Categories
Health Law Highlights

Texas Children’s Hospital Whistleblower Doctor Indicted on Four Counts of Criminal HIPAA Violations

Summary of article from The HIPAA Journal, by Steve Alder:

Dr. Eithan Haim, a surgeon from Texas Children’s Hospital, has been indicted by the Department of Justice on four counts of violating the Health Insurance Portability and Accountability Act (HIPAA). Dr. Haim allegedly leaked documents showing that the hospital continued to provide gender-affirming care to minors, despite public claims to the contrary, following legal threats from Texas Governor Greg Abbott. The leaked documents, shared with reporter Christopher F. Rufo, indicated that treatments, including hormone-related therapies and implanted puberty blockers, were provided throughout 2022 and 2023. Dr. Haim, who admitted to being the whistleblower, is now facing prosecution, though he maintains that all sensitive patient information was redacted from the documents. This case follows a new law passed by the Texas Legislature banning gender-affirming interventions, with which Texas Children’s Hospital has since complied.


Avoiding HIPAA Penalties: A Checklist for Covered Entities

Summary of article from Holland & Hart, by Kim Stanger:

The Health Insurance Portability and Accountability Act (HIPAA) applies to healthcare providers, healthcare clearinghouses, and health plans, enforcing rigorous privacy, security, and breach notification rules. Non-compliance can lead to severe civil and criminal penalties, with a tiered penalty structure based on the severity and nature of the violation. While there isn’t an explicit private cause of action for injured individuals under HIPAA, claims can be made under negligence or common law. To ensure compliance, entities should assign HIPAA responsibility, understand use and disclosure rules, implement and maintain written policies, execute appropriate business associate agreements, and stay updated with changes in regulations.


Privacy Abuses Will Meet ‘Full Force of the Law’ From New Texas Unit, Attorney General Says

Summary of article from The Record, by Joe Warminsky:

Texas Attorney General Ken Paxton has announced the formation of a new data-privacy team within the consumer protection unit of his office. The team will enforce Texas privacy laws, focusing on data privacy and security, identity theft, data brokers, biometric information, consumer protection, and federal laws covering children’s privacy (COPPA) and healthcare information (HIPAA). The Texas Data Privacy and Security Act, a consumer-friendly law, will come into effect on July 1. Paxton has stated that companies exploiting consumer data will face legal consequences. This move is in line with several states, like Vermont, implementing broad privacy laws as federal regulation remains in limbo.


Employers Must Keep Reproductive Health Information About Their Plan Participants Private Under New HIPAA Privacy Rule

Summary of article from Akerman LLP, by Beth Alcalde, Elizabeth Hodge:

The newly updated HIPAA Privacy Rule, effective June 25, 2024, provides enhanced protection for reproductive health care records, preventing their disclosure to state law enforcement agencies except under certain conditions. The definition of “reproductive health care” is broad, encompassing a wide range of male and female health services. There are strict restrictions on using such information for investigations, and health plan administrators and associated businesses have direct responsibility for compliance. Upon receiving a request for such information, a signed written attestation is required from the requester stating the intended use or disclosure is not for a prohibited purpose. Revisions to the Notice of Privacy Practices (NOPP) must be in place by February 16, 2026, and legal challenges to the Final Rule are expected.

Categories
Ask the Health Lawyer

The Colorado AI Act: What You Need to Know

Summary of article from IAPP, by Cobun Zweifel-Keegan:

The Colorado AI Act, the first U.S. cross-sector AI governance law, was signed into law on May 17, 2024, with key provisions effective from Feb. 2026. The law focuses on high-risk AI systems, defined as those making consequential decisions, and introduces stringent requirements to prevent algorithmic discrimination. The Act imposes responsibilities on both developers and deployers of AI systems, requiring them to use reasonable care to avoid algorithmic discrimination and mandating comprehensive documentation and impact assessments. The law also requires incident reporting, public disclosure of risk management, and direct consumer notifications. The law exempts entities covered by HIPAA if they provide AI-generated recommendations that require a health care provider to take action to implement that recommendation. Enforcement of the law, which treats violations as breaches of Colorado’s general consumer protection statute, will be carried out by the Colorado attorney general starting Feb. 1, 2026.


