HIPAA Privacy Rule and Security Rule Developments to Note Early in 2021

Ballard Spahr LLP

Ballard Spahr LLP

The Health Insurance Portability and Accountability Act (HIPAA) has been the subject of several major developments already in 2021. Healthcare providers, health plans, healthcare clearinghouses, and business associates subject to HIPAA must consider these developments to comply with HIPAA’s technical requirements through 2021 and beyond. For those entities subject to the HIPAA Privacy Rule and Security Rule, our team of HIPAA lawyers has penned an Alert describing these developments in detail. This post will summarize several highlights.

In the regulatory arena, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released proposed changes to the HIPAA Privacy Rule in late January 2021. The proposed regulations include several modifications to HIPAA requirements, including changes that enhance individuals’ access to their own health information and require revisions to privacy notices. Although the rules were announced under the prior Administration, and are subject to President Biden’s Regulatory Freeze Pending Review, many of these rules were previously raised by President Obama’s Administration and are likely to be adopted.

A key legislative development to note is an amendment to Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) that requires HHS to consider a covered entity or business associate’s use of “recognized security practices” when conducting an audit, assessing penalties, or seeking corrective action for violations. Recognized security practices may include practices consistent with standards promulgated by the National Institute of Standards and Technology (NIST) or approaches under the Cybersecurity Act of 2015.

The courts have also recently weighed in on HIPAA privacy and security. The Fifth Circuit recently vacated a nearly $5 million penalty imposed by HHS against a university cancer center for three alleged HIPAA security breaches. The court determined that the agency’s action constituted an arbitrary and capricious enforcement of its regulations. The decision is a sharp reversal of HIPAA penalties previously upheld on appeal, but is not a basis for relaxing vigilance on privacy and security.

These wide-ranging developments demonstrate that entities subject to HIPAA need to monitor current developments and prepare to adapt quickly.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising

Written by:

Ballard Spahr LLP

Ballard Spahr LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.