HHS’ Office for Civil Rights Settles Second Ever Ransomware Cyber-Attack

From HHS Press Release:

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), reached a settlement with Green Ridge Behavioral Health, LLC under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) due to potential violations identified during an investigation following a ransomware attack, which affected over 14,000 individuals’ protected health information.

This incident marks the second settlement that OCR has reached with a HIPAA-regulated entity following a ransomware attack. The OCR’s investigation revealed that Green Ridge Behavioral Health had failed to accurately assess potential risks and vulnerabilities to electronic protected health information, implement adequate security measures, and monitor its health information systems effectively to guard against cyber-attacks.

As part of the settlement, Green Ridge Behavioral Health agreed to pay a fine and implement a corrective action plan (CAP), which will be monitored by OCR for three years, to address potential violations of the HIPAA Privacy and Security Rules. The CAP includes conducting a thorough risk analysis, developing a risk management plan, revising policies and procedures as needed to comply with HIPAA rules, providing workforce training, auditing third-party arrangements for proper business associate agreements, and reporting non-compliance by workforce members to the OCR.

Health Law Highlights

US Department of Human Services vs Hospital & Tech Sector Showdown

From, by Marlene Maheu, PhD:

Recent developments in digital privacy ethics in the healthcare sector have led to a lawsuit against the US Department of Health and Human Services (HHS) by the American Hospital Association (AHA), with support from hospitals, health centers, other hospital associations, and the tech sector. The issue stems from the widespread practice of sharing online patient information with technology companies for marketing purposes.

The HHS has been actively investigating the use of tracking technologies and has issued fines and penalties to companies improperly handling sensitive data. As far back as 2022, HHS issued guidance emphasizing the obligations of HIPAA covered entities when using online tracking technologies.

A recent study revealed that 98.6% of US hospitals might still be involved in sharing patient information, highlighting the extent of data dissemination within the healthcare industry. This has led to increased interest in preventing or responding to HIPAA violations.

The legal challenge underscores the tension between the need for digital marketing tools in healthcare and the necessity to safeguard patient privacy and will significantly affect how healthcare entities use technology for marketing.


New Guidelines Anticipated Following HHS’s Health Cybersecurity Concept Paper

From Shutts & Bowen LLP, by Kurtis Hutson, Timothy Monaghan, Ella Shenhav:

Updates to HIPAA Security Rule: The Department of Health and Human Services (HHS) and the Centers for Medicare and Medicaid Services (CMS) plan to update the Health Insurance Portability and Accountability Act (HIPAA) Security Rule and propose new cybersecurity requirements in Spring 2024. These changes aim to shift the cybersecurity burden from end users to the owners and operators of technologies in critical infrastructure sectors, including healthcare.

Impact on Healthcare Companies: The new requirements could significantly expand the enforcement capabilities of regulators, impacting all entities involved in the healthcare industry. This includes manufacturers, sellers, service providers, healthcare providers, and payors who access, process, transmit, or store electronic protected health information (ePHI).

Voluntary Cybersecurity Performance Goals: HHS is developing voluntary Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (HPH CPGs). Although termed “voluntary”, these will be used by CMS to propose new cybersecurity requirements for hospitals and participants in Medicare and Medicaid programs, and will influence the update to the HIPAA Security Rule.

Need for Proactive Measures: Healthcare organizations are advised not to adopt a “wait and see” approach, but to ensure they can demonstrate the implementation of Recognized Security Practices (RSPs). The HITECH Act amendment of January 2021 provides a safe harbor that could lead to reduced fines or termination of HIPAA-related investigations for organizations that can prove they had RSPs in place for at least the previous twelve months.

NIST Publishes SP 800-66 Revision 2, Implementing the HIPAA Security Rule

From NIST Computer Security Resource Center:

The National Institute of Standards and Technology (NIST) has released the final version of Special Publication (SP) 800-66r2 (Revision 2), “Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide”.

