Summary

On December 27, 2024, the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) published its Notice of Proposed Rulemaking (“NPRM”) titled HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information. HHS seeks comments on proposed modifications to the Security Standards for the Protection of Electronic Protected Health Information comprising 45 C.F.R. Parts 160 and 164, Subpart C, commonly known as the “Security Rule”, to address modern breach and cybersecurity risks to electronic protected health information (“ePHI”)[1] and common deficiencies observed by HHS in Security Rule compliance investigations, and to incorporate current industry best practices[2] and court decisions affecting enforcement of the Security Rule[3].[4] As summarized below, the proposed modifications signal HHS’s commitment to aligning the Security Rule requirements with current cybersecurity standards and addressing areas of non-compliance with more prescriptive measures to enhance ePHI security in the face of evolving cyber threats and technological advancements. HHS invites interested parties to submit comments by March 7, 2025.

HHS Publishes Notice of Proposed Rulemaking to Amend HIPAA Security Rule Requirements – Comments Due March 7, 2025

Join Elliot Golding, a data privacy partner at SPB along with Joanne Charles (Microsoft) and Trinity Car (eHealth) for a must-attend webinar sponsored by the ABA next Thursday, September 9, at 1 pm EST.

In this era of digital health, the panelists will look “beyond HIPAA” and highlight other federal and state laws governing health information. They will explore the laws that relate to health information other than HIPAA and provide risk management strategies. Their session will focus on: research and data analytics covering federal laws (the Common Rule) and state privacy laws (CCPA and biometrics); vulnerable populations, including children (subject to COPPA, FERPA, etc.), and sensitive health information (mental health and substance use disorders); and advertising and communication issues subject to federal laws (CAN-SPAM and TCPA), state laws (CCPA) and industry (DAA) standards.

Registration is available here

CPW has previously covered the proliferation of data breaches, including in the healthcare context. In a dramatic rebuttal of how the Department of Health and Human Services Office for Civil Rights (“OCR”) has historically enforced HIPAA, the Fifth Circuit Court of Appeals recently handed down a landmark decision vacating a multi-million dollar penalty that had been assessed against a healthcare provider. The case concerned three alleged data breaches and violations of various HIPAA requirements involving the University of Texas M.D. Anderson Cancer Center (“M.D. Anderson”). Following an OCR enforcement action, OCR imposed a US$4,348,000 penalty, which M.D. Anderson appealed up to the Fifth Circuit. In rejecting the penalty, the Court criticized not only OCR’s interpretation of the HIPAA regulations generally but also OCR’s penalty calculation in this case.

(1) The HIPAA Security Rule Encryption Requirement. The Court first interpreted the HIPAA Security Rule requirement to encrypt ePHI. OCR claimed that M.D. Anderson violated this requirement because it adopted a policy to encrypt portable media, which was not implemented on the devices at issue. The Court, however, ruled that HIPAA only requires Covered Entities to implement a “mechanism” to encrypt data. Here, the Court found that M.D. Anderson had adopted a “mechanism” to encrypt (through its policy requiring such encryption) even if that “mechanism” was not perfectly implemented. In other words, the failure to fully implement the encryption policy did not itself violate the HIPAA encryption requirement.

(2) The HIPAA Privacy Rule Prohibition on Unauthorized Disclosures. The Court next held that the Privacy Rule prohibition on unauthorized “disclosures” is only violated when there is an affirmative act of disclosure, rather than a general loss of data. According to the Court, the mere “loss of control” of PHI (e.g., when a device is stolen), therefore, does not constitute an unauthorized “disclosure.” This position mirrors how California courts have interpreted similar provisions in the analogous state Confidentiality of Medical Information Act (“CMIA”). See, e.g., Sutter Health v. Superior Court, 174 Cal. Rptr. 3d 653 (Cal. 3d Dist. Ct. App. July 21, 2014).

CPW’s Elliot Golding, Kristin Bryan and Christina Lamoureux have prepared an overview of this must-read case and its implications here.

The Fifth Circuit Court of Appeals recently handed down a landmark decision criticizing and restricting how the Department of Health and Human Services Office for Civil Rights (OCR) interprets HIPAA and OCR’s penalty authority. OCR brought an enforcement action against the University of Texas M.D. Anderson Cancer Center (M.D. Anderson) stemming from three alleged data breaches and violations of various HIPAA requirements. OCR imposed a US$4,348,000 penalty, which M.D. Anderson appealed up to the Fifth Circuit. In rejecting the penalty, the Court criticized not only OCR’s interpretation of the HIPAA regulations generally but also OCR’s penalty calculation in this case. Our report on the decision prepared by Elliot Golding, Kristin Bryan and Christina Lamoureux is available here.

Last month California Governor Gavin Newsom signed AB 713 into law, which more closely aligns CCPA to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and other laws governing scientific research. Although these changes may help ease compliance challenges for the health care and life sciences industries, the changes only exempt from the CCPA certain types of data rather than exempt health companies entirely.

CCPA Amended to Address HIPAA Exemption, Deidentified Data Rules

The US Department of Health and Human Services’ Office for Civil Rights (“OCR”) recently announced a settlement with Georgia-based Athens Orthopedic Clinic PA (the “Clinic”) to resolve multiple alleged violations of the Privacy and Security Rules under the Health Insurance Portability and Accountability Act (“HIPAA”).

Under the terms of the settlement, the Clinic agreed to pay $1.5 million to OCR and to adopt a corrective action plan to settle potential violations of the Privacy and Security Rules under HIPAA. The Clinic provides orthopedic services to approximately 138,000 patients annually.

Orthopedic Clinic Settles with HHS OCR for $1.5 Million Over Claims of Systemic HIPAA Noncompliance

As explained in a recent post published on Squire Patton Boggs’ Anticorruption Blog, the DOJ is pursuing providers who submit false claims under the electronic health records initiative. This enforcement action should serve as a reminder to carefully examine attestations of EHR compliance, including the requirement to complete a HIPAA-required security risk assessment.

Overview of Recent Settlement Actions

Recent Health Insurance Portability and Accountability Act (“HIPAA”) enforcement settlements for Virtual Medical Group (“VMG”) in New Jersey and EmblemHealth in New York may signal a broader trend of increased state HIPAA enforcement. Under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act’s amendment to HIPAA, codified at 42 U.S.C. § 1320d-5(d), state attorneys general have authority to bring civil actions in federal district court to enforce HIPAA when the interests of state citizens have been affected. Although states also have authority to bring civil actions under state unfair and deceptive acts and practices (“UDAP”) laws, their additional authority under HIPAA provides an independent vehicle to enforce data privacy and cybersecurity practices. This increased enforcement trend provides yet another reason that health care entities subject to HIPAA need to confirm they have taken the steps necessary to achieve HIPAA compliance.

States Increase HIPAA Enforcement

The HHS Office for Civil Rights announced earlier this month that a court-appointed receiver for the Illinois moving and storage company Filefax has entered into a resolution agreement and corrective action plan to settle alleged violations of the HIPAA Privacy and Security Rules. The receiver for Filefax, which went out of business during OCR’s investigation, has agreed to pay $100,000 for alleged mishandling and improper disclosure of medical records containing protected health information for approximately 2,150 patients. OCR Director Roger Severino has pointed to the settlement agreement as a reminder to companies that HIPAA still applies regardless of whether a covered entity is opening or closing its doors. For more information, please see our Triage Health Law blog post.