Categories
Health Law Highlights

Online Tracking Technologies and HIPAA Misconceptions

Summary of article from IAPP, by John Haskell:

Misconceptions persist about the use of online tracking technologies (OTTs) for marketing under HIPAA compliance. HIPAA mandates that covered entities must obtain explicit authorization from individuals before using or disclosing their protected health information (PHI) for marketing purposes. Simply signing a Business Associate Agreement (BAA) does not ensure compliance, particularly when PHI is involved. The U.S. Department of Health and Human Services (HHS) has clarified that disclosures of PHI to tracking technology vendors without proper authorizations are impermissible. Additionally, business associates are prohibited from using PHI for their own purposes, such as marketing campaigns. Compliance with HIPAA requires obtaining valid authorizations and adhering to specific guidelines, rather than relying solely on BAAs. Understanding these requirements is crucial to avoid regulatory issues.

P-R-I-V-A-C-Y is Priceless to Me: The 2024 Privacy Rule

Summary of article from Holland & Hart, by Leslie Thomson:

The Department of Health and Human Services has issued the 2024 Privacy Rule, amending HIPAA privacy regulations to restrict the use or disclosure of an individual’s Protected Health Information (PHI) related to reproductive healthcare for certain non-healthcare purposes. This rule aims to protect individual privacy and trust in healthcare providers by prohibiting the use of PHI for criminal, civil, or administrative investigations or liabilities concerning lawful reproductive healthcare activities. Covered entities must update workforce training, HIPAA policies, procedures, and business associate agreements by December 23, 2024. Additionally, the Notice of Privacy Practices must be revised by February 16, 2026, to reflect these changes and address proposals related to the Confidentiality of Substance Use Disorder (SUD) Patient Records.

Does HIPAA Apply to Veterinarians?

Summary of article from The HIPAA Journal, by Steve Adler:

HIPAA does not apply to veterinarians because they do not conduct electronic healthcare transactions for which the Department of Health and Human Services has adopted standards, thus not qualifying as HIPAA covered entities. However, veterinarians are subject to various state-level data privacy and breach notification laws that resemble HIPAA regulations. For instance, California law prohibits the unauthorized disclosure of information concerning animal patients and their owners, with specific exceptions. Additionally, veterinarians handling data of EU citizens must comply with the GDPR. The American Veterinary Medical Association (AVMA) provides guidelines to help veterinarians navigate these diverse data privacy regulations.

OCR Settles Alleged HIPAA Violations for $950,000 Following 2017 Ransomware Attack

Summary of article from King & Spalding, by Elizabeth Kimball Key:

On July 1, 2024, the HHS Office for Civil Rights (OCR) announced that Heritage Valley Health System agreed to pay $950,000 to settle alleged HIPAA violations following a 2017 ransomware attack. The settlement includes a corrective action plan (CAP) to address compliance gaps, marking the third HIPAA enforcement action involving ransomware. The OCR’s investigation revealed several potential HIPAA violations, including inadequate risk analysis, lack of a contingency plan, and insufficient access controls for electronic protected health information (ePHI). As part of the CAP, Heritage Valley will conduct a comprehensive risk analysis, implement a risk management plan, update its policies and procedures, and train its workforce on HIPAA compliance. OCR highlighted a significant increase in ransomware-related breaches, underscoring its enforcement priority.

Texas Retina Associates Cyberattack Affects 312,000 Patients

Summary of article from The HIPAA Journal, by Steve Adler:

A cyberattack on Texas Retina Associates, the largest ophthalmology practice in Texas, has compromised the sensitive data of 312,867 patients. The breach, which occurred from October 8, 2023, to March 27, 2024, exposed personal information including names, addresses, Social Security numbers, and medical details. Texas Retina Associates has since secured its systems, enhanced cybersecurity measures, and provided additional training to its staff. Notifications are being issued to affected individuals as a precaution, and a helpline has been established for further assistance. The practice has not mentioned offering complimentary credit monitoring or identity protection services.