SP 800-66 provides guidance for entities regulated by HIPAA on evaluating and managing risks associated with electronic Protected Health Information (ePHI). It outlines typical activities for an information security program and offers advice to improve cybersecurity posture and assist with HIPAA Security Rule compliance.

NIST’s Cybersecurity and Privacy Reference Tool (CPRT) includes mappings of the HIPAA Security Rule’s standards and implementation specifications to NIST Cybersecurity Framework Subcategories and SP 800-53r5 security controls. It also lists NIST publications relevant to each HIPAA Security Rule standard, which can be used as additional resources for implementing HIPAA Security Rule standards and implementation specifications.


CMS Updates Guidance to Allow Texting of Patient Orders

From Robinson & Cole, by Nathaniel Arden:

On February 8, 2024, the Centers for Medicare and Medicaid Services (CMS) updated its 2018 memorandum to now allow the texting of patient orders among a patient’s healthcare team.

The 2018 memorandum stated that texting of patient orders did not comply with hospital and critical access hospital (CAH) Medicare conditions of participation (CoPs) due to potential issues with record security, author identification, and HIPAA compliance.

The updated guidance recognizes technological advancements, including encryption and interfaces between texting platforms and electronic health record systems (EHRs) that can ensure compliance with CoPs through the texting of patient orders.

CMS advises hospitals and CAHs using text orders to ensure they use secure, encrypted platforms, maintain author identification integrity, comply with HIPAA, and promptly file texted orders in the EHR.


HIPAA and Part 2 Harmonized: What Health Care Organizations Need to Know

From Foley & Lardner LLP, by Jane Blaney, Jennifer J. Hennessy, Aaron T. Maguregui:

Part 2 Final Rule Implementation: The U.S. Department of Health & Human Services (HHS) issued the Part 2 Final Rule to revise the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations. This rule, effective 60 days post-publication, implements provisions of the 2020 CARES Act and includes modifications proposed in the November 2022 Notice of Proposed Rulemaking and additional changes based on public comments.

Patient Consent Changes: The rule allows SUD programs to obtain a single patient consent for all future uses and disclosures of Part 2 records for treatment, payment, and healthcare operations (TPO), as per HIPAA regulations. This consent can be revoked by the patient in writing. The rule also permits HIPAA-covered entities and business associates to redisclose records under this consent, barring use in legal proceedings against the patient without specific consent or court order.

Patient Notice and Rights: The rule aligns Part 2’s patient notice requirements more closely with the HIPAA Notice of Privacy Practices. It also provides patients with additional rights, such as requesting restrictions of disclosures to health plans for services paid in full or for purposes of TPO, obtaining an accounting of disclosures, and opting out of fundraising communications.

Breach Notification and Counseling Notes: The rule applies HIPAA’s Breach Notification Rule to breaches of unsecured records by Part 2 programs. It also includes a definition of SUD counseling notes similar to the HIPAA definition of psychotherapy notes, requiring specific consent from the individual for their disclosure.

Data Segregation and Penalties: The rule removes the requirement for segregation or segmentation of Part 2 records but maintains their protection. Violations of Part 2 will be subject to the same civil and criminal penalties as HIPAA violations, and patients can file complaints with HHS for violations of Part 


Confidentiality of Substance Use Disorder Records Now More Closely Aligned With HIPAA

From Fox Rothschild, by Elizabeth G. Litten:

  • Part 2 records may be disclosed pursuant to the patient’s written consent, which may be a single consent for all future uses and disclosures for treatment, payment, and health care operations (as such terms are defined under HIPAA).
  • Part 2 records may be disclosed to a public health authority without patient consent if the records are de-identified (as defined and set forth under HIPAA).
  • Part 2 records are subject to HIPAA’s breach notification requirements.
  • Part 2 SUD providers must provide HIPAA Notice of Privacy Practices-type notices to patients.
  • Patients have the right to complain to HHS regarding alleged violations of Part 2.


