Categories: Health Law Highlights

How HHS OCR Is Boosting HIPAA Enforcement; Here Come Audits

Summary of article from BankInfo Security, by Marianne Kolbasuk McGee:

The Department of Health and Human Services (HHS) is working on a proposed update to the HIPAA Security Rule and intensifying enforcement efforts, including resuming HITECH Act HIPAA audits. The focus is on the risk analysis requirement, a significant weakness among regulated organizations and a contributing factor in many breaches. HHS plans to update the HIPAA Security Rule by the end of the year to reflect changes in technology and healthcare delivery over the last two decades. Although the rule is scalable and technology-neutral, its 20-year-old framework doesn’t reflect current healthcare practices, necessitating the integration of practices such as end-to-end encryption. Additionally, HHS has reopened HITECH audits and is proactively conducting them.

Categories: Health Law Highlights

FTC Finalizes Changes to Health Breach Notification Rule

Summary of article from Fierce Healthcare, by Heather Landi:

The Federal Trade Commission (FTC) has finalized the revised Health Breach Notification Rule (HBNR) to enhance data privacy protection for consumers using digital health apps. The rule mandates vendors managing digital health records to notify individuals, the FTC, and sometimes the media, of any breach of unsecured personally identifiable health data. The data includes traditional health information, data from fitness trackers, and “emergent health data” such as health information inferred from location data and health-related purchases. The rule also obligates third-party service providers to notify vendors of personal health records following a breach discovery. The rule will be effective 60 days after its publication in the Federal Register.

Categories: Alert

HHS Issues New Rule to Support Reproductive Health Care Privacy Under HIPAA

The Biden-Harris Administration has announced a Final Rule through the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) to enhance the HIPAA Privacy Rule and protect reproductive health care privacy. This rule prohibits the disclosure of protected health information (PHI) related to lawful reproductive health care under certain conditions. The rule was issued in response to community feedback calling for better patient confidentiality and for preventing misuse of medical records related to reproductive health care. The rule requires regulated health care providers and organizations to modify their Notice of Privacy Practices and to obtain a signed attestation for certain requests for PHI related to reproductive health care. The current HIPAA Privacy Rule remains in effect until the new rule is implemented.

Categories: Health Law Highlights

Navigating HIPAA Compliance in the Age of AI: Privacy and Security Considerations in Healthcare

Summary of article from HackerNoon, by mcmullen:

Artificial intelligence (AI) is revolutionizing various aspects of healthcare, but it also presents privacy and security risks, particularly in the context of data breaches. Compliance with the Health Insurance Portability and Accountability Act (HIPAA) is crucial when integrating AI into healthcare. To remain HIPAA compliant, healthcare organizations must understand AI algorithms, regularly update policies, and implement robust security measures. Despite the challenges, the implementation of AI in healthcare, when done responsibly and ethically, offers significant potential benefits for patient care and research.

Categories: Health Law Highlights

Companies with Strong Cybersecurity Programs Deliver Higher Returns for Shareholders

Summary of article in The HIPAA Journal, by Steve Adler:

A study by Diligent Institute and Bitsight reveals that organizations with strong cybersecurity programs yield better financial performance and higher shareholder returns. The study, which analyzed data from 4,149 mid- to large-sized organizations, found that companies with advanced security ratings created almost four times more value for their shareholders than those with basic security ratings. The report also emphasized that cybersecurity is not just an IT problem but an enterprise risk affecting the company’s performance and health. There was a correlation between board structure and security ratings, with companies that have specialized risk or audit committees performing better. The presence of a cybersecurity expert on these committees significantly improved an organization’s security performance.

