Tag Archives: HHS

HHS OCR Guidance to 60,000 Retail Pharmacies: Refusal to Fill Rx Based on Potential Pregnancy Termination Concerns Is a Civil Rights Violation, Will Be Investigated

Photo of Kimberly GordyPhoto of Aleksandra VoldBy Kimberly Gordy and Aleksandra Vold on Posted in HHS
On July 13, the Department of Health & Human Services (HHS) Office for Civil Rights (OCR) issued guidance to retail pharmacies that refusing to dispense a prescribed medication or making a determination on the suitability of that medication on the basis of the patient’s sex, pregnancy, or pregnancy-related conditions is discriminatory conduct in violation of … Continue Reading

New Director of HHS Office for Civil Rights Announced: What could Lisa J. Pino’s appointment mean for future HIPAA enforcement?

Photo of Sara GoldsteinBy Sara Goldstein on Posted in Cybersecurity, Enforcement, Healthcare, HHS, HIPAA/HITECH
More than eight months into the Biden administration, the U.S. Department of Health & Human Services (HHS) announced the appointment of Lisa J. Pino as the new director of the Office for Civil Rights (OCR) on Sept. 27, 2021. As the new director of the OCR, Pino will be responsible for enforcing the Health Insurance … Continue Reading

Privacy-Forward California AG Xavier Becerra Confirmed as Next HHS Secretary

Photo of Aleksandra VoldPhoto of Alexandra RoyalBy Aleksandra Vold and Alexandra Royal on Posted in HHS
On March 19, 2021, Xavier Becerra was confirmed as the secretary of the U.S. Department of Health and Human Services (HHS). HHS is the federal regulatory body that oversees the Office for Civil Rights (OCR), which is the primary federal enforcer of the Health Insurance Portability and Accountability Act (HIPAA). The secretary oversees 11 operating … Continue Reading

Court Finds HHS Had No Lawful Basis Under HIPAA for a $4.3 Million Civil Money Penalty: What Does This Mean for Future HHS Enforcement Actions?

Photo of Sara GoldsteinPhoto of Jessica Captain NovickPhoto of Lynn SessionsBy Sara Goldstein, Jessica Captain Novick and Lynn Sessions on Posted in HHS, HIPAA/HITECH
The United States Court of Appeals for the Fifth Circuit recently found that the United States Department of Health and Human Services (HHS) lacked a lawful basis for a $4.3 million civil money penalty order that it issued to a healthcare provider for alleged violations of the Health Insurance Portability and Accountability Act of 1996 … Continue Reading

ONC Announces Delay of Information Blocking Provisions

Photo of Vimala DevassyBy Vimala Devassy on Posted in Healthcare, HHS
The Department of Health and Human Services’ (HHS)’ Office of the National Coordinator (ONC) published an interim final rule today delaying several key compliance deadlines in the ONC 21st Century Cures Act final rule – including that of the information blocking provisions, which were slated to become effective on November 2, 2020 – until April 5, … Continue Reading

Due to the COVID-19 Pandemic, HHS Eases Restrictions on the Use and Disclosure of PHI by Business Associates

Photo of Eric A. PackelBy Eric A. Packel on Posted in HHS
The COVID-19 public health emergency already has caused the U.S. Health and Human Services (HHS) Office for Civil Rights to announce various enforcement changes and waivers. On April 2, HHS issued another notification of enforcement discretion – this one relating to business associates. This latest notification allows business associates to use and disclose protected health … Continue Reading

HHS Issues Two Important Bulletins Waiving HIPAA Sanctions During the COVID-19 National Emergency

Photo of Vimala DevassyBy Vimala Devassy on Posted in HHS
The HHS Office for Civil Rights (OCR) issued two important bulletins this week regarding the novel coronavirus disease (COVID-19) outbreak. On Mar. 16, OCR issued a limited waiver of HIPAA sanctions and penalties for noncompliance with certain provisions of the HIPAA Privacy Rule, including the requirement to obtain a patient’s agreement to speak with family … Continue Reading

New HHS Rules Give Patients ‘Unprecedented’ Digital Access to Their Own Health Data but May Put Privacy at Risk

Photo of Stefanie FerrariPhoto of Sara GoldsteinBy Stefanie Ferrari and Sara Goldstein on Posted in HHS
On Monday, the U.S. Department of Health and Human Services (HHS) issued what it calls “transformative” rules that will govern how healthcare providers, insurers and technology vendors must design their systems to give patients safe and secure access to their health data. Issued by two different agencies within HHS – the Office of the National … Continue Reading

