Summary

On December 27, 2024, the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) published its Notice of Proposed Rulemaking (“NPRM”) titled HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information. HHS seeks comments on proposed modifications to the Security Standards for the Protection of Electronic Protected Health Information comprising 45 C.F.R. Parts 160 and 164, Subpart C, commonly known as the “Security Rule”, to address modern breach and cybersecurity risks to electronic protected health information (“ePHI”)[1] and common deficiencies observed by HHS in Security Rule compliance investigations, and to incorporate current industry best practices[2] and court decisions affecting enforcement of the Security Rule[3].[4] As summarized below, the proposed modifications signal HHS’s commitment to aligning the Security Rule requirements with current cybersecurity standards and addressing areas of non-compliance with more prescriptive measures to enhance ePHI security in the face of evolving cyber threats and technological advancements. HHS invites interested parties to submit comments by March 7, 2025.

Continue Reading HHS Publishes Notice of Proposed Rulemaking to Amend HIPAA Security Rule Requirements – Comments Due March 7, 2025

CPW has previously covered the proliferation of data breaches, including in the healthcare context. In a dramatic rebuttal of how the Department of Health and Human Services Office for Civil Rights (“OCR”) has historically enforced HIPAA, the Fifth Circuit Court of Appeals recently handed down a landmark decision vacating a multi-million dollar penalty that had been assessed against a healthcare provider. The case concerned three alleged data breaches and violations of various HIPAA requirements involving the University of Texas M.D. Anderson Cancer Center (“M.D. Anderson”). Following an OCR enforcement action, OCR imposed a US$4,348,000 penalty, which M.D. Anderson appealed up to the Fifth Circuit. In rejecting the penalty, the Court criticized not only OCR’s interpretation of the HIPAA regulations generally but also OCR’s penalty calculation in this case.

(1) The HIPAA Security Rule Encryption Requirement. The Court first interpreted the HIPAA Security Rule requirement to encrypt ePHI. OCR claimed that M.D. Anderson violated this requirement because it adopted a policy to encrypt portable media that was not implemented on the devices at issue. The Court, however, ruled that HIPAA only requires Covered Entities to implement a “mechanism” to encrypt data. Here, the Court found that M.D. Anderson had adopted a “mechanism” to encrypt (through its policy requiring such encryption) even if that “mechanism” was not perfectly implemented. In other words, the failure to fully implement the encryption policy did not itself violate the HIPAA encryption requirement.

(2) The HIPAA Privacy Rule Prohibition on Unauthorized Disclosures. The Court next held that the Privacy Rule prohibition on unauthorized “disclosures” is only violated when there is an affirmative act of disclosure, rather than a general loss of data. According to the Court, the mere “loss of control” of PHI (e.g., when a device is stolen), therefore, does not constitute an unauthorized “disclosure.” This position mirrors how California courts have interpreted similar provisions in the analogous state Confidentiality of Medical Information Act (“CMIA”). See, e.g., Sutter Health v. Superior Court, 174 Cal. Rptr. 3d 653 (Cal. 3d Dist. Ct. App. July 21, 2014).

CPW’s Elliot Golding, Kristin Bryan and Christina Lamoureux have prepared an overview of this must-read case and its implications here.

Last month California Governor Gavin Newsom signed AB 713 into law, which aligns the CCPA more closely with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and other laws governing scientific research. Although these changes may help ease compliance challenges for the health care and life sciences industries, they only exempt certain types of data from the CCPA rather than exempting health companies entirely.

Continue Reading CCPA Amended to Address HIPAA Exemption, Deidentified Data Rules

The US Department of Health and Human Services’ Office for Civil Rights (“OCR”) recently announced a settlement with Georgia-based Athens Orthopedic Clinic PA (the “Clinic”) to resolve multiple alleged violations of the Privacy and Security Rules under the Health Insurance Portability and Accountability Act (“HIPAA”).

Under the terms of the settlement, the Clinic agreed to pay $1.5 million to OCR and to adopt a corrective action plan to settle potential violations of the Privacy and Security Rules under HIPAA. The Clinic provides orthopedic services to approximately 138,000 patients annually.

Continue Reading Orthopedic Clinic Settles with HHS OCR for $1.5 Million Over Claims of Systemic HIPAA Noncompliance

As explained in a recent post published on Squire Patton Boggs’ Anticorruption Blog, the DOJ is pursuing providers who submit false claims under the electronic health records initiative. This enforcement action should serve as a reminder to examine carefully attestations of EHR compliance, including the requirement to complete a HIPAA-required security risk assessment.