Categories: Health Law Highlights

Comprehensive Federal Privacy Bill May Open Backdoor for HIPAA Private Right of Action

Summary of article from Fox Rothschild, by Elizabeth Litten:

The American Privacy Rights Act of 2024 (APRA) is a significant data privacy bill that aims to establish national data privacy rights and protections, superseding existing state data privacy laws. The Federal Trade Commission, states, and impacted individuals will enforce it. The bill includes a provision for entities subject to the Health Insurance Portability and Accountability Act (HIPAA), stipulating they must comply with HIPAA’s data privacy and security requirements. However, the bill leaves room for non-compliant entities to be subject to APRA’s robust enforcement mechanisms, including the right for individuals to sue for alleged HIPAA violations. Given the complexity and evolving nature of HIPAA compliance requirements, the stability of APRA’s HIPAA provisions may be uncertain.

Categories: Health Law Highlights

Ernest Health Sued Over 2024 Ransomware Attack and Data Breach

Summary of article from The HIPAA Journal, by Steve Adler:

Ernest Health, a Texas-based health system, is facing a lawsuit following a cyberattack that compromised the protected health information of approximately 94,747 patients. The breach, claimed by the LockBit ransomware group, occurred between January 16, 2024, and February 4, 2024, leading to unauthorized access to sensitive patient data. The lawsuit, filed by Joe Lara and Lauri Cook, alleges that Ernest Health had insufficient cybersecurity measures and training, resulting in the inability to prevent or effectively respond to the breach. The plaintiffs claim that the 73-day delay in individual notifications hindered their ability to mitigate damages and that the response measures, including credit monitoring and identity theft protection, were inadequate. The lawsuit seeks a jury trial, various forms of relief, and damages, alleging negligence, breach of implied contract, invasion of privacy, unjust enrichment, and breach of fiduciary duty.

Categories: Health Law Highlights

Online Tracking Technologies: Updated HIPAA Guidance Creates Uncertainty

From Morgan Lewis, by W. Reece Hirsch, Amy M. Magnano, Michael J. Madderra, Sydney Reed Swanson:

The US Department of Health and Human Services’ (HHS’s) Office for Civil Rights (OCR) updated its guidance on the use of online tracking technologies, causing further uncertainty for HIPAA-covered entities. OCR acknowledges that tracking technologies, such as cookies and web beacons, can unintentionally capture protected health information (PHI), thus implicating HIPAA. The updated guidance states that individually identifiable health information (IIHI) collected on a regulated entity’s website or app is generally considered PHI, even without specific treatment or billing details. The guidance differentiates between authenticated and unauthenticated pages, warning that PHI could be accessible even on unauthenticated pages. The update presents a compliance challenge for HIPAA-regulated entities, as discerning the subjective intent of website visitors is difficult, and entities must also consider other federal and state laws where HIPAA does not apply.

Categories: Alert

HHS’ Office for Civil Rights Settles HIPAA Investigation with Phoenix Healthcare

From U.S. Health and Human Services:

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has reached a settlement with Phoenix Healthcare over a potential violation of the HIPAA Right of Access provision. The case involved a daughter, acting as a representative for her mother, who could not access her mother’s health information for almost a year despite numerous requests. OCR Director Melanie Fontes Rainer emphasized the importance of timely access to medical records for patient decision-making and treatment accuracy. Phoenix Healthcare eventually provided the requested records 323 days after the initial request. This case marks OCR’s 47th enforcement action related to the Right of Access provision under HIPAA.

Categories: Health Law Highlights

New State Health Privacy Laws—Moving Beyond HIPAA and Recasting Consumer Health Data Rights?

From Jones Day, by Alexis S. Gilroy, Lisa M. Ropple, Ryan P. Blaney, Claire E. Castles, Jennifer C. Everett and Kristen Pollock McDonald:

The new consumer health data (CHD) privacy laws enacted in Washington and Nevada aim to offer state-level protections for personal health data not covered by the Health Insurance Portability and Accountability Act (HIPAA). The laws, effective from March 31, 2024, require entities to obtain affirmative consent before collecting or sharing CHD, develop privacy policies, implement security safeguards, and restrict geofencing. Both laws grant consumers rights to access, review, and delete their CHD, and to withdraw consent for its collection or sharing. Washington’s law uniquely gives consumers a private right of action for CHD-related violations, potentially leading to increased litigation. Companies are advised to review and revise their policies and practices to ensure compliance.