OCR HIPAA Audit Program to Commence in 2024

Summary of article from The HIPAA Journal, by Steve Alder:

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 mandates periodic audits of HIPAA-regulated entities by the Office for Civil Rights (OCR) to assess HIPAA compliance, with a focus on the HIPAA Security Rule. OCR has confirmed that audits will be conducted in 2024. The increasing rate and scale of data breaches suggest inadequate compliance with the HIPAA Security Rule among healthcare organizations. OCR aims to improve future audit programs and cybersecurity across the healthcare sector, with a particular focus on risk analysis and management provisions of the HIPAA Security Rule. OCR is working on an update to the HIPAA Security Rule, expected to be finalized by the end of the year, to reflect changes in technology and working practices, including the adoption of cloud technology, encryption, and multifactor authentication.


HIPAA Privacy Final Rule: Landmark Changes Related to Reproductive Health Care Information

Summary of article from Polsinelli, by Hiba Al-Ramahi, Iliana Peters, Rebecca Frigy Romine:

The U.S. Department of Health and Human Services (HHS) and Office for Civil Rights (OCR) issued a “Final Rule” providing special protections and obligations related to Protected Health Information (PHI) about reproductive health care. The Rule applies to all HIPAA-regulated entities and covers a broad range of reproductive health care services. It prohibits the use or disclosure of PHI for the purpose of conducting a criminal, civil, or administrative investigation into, or imposing liability on, any person for seeking, obtaining, providing, or facilitating reproductive health care. Regulated entities must obtain a signed, written attestation from the person or entity requesting the PHI that the intended use or disclosure of the requested PHI is not for one of the prohibited purposes. This Rule is effective on June 25, 2024, with regulated entities given 180 days for compliance and until February 16, 2026, for Notice of Privacy Practices (NPP) modification compliance.


FTC Finalizes Expansion of Health Breach Notification Rule’s Broad Applicability to Unauthorized App Disclosures

Summary of article from Davis Wright Tremaine, by Adam H. Greene, Apurva Dharia:

The Federal Trade Commission (FTC) has finalized changes to the Health Breach Notification Rule (HBNR), expanding its scope to include virtually all health and wellness apps. The revised rule requires vendors of personal health records (PHRs) and related entities to notify individuals, the FTC, and, in some cases, the media of any unauthorized disclosure of identifiable health data. The updated rule also includes broader definitions of “health care services or supplies” and “breach of security,” and clarifies the role and responsibilities of PHR-related entities. The FTC has also modernized the method of notice, expanded the content of the notice, and revised the timing of notice to the FTC. The changes signal the FTC’s increased prioritization of protecting consumers’ sensitive health information.


How HHS OCR Is Boosting HIPAA Enforcement; Here Come Audits

Summary of article from BankInfo Security, by Marianne Kolbasuk McGee:

The Department of Health and Human Services (HHS) is working on a proposed update to the HIPAA Security Rule and intensifying enforcement efforts, including resuming HITECH Act HIPAA audits. The focus is on the risk analysis requirement, a significant weakness among regulated organizations that contributes to many breaches. HHS plans to update the HIPAA Security Rule by the end of the year to reflect changes in technology and healthcare delivery over the last two decades. Despite its scalability and technology-neutral nature, the rule’s 20-year-old framework doesn’t reflect current healthcare practices, necessitating the integration of practices like end-to-end encryption. Additionally, HHS has reopened HITECH audits and is proactively conducting them.


FTC Finalizes Changes to Health Breach Notification Rule

Summary of article from Fierce Healthcare, by Heather Landi:

The Federal Trade Commission (FTC) has finalized the revised Health Breach Notification Rule (HBNR) to enhance data privacy protection for consumers using digital health apps. The rule mandates vendors managing digital health records to notify individuals, the FTC, and sometimes the media, of any breach of unsecured personally identifiable health data. The data includes traditional health information, data from fitness trackers, and “emergent health data” such as health information inferred from location data and health-related purchases. The rule also obligates third-party service providers to notify vendors of personal health records following a breach discovery. The rule will be effective 60 days after its publication in the Federal Register.