For more than 20 years, the HIPAA Security Rule has been virtually unchanged other than extending its scope beyond covered entities to also include business associates. During that time, technology has changed, cybersecurity...
1/9/2025 / Compliance, Cybersecurity, Data Privacy, Data Protection, Department of Health and Human Services (HHS), Electronic Protected Health Information (ePHI), HIPAA Security Rule, Notice of Proposed Rulemaking (NOPR), OCR, Proposed Rules, Risk Management, Trump Administration
We just want to provide a friendly reminder that, before key staff depart for the holidays, HIPAA covered entities and business associates should finalize their compliance with the 2024 HIPAA amendments related to...
12/19/2024 / Compliance, Covered Entities, Data Privacy, Deadlines, Department of Health and Human Services (HHS), Disclosure Requirements, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, New Amendments, OCR, PHI, Reproductive Healthcare Issues, Settlement
Changes to guidance are unlikely to mitigate widespread concerns -
On March 18, 2024, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) revised its controversial guidance on how HIPAA applies...
The long-anticipated final rule addressing substance use disorder (SUD) records at 42 C.F.R. Part 2, commonly referred to as Part 2, is here. The final rule is a joint undertaking by the U.S. Department of Health and Human...
2/21/2024 / Breach Notification Rule, CARES Act, Civil Monetary Penalty, Confidentiality Policies, Consent Agreements, Department of Health and Human Services (HHS), Disclosure Requirements, Enforcement, Final Rules, Health Insurance Portability and Accountability Act (HIPAA), Notice of Proposed Rulemaking (NOPR), OCR, Penalties, PHI, Risk Assessment, SAMHSA, Substance Abuse
February 29, 2024, is the date by which HIPAA-covered entities must notify the U.S. Department of Health and Human Services Office for Civil Rights (OCR) of all "small" breaches of unsecured protected health information that...
The U.S. Department of Health and Human Services ("HHS") issued a concept paper describing its overarching strategy to address healthcare cybersecurity. The concept paper builds on the Biden-Harris Administration's National...
12/18/2023 / Cybersecurity, Department of Health and Human Services (HHS), Enforcement, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, HITECH Act, Homeland Security Cybersecurity & Infrastructure Security Agency (CISA), Medicare, OCR, Popular
On April 27, 2023, Washington Governor Jay Inslee signed into law the My Health My Data Act (the "Act"), which will regulate the collection, use, and disclosure of "consumer health data" ("Consumer Health Data" or "CHD"). The...
5/2/2023 / Business Associates, Covered Entities, Data Privacy, Data Protection, Data Security, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), OCR, Patient Privacy Rights, PHI, Private Right of Action
Walking a middle path, the HHS Office for Civil Rights (OCR) published proposed amendments to the HIPAA Privacy Rule on April 17, 2023, to further safeguard the privacy of reproductive health care information. This comes in...
HIPAA-covered entities must notify the U.S. Department of Health and Human Services Office for Civil Rights (OCR) of "small" breaches of unsecured protected health information that were discovered during calendar-year 2022 no...
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued a bulletin on December 1, 2022, clarifying that "regulated entities are not permitted to use tracking technologies in a manner that would...
On June 24, 2022, the US Supreme Court released its opinion Dobbs v. Jackson Women's Health Organization, 142 S. Ct. 2228 (2022), reversing Roe v. Wade and holding that the US Constitution does not confer a right to abortion....
In two weeks, on October 6, 2022, the scope of the 21st Century Cures Act Information Blocking Rule expands to prohibit health care providers from blocking or interfering with patient access to any electronic information in a...
On June 13, 2022, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced new guidance on using remote communication technologies to provide audio-only telehealth services in compliance with...
Just one month remains to comment on the U.S. Department of Health and Human Services (HHS) Office for Civil Rights' (OCR) current Request for Information (RFI), which seeks public input on the implementation of two statutory...
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced four enforcement resolutions at the end of March 2022, with issues ranging from the misuse of protected health information (PHI)...
March 1, 2021, is the due date for HIPAA-covered entities to notify the U.S. Department of Health and Human Services Office for Civil Rights (OCR) about "small" breaches of unsecured protected health information discovered...
Telehealth is an essential tool in addressing the COVID-19 pandemic as well as in treating other ailments during this time. The Department of Health and Human Services' Office for Civil Rights (OCR) recently issued a...
In a Rare Imposition of HIPAA Civil Monetary Penalties (CMPs) Rather than Settlement, What to Accept May Have Been the Question -
On October 23, 2019, the Department of Health and Human Services Office for Civil Rights...
The Department of Health and Human Services Office for Civil Rights (OCR) today announced that it is lowering the maximum total penalties it may assess against covered entities and business associates for multiple violations...
March 1, 2019 is the date by which HIPAA covered entities must notify the U.S. Department of Health and Human Services Office for Civil Rights (OCR) of “small” breaches of unsecured protected health information that were...
When a patient publicly disparages a health care provider, HIPAA leaves the health care provider in a seemingly impossible situation. If the health care provider does not respond and dispute the allegation, then its...
Recent statements at the 27th National HIPAA Summit suggest that the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) may be changing its position and expecting a greater level of vendor due...
March 1, 2018 is the date by which HIPAA covered entities must notify the U.S. Department of Health and Human Services Office for Civil Rights (OCR) of “small” breaches of unsecured protected health information that were...
There has been confusion as to whether the Affordable Care Act’s nondiscrimination provision (“ACA”) affects a covered entity’s notice of privacy practices (“NPP”) or data breach notifications. OCR has issued guidance...
As a reminder that state attorneys general have enforcement authority over breach notifications, the New York Attorney General recently announced a $130,000 settlement for failing to provide breach notification in a...