Federal Court Invalidates 2013 HIPAA Omnibus Rule Regulations and HHS Guidance on Fees for Copies of Medical Records

Photo of Sara GoldsteinPhoto of Aleksandra VoldPhoto of Alexandra RoyalBy Sara Goldstein, Aleksandra Vold and Alexandra Royal on Posted in HHS, HIPAA/HITECH
In what is being seen as a strong rebuke to years of regulatory overreach, the United States District Court for the District of Columbia entered an order on January 23, 2020 that invalidates provisions of the 2013 Omnibus Rule to the Health Insurance Portability and Accountability Act (“HIPAA”) and 2016 guidance issued by United States … Continue Reading

Departments of Education and HHS Release Joint Guidance on the Relationship Between FERPA and HIPAA

Photo of Kathryn CareyPhoto of Benjamin WellsBy Kathryn Carey and Benjamin Wells on Posted in HIPAA/HITECH
At the end of 2019, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and U.S. Department of Education Student Privacy Policy Office (ED) issued an update to their joint guidance on the relationship between the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability … Continue Reading

Risk Management Strategies to Reduce Risk Associated with Telehealth

By Paulette Thomas on Posted in HHS, Medical Privacy
The use of technology to provide healthcare has existed for decades; however, recent advances in technology and changes in reimbursement have increased the prevalence of telehealth for diagnosing and treating patients. Telehealth is an emerging and promising method of providing healthcare in areas where healthcare may be limited or unavailable. Telehealth provides quality, cost-effective healthcare … Continue Reading

‘Apparent Inconsistency’ in HITECH Language Leads HHS OCR to Significantly Decrease Yearly Fines

Photo of Aleksandra VoldBy Aleksandra Vold on Posted in HIPAA/HITECH, Medical Privacy
On April 26, 2019, the U.S. Department of Health & Human Services (HHS) issued an announcement that the annual penalty cap for three of the four tiers of HIPAA violations would be reduced significantly to match what HHS called a “better reading” of inconsistent language found in the Health Information Technology for Economic and Clinical … Continue Reading

Deeper Dive: The Landscape of Healthcare Data Breaches

Photo of Lynn SessionsPhoto of Patrick H. HaggertyPhoto of Kimberly GordyBy Lynn Sessions, Patrick H. Haggerty and Kimberly Gordy on Posted in HIPAA/HITECH, Medical Privacy
Healthcare was the industry most affected by data breaches in 2018. We worked on nearly 200 healthcare matters involving multispecialty academic medical centers, hospital systems, small and large physician practices, small and large health insurers, and biotech and pharmaceutical companies. In 2018, health information alone was just behind Social Security numbers (which can also be … Continue Reading

Best Cybersecurity Practices for Healthcare Organizations – Insider-Caused Data Loss

Photo of Aleksandra VoldPhoto of Kathryn CareyBy Aleksandra Vold and Kathryn Carey on Posted in HHS, HIPAA/HITECH, Medical Privacy
This article is part of a series of blog posts exploring the recommendations and guidance Health & Human Services (HHS) provides to healthcare organizations in its Cybersecurity Best Practices report. For previous articles in the series, click here. While any security incident may cause an entity heartburn, when the incident is traced back to an … Continue Reading

Best Cybersecurity Practices for Healthcare Organizations – Loss or Theft of Devices

Photo of Aleksandra VoldPhoto of Kathryn CareyBy Aleksandra Vold and Kathryn Carey on Posted in HHS, HIPAA/HITECH
This article is part of a series of blog posts exploring the recommendations and guidance Health & Human Services (HHS) provides to healthcare organizations in its Cybersecurity Best Practices report. For previous articles in the series, click here. The report on cybersecurity best practices (Report) weighs in on one of the issues many entities find … Continue Reading

Best Cybersecurity Practices for Healthcare Organizations – Ransomware Prevention

Photo of Aleksandra VoldPhoto of Kathryn CareyBy Aleksandra Vold and Kathryn Carey on Posted in HHS, HIPAA/HITECH, Phishing, Ransomware
This article is part of a series of blog posts exploring the recommendations and guidance Health & Human Services (HHS) provides to healthcare organizations in its “Cybersecurity Best Practices” report. For previous articles in the series, click here. The report on cybersecurity best practices (Report) is not the first time HHS has discussed the prevalent … Continue Reading

What Can We Learn From the Healthcare Data Breach ‘Wall of Shame’?

