The Biden-Harris Administration has announced a Final Rule through the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) to enhance the HIPAA Privacy Rule and protect reproductive health care privacy. This rule prohibits the disclosure of protected health information (PHI) related to lawful reproductive health care under certain conditions. The rule was issued in response to community feedback for better patient confidentiality and to prevent misuse of medical records related to reproductive health care. The rule mandates regulated health care providers and organizations to modify their Notice of Privacy Practices and obtain a signed attestation for certain requests for PHI related to reproductive health care. The current HIPAA Privacy Rule remains in effect until the new rule is implemented.
Tag: HIPAA
Summary of article from HackerNoon, by mcmullen:
Artificial intelligence (AI) is revolutionizing various aspects of healthcare, but it also presents privacy and security risks, particularly in the context of data breaches. Compliance with the Health Insurance Portability and Accountability Act (HIPAA) is crucial when integrating AI into healthcare. To remain HIPAA compliant, healthcare organizations must understand AI algorithms, regularly update policies, and implement robust security measures. Despite the challenges, the implementation of AI in healthcare, when done responsibly and ethically, offers significant potential benefits for patient care and research.
Summary of article in The HIPAA Journal, by Steve Adler:
A study by Diligent Institute and Bitsight reveals that organizations with strong cybersecurity programs yield better financial performance and higher shareholder returns. The study, which analyzed data from 4,149 mid to large-sized organizations, found that companies with advanced security ratings created almost four times more value for their shareholders than those with basic security ratings. The report also emphasized that cybersecurity is not just an IT problem, but an enterprise risk affecting the company’s performance and health. There was a correlation between board structure and security ratings, with companies having specialized risk or audit committees performing better. The presence of a cybersecurity expert on these committees significantly improved an organization’s security performance.
Summary of article from Fox Rothschild, by Elizabeth Litten:
The American Privacy Rights Act of 2024 (APRA) is a significant data privacy bill that aims to establish national data privacy rights and protections, superseding existing state data privacy laws. The Federal Trade Commission, states, and impacted individuals will enforce it. The bill includes a provision for entities subject to the Health Insurance Portability and Accountability Act (HIPAA), stipulating they must comply with HIPAA’s data privacy and security requirements. However, the bill leaves room for non-compliant entities to be subject to APRA’s robust enforcement mechanisms, including the right for individuals to sue for alleged HIPAA violations. Given the complexity and evolving nature of HIPAA compliance requirements, the stability of APRA’s HIPAA provisions may be uncertain.
Summary of article from The HIPAA Journal, by Steve Adler:
Ernest Health, a Texas-based health system, is facing a lawsuit following a cyberattack that compromised the protected health information of approximately 94,747 patients. The breach, claimed by the LockBit ransomware group, occurred between January 16, 2024, and February 4, 2024, leading to unauthorized access to sensitive patient data. The lawsuit, filed by Joe Lara and Lauri Cook, alleges that Ernest Health had insufficient cybersecurity measures and training, resulting in the inability to prevent or effectively respond to the breach. The plaintiffs claim that the 73-day delay in individual notifications hindered their ability to mitigate damages and that the response measures, including credit monitoring and identity theft protection, were inadequate. The lawsuit seeks a jury trial, various forms of relief, and damages, alleging negligence, breach of implied contract, invasion of privacy, unjust enrichment, and breach of fiduciary duty.
From Morgan Lewis, by W. Reece Hirsch, Amy M. Magnano, Michael J. Madderra, Sydney Reed Swanson:
The US Department of Health and Human Services’ (HHS’s) Office for Civil Rights (OCR) updated its guidance on the use of online tracking technologies, causing further uncertainty for HIPAA-covered entities. OCR acknowledges that tracking technologies, such as cookies and web beacons, can unintentionally capture protected health information (PHI), thus implicating HIPAA. The updated guidance states that individually identifiable health information (IIHI) collected on a regulated entity’s website or app is generally considered PHI, even without specific treatment or billing details. The guidance differentiates between authenticated and unauthenticated pages, warning that PHI could be accessible even on unauthenticated pages. The update presents a compliance challenge for HIPAA-regulated entities, as discerning the subjective intent of website visitors is difficult, and entities must also consider other federal and state laws where HIPAA does not apply.