Overview of Recent Settlement Actions

Recent Health Insurance Portability and Accountability Act (“HIPAA”) enforcement settlements for Virtual Medical Group (“VMG”) in New Jersey and EmblemHealth in New York may signal a broader trend of increased state HIPAA enforcement. Under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act’s amendment to HIPAA, codified at 42 U.S.C. § 1320d-5(d), state attorneys general have authority to bring civil actions in federal district court to enforce HIPAA when the interests of state citizens have been affected. Although states also have authority to bring civil actions under state unfair and deceptive acts and practices (“UDAP”) laws, their additional authority under HIPAA provides an independent vehicle to enforce data privacy and cybersecurity practices. This increased enforcement trend provides yet another reason that health care entities subject to HIPAA need to ensure they have taken steps to achieve HIPAA compliance.

Continue Reading States Increase HIPAA Enforcement

The HHS Office for Civil Rights announced earlier this month that a court-appointed receiver for Filefax, an Illinois moving and storage company, has entered into a resolution agreement and corrective action plan to settle alleged violations of the HIPAA Privacy and Security Rules. The receiver for Filefax, which went out of business during OCR’s investigation, has agreed to pay $100,000 for alleged mishandling and improper disclosure of medical records containing protected health information for approximately 2,150 patients. OCR Director Roger Severino has pointed to the settlement agreement as a reminder to companies that HIPAA still applies regardless of whether a covered entity is opening or closing its doors. For more information, please see our Triage Health Law blog post.

Last month, the Department of Health and Human Services Office for Civil Rights (“OCR”) issued two helpful new HIPAA guidance documents regarding research uses and disclosures of PHI, fulfilling a mandate in the 21st Century Cures Act (Public Law 114-255) (the “Act”). Although the documents merely reaffirm prior guidance in many places, they also contain helpful new information and serve to collect prior guidance spread across numerous places into a single location. The first document focuses on research authorizations and revocations:

Continue Reading HHS Office for Civil Rights Issues Updated HIPAA and Research Guidance in Response to 21st Century Cures Act Mandate

As we reported in our post about the Minnesota Consumer Data Privacy Act, the Rhode Island Data Transparency and Privacy Protection Act (RI-DTPPA) was passed by the state legislature on June 13th. Governor McKee neither signed nor vetoed it but transmitted it to the Rhode Island Secretary of State, i.e., it is effective without the Governor’s signature.

1. WHEN IS RI-DTPPA IN FORCE?

The RI-DTPPA effective date is January 1, 2026 – the same date as the consumer privacy laws in Indiana and Kentucky.

Since Vermont’s consumer privacy law was vetoed, the RI-DTPPA makes 20 state consumer privacy laws. The 19 state consumer privacy laws preceding RI-DTPPA (collectively, the State Consumer Privacy Laws) are in force as follows.

State | State Consumer Privacy Law Title | Effective Date
California | California Consumer Privacy Act (CCPA) | January 1, 2020; CCPA Regulations effective January 1, 2023
Colorado | Colorado Privacy Act | July 1, 2023
Connecticut | Connecticut Personal Data Privacy and Online Monitoring Act | July 1, 2023
Delaware | Delaware Personal Data Privacy Act | January 1, 2025
Florida | Florida Digital Bill of Rights | July 1, 2024
Indiana | Indiana Consumer Data Protection Act | January 1, 2026
Iowa | Iowa’s Act Relating to Consumer Data Protection | January 1, 2025
Kentucky | Kentucky Consumer Data Privacy | January 1, 2026
Maryland | Maryland Online Data Privacy Act | October 1, 2025
Minnesota | Minnesota Consumer Data Privacy Act | July 31, 2025
Montana | Montana Consumer Data Privacy Act | October 1, 2024
Nebraska | Nebraska’s Data Privacy Act | January 1, 2025
New Hampshire | Act Relative to the Expectation of Privacy | January 1, 2025
New Jersey | New Jersey Data Protection Act | January 15, 2025
Oregon | Oregon Consumer Privacy Act | July 1, 2024 (July 1, 2025, for in-scope non-profit organizations)
Tennessee | Tennessee Information Protection Act | July 1, 2025
Texas | Texas Data Privacy and Security Act | July 1, 2024
Utah | Utah Consumer Privacy Act | December 31, 2023
Virginia | Virginia Consumer Data Protection Act | January 1, 2023
Continue Reading Rhode Island Makes it an Even 20

Last week, the Texas AG’s office began an enforcement sweep of apparent violations of Texas’ Data Broker Law (the “Law”). Specifically, over 100 companies received letters for alleged failure to register as data brokers with the Texas Secretary of State by the March 1, 2024 deadline.

The Law defines a Data Broker as “a business entity whose principal source of revenue is derived from the collecting, processing, or transferring of personal data that the entity did not collect directly from the individual linked or linkable to the data.” The penalty for a Data Broker who violates the registration requirement is up to $10,000.00 within a 12-month period. The Law also imposes additional requirements such as the need to develop, implement, and maintain a comprehensive information security program.

Continue Reading The Eyes of Texas are Upon You: Texas Privacy Enforcement Heats Up!