HTI-1 Final Rule in Effect

From The HIPAA Journal, by Steve Adler:

The Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing (HTI-1) Final Rule, issued by the HHS’ Office of the National Coordinator for Health Information Technology (ONC), took effect on February 8, 2024. It implements provisions of the 21st Century Cures Act and updates the ONC Health IT Certification Program with new standards for AI systems.

The Final Rule is designed to advance ONC-certified health IT interoperability, algorithm transparency, and data standardization. It aims to improve patient outcomes and reduce healthcare costs by promoting the safe, secure, and trustworthy development of AI.

The Final Rule introduces new transparency requirements for AI and other predictive algorithms within ONC-certified health IT. It allows clinical users to access a consistent set of information about the algorithms and assess them for fairness, validity, effectiveness, and safety.

It adopts the United States Core Data for Interoperability (USCDI) Version 3 (v3) as the new baseline standard within the ONC Health IT Certification Program. Developers of certified health IT have until January 1, 2026, to transition to USCDI v3.

The Final Rule introduces new information blocking requirements and definitions, adds a new exception to support information sharing, and introduces new interoperability-focused reporting metrics. It is crucial that IT systems, information sharing policies, data collection, and reporting practices are assessed to ensure compliance with these new requirements.


Wellness Apps and Privacy

From Seyfarth Shaw LLP, by Diane Dygert:

  • Employers are increasingly interested in providing wellness tools, such as apps and wearables, to enhance employee benefits. These tools, which cover various areas like mental health, physical fitness, and financial fitness, are relatively inexpensive and easily accessible.
  • The Health Insurance Portability and Accountability Act (HIPAA) protects the privacy and security of individually identifiable health information. However, this only applies to data created or maintained by a “covered entity”, usually healthcare providers or health plans. Many wellness apps are not developed by such entities, and therefore, their data may not be protected by HIPAA.
  • If a wellness app is provided as part of an employer’s health plan, the underlying data collected may be considered HIPAA Protected Health Information (PHI). In such cases, the wellness vendor and the health plan must enter into a HIPAA compliant business associate agreement outlining the uses and security measures for the PHI.
  • State laws may also impact the privacy of health data collected through wellness apps. Several states are passing their own privacy laws to cover health data privacy gaps in HIPAA’s scope. However, most of these laws exclude information collected in the scope of an employment relationship, and the extent of these exclusions is not yet clear.
  • Employers deploying wellness apps should consider privacy implications at both federal and state levels before implementation. Failure to do so could potentially lead to privacy law liability.

7 HIPAA Predictions For 2024

From Becker’s Hospital Review, by Madeline Ashley:

  • The Office for Civil Rights (OCR) is expected to increase enforcement actions for violations of HIPAA security and breach notification rules, with a predicted record number of civil monetary penalties and settlements in 2024.
  • The HIPAA right of access will continue to be a focus for OCR enforcement due to its straightforward nature and minimal resource requirement for investigations.
  • An update to the HIPAA security rule is anticipated in spring 2024, likely introducing new mandatory cybersecurity measures, including stricter access control requirements such as mandatory multi-factor authentication.
  • Following the overturning of Roe v. Wade, a new rule on reproductive health information disclosure is expected, limiting its use to specific purposes like payment, healthcare operations, treatment, and legal investigations related to reproductive healthcare services.
  • The American Hospital Association’s lawsuit against OCR’s tracking technologies guidance could lead to the first enforcement action regarding the use of tracking technologies on hospital websites in 2024. If the lawsuit is successful, further rulemaking on tracking technology is expected to enhance patient privacy.
  • The Centers for Medicare & Medicaid Services (CMS) are projected to introduce cybersecurity requirements as a condition for participation in their programs.
  • State attorneys general are expected to increase HIPAA compliance enforcements, imposing additional financial penalties on healthcare organizations failing to meet minimum cybersecurity standards.