Summary

On December 27, 2024, the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) published its Notice of Proposed Rulemaking (“NPRM”) titled HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information. HHS seeks comments on proposed modifications to the Security Standards for the Protection of Electronic Protected Health Information comprising 45 C.F.R. Parts 160 and 164, Subpart C, commonly known as the “Security Rule”, to address modern breach and cybersecurity risks to electronic protected health information (“ePHI”)[1] and common deficiencies observed by HHS in Security Rule compliance investigations, and to incorporate current industry best practices[2] and court decisions affecting enforcement of the Security Rule[3].[4] As summarized below, the proposed modifications signal HHS’s commitment to aligning the Security Rule requirements with current cybersecurity standards and addressing areas of non-compliance with more prescriptive measures to enhance ePHI security in the face of evolving cyber threats and technological advancements. HHS invites interested parties to submit comments by March 7, 2025.

Continue Reading HHS Publishes Notice of Proposed Rulemaking to Amend HIPAA Security Rule Requirements – Comments Due March 7, 2025

CPW has previously covered the proliferation of data breaches, including in the healthcare context. In a dramatic rebuttal of how the Department of Health and Human Services Office of Civil Rights (“OCR”) has historically enforced HIPAA, the Fifth Circuit Court of Appeals recently handed down a landmark decision vacating a multimillion-dollar penalty that had been assessed against a healthcare provider. The case concerned three alleged data breaches and violations of various HIPAA requirements involving the University of Texas M.D. Anderson Cancer Center (“M.D. Anderson”). Following an OCR enforcement action, OCR imposed a US$4,348,000 penalty, which M.D. Anderson appealed up to the Fifth Circuit. In rejecting the penalty, the Court criticized not only OCR’s interpretation of the HIPAA regulations generally but also OCR’s penalty calculation in this case.

(1) The HIPAA Security Rule Encryption Requirement. The Court first interpreted the HIPAA Security Rule requirement to encrypt ePHI. OCR claimed that M.D. Anderson violated this requirement because it adopted a policy to encrypt portable media, which was not implemented on the devices at issue. The Court, however, ruled that HIPAA only requires Covered Entities to implement a “mechanism” to encrypt data. Here, the Court found that M.D. Anderson had adopted a “mechanism” to encrypt (through its policy requiring such encryption) even if that “mechanism” was not perfectly implemented. In other words, the failure to fully implement the encryption policy did not itself violate the HIPAA encryption requirement.

(2) The HIPAA Privacy Rule Prohibition on Unauthorized Disclosures. The Court next held that the Privacy Rule prohibition on unauthorized “disclosures” is only violated when there is an affirmative act of disclosure, rather than a general loss of data. According to the Court, the mere “loss of control” of PHI (e.g., when a device is stolen), therefore, does not constitute an unauthorized “disclosure.” This position mirrors how California courts have interpreted similar provisions in the analogous state Confidentiality of Medical Information Act (“CMIA”). See, e.g., Sutter Health v. Superior Court, 174 Cal. Rptr. 3d 653 (Cal. 3d Dist. Ct. App. July 21, 2014).

CPW’s Elliot Golding, Kristin Bryan and Christina Lamoureux have prepared an overview of this must-read case and its implications here.

Last month California Governor Gavin Newsom signed AB 713 into law, which aligns the CCPA more closely with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and other laws governing scientific research. Although these changes may help ease compliance challenges for the health care and life sciences industries, they only exempt certain types of data from the CCPA rather than exempting health companies entirely.

Continue Reading CCPA Amended to Address HIPAA Exemption, Deidentified Data Rules

The US Department of Health and Human Services’ Office for Civil Rights (“OCR”) recently announced a settlement with Georgia-based Athens Orthopedic Clinic PA (the “Clinic”) to resolve multiple alleged violations of the Privacy and Security Rules under the Health Insurance Portability and Accountability Act (“HIPAA”).

Under the terms of the settlement, the Clinic agreed to pay $1.5 million to OCR and to adopt a corrective action plan to settle potential violations of the Privacy and Security Rules under HIPAA. The Clinic provides orthopedic services to approximately 138,000 patients annually.

Continue Reading Orthopedic Clinic Settles with HHS OCR for $1.5 Million Over Claims of Systemic HIPAA Noncompliance

As explained in a recent post published on Squire Patton Boggs’ Anticorruption Blog, the DOJ is pursuing providers who submit false claims under the electronic health records initiative. This enforcement action should serve as a reminder to examine carefully attestations of EHR compliance, including the requirement to complete a HIPAA-required security risk assessment.