HIPAA Unique Identifiers Explained

Summary of article from The HIPAA Journal, by Steve Adler:

HIPAA mandates unique identifiers for employers, health plans, and healthcare providers to enhance transaction efficiency and reduce administrative costs, though no standards for individual identifiers were adopted due to cost and complexity. Employer identifiers use IRS-issued EINs, while health plan identifiers, initially introduced in 2012, were rescinded in 2019 due to implementation challenges. Healthcare providers use National Provider Identifiers (NPIs), established before HIPAA and extended in 2004. It’s crucial to distinguish these HIPAA unique identifiers from PHI identifiers, which must be removed for data de-identification. Entities uncertain about these distinctions should seek HIPAA compliance guidance to avoid violations.

Six Months to Go: HIPAA Privacy Rule Changes Require Additional Diligence

Summary of article from Taft Privacy & Data Security Insights, by Scot Ganow:

The Department of Health and Human Services (HHS) has issued final regulations modifying the HIPAA Privacy Rule to protect individuals’ reproductive health information, effective June 25, 2024, with compliance required by December 23, 2024. These changes prohibit HIPAA-regulated entities from disclosing protected health information (PHI) for purposes of investigating or imposing liability for lawful reproductive health care. Additionally, the regulations establish a presumption of lawfulness for reproductive care and mandate obtaining signed attestations for certain disclosures. HIPAA-covered entities and business associates must update their policies, procedures, agreements, and training to align with these new requirements. Notices of privacy practices must also be revised by February 16, 2026.

Texas Judge Upholds Hospitals’ Right to Use Online Tracking Technology

Summary of article from The Record, by Suzanne Smalley:

A Texas federal judge ruled that the Biden administration’s policy to limit hospitals’ use of online tracking technology overstepped its authority. The policy, issued by the HHS in 2022, aimed to protect user privacy by warning that third-party data collection could violate HIPAA. Despite the HHS’s recent revision and warnings about the risks of technologies like Meta/Facebook Pixel and Google Analytics, the judge found that the guidance improperly extended HIPAA’s reach to data from public website searches. This decision followed a lawsuit from the American Hospital Association and other plaintiffs. The ruling underscores the complexity and extensive reach of federal regulations in modern life.

Feds Announce Final Penalties for Information Blocking. Hospitals and Medical Groups Aren’t Happy

Summary of article from Chief Healthcare Executive, by Ron Southwick:

The U.S. Department of Health & Human Services has finalized rules to prevent information blocking, imposing significant financial penalties on hospitals, clinicians, and medical groups that fail to share health information freely. Hospitals could face reductions in federal aid and substantial financial disincentives, while clinicians and medical groups could see reduced reimbursements and other penalties. The American Hospital Association and the Medical Group Management Association have criticized the penalties as excessive and punitive, urging more collaborative approaches. The rule also affects Accountable Care Organizations by barring violators from participating in the Medicare Shared Savings Program for at least a year. These measures will take effect 30 days after the rule’s publication.

Court Strikes Down HHS “Guidance” Regarding Online Tracking Technologies and HIPAA: Implications for Healthcare Providers

Summary of article from Health Law Attorney Blog:

In a recent decision, the United States District Court for the Northern District of Texas partially granted summary judgment to the plaintiffs, striking down the HHS rule that expanded the definition of “Individually Identifiable Health Information” (IIHI) to include the combination of an individual’s IP address and their visits to healthcare providers’ websites. The Court ruled that HHS exceeded its statutory authority under HIPAA and imposed new legal obligations without proper rulemaking procedures. This decision relieves healthcare providers from the significant compliance burdens associated with the now-invalidated rule. Providers should review their use of tracking technologies to ensure compliance with the ruling and stay informed about any new guidance from HHS. This case underscores the necessity for clear, consistent regulatory guidance aligned with statutory definitions and procedural norms.