From U.S. Health and Human Services:
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has reached a settlement with Phoenix Healthcare over a potential violation of the HIPAA Right of Access provision. The case involved a daughter, acting as a representative for her mother, who could not access her mother’s health information for almost a year despite numerous requests. OCR Director Melanie Fontes Rainer emphasized the importance of timely access to medical records for patient decision-making and treatment accuracy. Phoenix Healthcare eventually provided the requested records 323 days after the initial request. This case marks OCR’s 47th enforcement action related to the Right of Access provision under HIPAA.
From Jones Day, by Alexis S. Gilroy, Lisa M. Ropple, Ryan P. Blaney, Claire E. Castles, Jennifer C. Everett and Kristen Pollock McDonald:
The new consumer health data (CHD) privacy laws enacted in Washington and Nevada aim to offer state-level protections for personal health data not covered by the Health Insurance Portability and Accountability Act (HIPAA). The laws, effective from March 31, 2024, mandate entities to obtain affirmative consent before collecting or sharing CHD, develop privacy policies, implement security safeguards, and restrict geofencing. Both laws grant consumers rights to access, review, and delete their CHD, and to withdraw consent for its collection or sharing. Washington’s law, uniquely, gives consumers a private right of action for CHD-related violations, potentially leading to increased litigation. Companies are advised to review and revise their policies and practices to ensure compliance.
From The HIPAA Journal, by Steve Alder:
The Department of Health and Human Services (HHS) has issued a letter to teaching hospitals and medical schools, emphasizing the necessity of obtaining informed consent from patients before conducting sensitive examinations, particularly when the patient is under anesthesia. The letter comes in response to reports indicating that medical students often perform such examinations without obtaining proper consent during their training. The HHS insists on the importance of documenting informed consent and upholds the patients’ right to refuse such examinations for teaching purposes. The Centers for Medicare & Medicaid Services (CMS) has provided new guidelines to clarify hospital responsibilities regarding informed consent. Furthermore, the Office for Civil Rights (OCR) underscores the HIPAA Privacy Rule, which allows patients to restrict access to their protected health information (PHI), even when unconscious.
From U.S. Department of Health and Human Services:
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) updated its guidance to regulated entities when using online tracking technologies. These technologies, used to collect and analyze user interaction with websites or mobile applications, must comply with HIPAA rules if the information gathered includes protected health information (PHI). Unauthorized disclosures of PHI to tracking technology vendors, such as for marketing purposes without compliant authorizations, are deemed impermissible.
The update emphasizes that regulated entities should ensure they disclose PHI only as expressly permitted or required by the HIPAA Privacy Rule. It provides guidance on the application of HIPAA rules to the use of tracking technologies on user-authenticated webpages, unauthenticated webpages, and within mobile apps. For instance, tracking technologies on user-authenticated webpages generally have access to PHI, and tracking technology vendors are considered business associates if they handle PHI.
Unauthenticated webpages, which do not require user login, usually do not have tracking technologies that access PHI. However, in cases where PHI is accessible, HIPAA rules apply. For mobile apps offered by regulated entities, information collected is generally considered PHI, and the entity must comply with HIPAA rules for any PHI the app uses or discloses. However, HIPAA does not protect information users voluntarily enter into non-regulated mobile apps.
Disclosures of PHI to tracking technology vendors must be specifically permitted by the Privacy Rule. If the vendor is a business associate, a business associate agreement (BAA) must be established. The use of tracking technologies should be addressed in the entity’s Risk Analysis and Risk Management processes. If there’s an impermissible disclosure of PHI, breach notification to affected individuals and the Secretary is required. OCR is prioritizing compliance with the HIPAA Security Rule in investigations into the use of online tracking technologies.