Overview of Recent Settlement Actions

Recent Health Insurance Portability and Accountability Act (“HIPAA”) enforcement settlements for Virtual Medical Group (“VMG”) in New Jersey and EmblemHealth in New York may signal a broader trend of increased state HIPAA enforcement. Under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act’s amendment to HIPAA, codified at 42 U.S.C. § 1320d-5(d), state attorneys general have authority to bring civil actions in federal district court to enforce HIPAA when the interests of state citizens have been affected. Although states also have authority to bring civil actions under state unfair and deceptive acts and practices (“UDAP”) laws, their additional authority under HIPAA provides an independent vehicle to enforce data privacy and cybersecurity practices. This increased enforcement trend provides yet another reason for health care entities subject to HIPAA to ensure they have taken the steps needed for HIPAA compliance.

Continue Reading States Increase HIPAA Enforcement

The HHS Office of Civil Rights announced earlier this month that a court-appointed receiver for Illinois moving and storage company Filefax has entered into a resolution agreement and corrective action plan to settle alleged violations of the HIPAA Privacy and Security Rules. The receiver for Filefax, which went out of business during OCR’s investigation, has agreed to pay $100,000 for alleged mishandling and improper disclosure of medical records containing protected health information for approximately 2,150 patients. OCR Director Roger Severino has pointed to the settlement agreement as a reminder to companies that HIPAA still applies regardless of whether a covered entity is opening or closing its doors. For more information, please see our Triage Health Law blog post.

Last month, the Department of Health and Human Services Office for Civil Rights (“OCR”) issued two helpful new HIPAA guidance documents regarding research uses and disclosures of PHI, fulfilling a mandate in the 21st Century Cures Act (Public Law 114-255) (the “Act”). Although the documents merely reaffirm prior guidance in many places, they also contain helpful new information and collect prior guidance spread across numerous places into a single location. The first document focuses on research authorizations and revocations:

Continue Reading HHS Office for Civil Rights Issues Updated HIPAA and Research Guidance in Response to 21st Century Cures Act Mandate

The 2025 legislative cycle marked a pivotal year in US privacy law, defined not only by continued nationwide expansion into Artificial Intelligence (AI) governance, children’s and teen privacy and online safety, as well as emerging data categories, but by a major restructuring of California’s privacy enforcement infrastructure. California’s introduction of the Delete Request and Opt-out Platform (DROP) system, the nation’s first centralized, statewide platform for managing consumer deletion requests; combined with sweeping reforms to the Consumer Privacy Fund, will materially increase CalPrivacy and attorney general enforcement capacity on a recurring, self-replenishing basis. These developments accompany completion of a far-reaching rulemaking package that imposes detailed obligations for Data Protection Impact Assessments (DPIAs or risk assessments), cybersecurity governance and Automated Decision-Making Technology (ADMT). At the same time, states beyond California have enacted targeted statutory reforms addressing neurotechnology, data-broker practices and minors’ online safety, underscoring that – absent federal preemption – state-driven models will continue to shape the national privacy compliance landscape in 2026. By January 2026, there will be 20 state consumer privacy laws in effect, several with unique material obligations. We detail what enterprises need to be prepared for in 2026 and explain why we believe next year will be a watershed period for consumer privacy in the US.

Continue Reading 2025 State Privacy Roundup: Key Trends and California Developments to Watch in 2026

In early October, a federal court in the Northern District of Illinois refused to dismiss a privacy litigation brought against a healthcare website operator for claims under the Electronic Communications Privacy Act (ECPA). The court held that the plaintiff plausibly alleged that the defendant violated the Health Insurance Portability and Accountability Act (HIPAA) by revealing to a third party that she clicked on the login button to the healthcare provider’s patient portal, and, as a result, disclosed her individually identifiable healthcare information—even though no third-party data collection tools were installed on the patient portal itself. Hartley v. Univ. of Chi. Med. Ctr., Case No. 22-cv-5891, 2025 WL 2802317 (N.D. Ill. Oct. 1, 2025). However, at the same time, the court dismissed certain claims arising out of the plaintiff’s use of a “find-a-physician feature,” rejecting the full scope of the plaintiff’s theories. On balance, this decision unfortunately broadens the scope of potential liability under the ECPA and will likely result in ECPA suits being brought against website operators in the healthcare sector.

Continue Reading Federal Court Holds That Button-Click Data From Public Website Can Disclose Patient Status in Violation of the ECPA