Photo of Eric A. PackelBy Eric A. Packel on Posted in HHS, HIPAA/HITECH
In addition to dealing with the public outcry and regulatory scrutiny resulting from a healthcare data breach, covered entities under the Health Insurance Portability and Accountability Act (or their business associates) are required to report breaches to the Department of Health & Human Services’ (HHS) Office for Civil Rights. But the pain doesn’t end there. … Continue Reading

Best Cybersecurity Practices for Healthcare Organizations – Phishing Prevention

Photo of Kathryn CareyPhoto of Aleksandra VoldBy Kathryn Carey and Aleksandra Vold on Posted in Cybersecurity, HHS, HIPAA/HITECH
This article is part of a series of blog posts exploring the recommendations and guidance Health and Human Services (HHS) provides healthcare organizations in its Cybersecurity Best Practices report. For previous articles in the series, click here. In its report on cybersecurity best practices, HHS highlights email phishing attacks as one of the top threats … Continue Reading

HHS Issues Cybersecurity Guidance for Healthcare Organizations

Photo of Kathryn CareyPhoto of Aleksandra VoldBy Kathryn Carey and Aleksandra Vold on Posted in Cybersecurity, HHS
BakerHostetler will post a series of blogs to fully explore the recommendations and guidance Health and Human Services provides healthcare organizations in its report. Cyberattacks continue to rise across industries, and healthcare is no different. Eighty percent of U.S. physicians reported having experienced some form of cyberattack. In 2017, cyberattacks cost small and midsize businesses … Continue Reading

HHS OIG Launches Cybersecurity Webpage to Raise Awareness and Boost Cybersecurity Best Practices

Photo of Lynn SessionsPhoto of Alexandra RoyalBy Lynn Sessions and Alexandra Royal on Posted in Cybersecurity, HHS
Healthcare data can be up to 10 times more valuable to cyber criminals than credit card numbers, according to a report from the Department of Health & Human Services’ (HHS) Office of the Inspector General (OIG). And, with healthcare-focused ransomware attacks like WannaCry and NotPetya in the news more frequently, it’s no wonder that HHS OIG … Continue Reading

The Weekly Privacy Rewind

By Aaron Lancaster on Posted in Weekly Privacy Rewind
Class Actions Plaintiffs Seek Approval for $4.3 Million Settlement With Sonic in Credit Card Data Breach Suit • Following a variety of lawsuits against fast food chain Sonic Drive-In related to a 2017 credit card data breach, plaintiffs are seeking consolidation of those suits, class certification and a $4.3 million settlement. • The settlement would … Continue Reading

OCR Issues Alert Regarding Phishing Email Disguised as Official OCR Audit Communication

Photo of Patrick H. HaggertyBy Patrick H. Haggerty on Posted in HIPAA/HITECH, Medical Privacy
11/30/2016 Update: Today OCR issued another alert relating to the phishing email campaign and has shared that the phishing email originates from the email address OSOCRAudit@hhs-gov.us and directs individuals to a URL at http://www.hhs-gov.us. This is a subtle difference from the official email address for OCR’s HIPAA audit program, OSOCRAudit@hhs.gov. Covered entities and business associates … Continue Reading

OCR Continues Waving Its HIPAA Enforcement Flag: Don’t Forget About Medical Devices

Photo of Theodore J. Kobus IIIBy Theodore J. Kobus III on Posted in HIPAA/HITECH, Medical Privacy
The day before Thanksgiving, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the largest resolution agreement of 2015, against Lahey Hospital and Medical Center (Lahey). The incident giving rise to the $850,000 settlement was apparently an isolated theft involving 599 patients with electronic protected health information (ePHI) on … Continue Reading

OCR Updates Breach Report Web Portal — Changes Could Impact Annual Breach Reports

Photo of Lynn SessionsBy Lynn Sessions and Cory J. Fox on Posted in HIPAA/HITECH, Medical Privacy
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently launched an updated version of the portal covered entities must use to notify OCR regarding a breach of unsecured protected health information (PHI) under 45 C.F.R. § 164.408, and the changes could impact covered entities planning to submit their 2014 … Continue Reading
LexBlog