enforcement and audit programs, HIPAA-related additional requirements of group health plan sponsors, and the actions that must be taken by group health plan sponsors to ensure compliance with the final regulations and requirements and to prepare for potential audits and enforcement actions.

“The final HIPAA regulations made many changes to the existing HIPAA privacy and security rules that are applicable to covered entities,” Ms. Kerpen wrote, and she urged plan sponsors to conduct a comprehensive review of their compliance plans to prepare for audits or enforcement action.

Read the full article here.




read more

Phase 2 HIPAA Audits Are Underway

The US Department of Health and Human Services Office for Civil Rights (OCR) will soon begin a second phase of audits for compliance with HIPAA privacy, security and breach notification standards as required by the HITECH Act. In this second phase, OCR will audit both covered entities and their business associates, unlike the pilot audits of 2011 and 2012, which focused on covered entities alone. This On the Subject details practical steps that covered entities, including employer-sponsored group health plans, and their business associates can take to prepare for a potential audit.

Read the full article.




read more

OCR Launches Phase 2 HIPAA Audit Program with Pre-Audit Screening Surveys

HIPAA covered entities have reported that the HHS Office for Civil Rights recently sent pre-audit screening surveys to a pool of covered entities that may be selected for the previously delayed second phase of HIPAA compliance audits. This On the Subject describes the phase two audit program and identifies steps that covered entities and business associates should take to prepare for these audits.

Read the full article.




read more

BLOG EDITORS

STAY CONNECTED

TOPICS

ARCHIVES

Top ranked chambers 2022
US leading firm 2022