On March 21, 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a settlement of HIPAA security rule claims involving Health Fitness Corporation (Health Fitness). Health Fitness...
The Department of Health and Human Services (HHS) has proposed significant modifications to the HIPAA Security Rule and the HITECH Act in an attempt to strengthen cybersecurity protections for electronic protected health...
12/30/2024 / Business Associates, Comment Period, Covered Entities, Cybersecurity, Department of Health and Human Services (HHS), Electronic Protected Health Information (ePHI), Health Insurance Portability and Accountability Act (HIPAA), HIPAA Security Rule, HITECH Act, NPRM, OCR, Popular, Privacy Laws, Proposed Rules, Regulatory Requirements, Rulemaking Process
The FTC has updated its HBNR to clarify that the rule also restricts marketing practices involving personal health information. This update to the HBNR was announced on April 26, 2024, and follows several recent enforcement...
4/29/2024 / Breach Notification Rule, Data Breach, Data Privacy, Data Protection, Digital Health, Federal Trade Commission (FTC), Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, PHI, Regulatory Agenda, Regulatory Reform, Technology
I was pleased to take part in the “Transforming Care – Strategies for Integration of Artificial Intelligence in Healthcare” discussion, hosted by the New England Healthcare Executive Network at Foley Hoag on April 1. The...
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) have released version 3.4 of their Security Risk Assessment...
The Notifications of Enforcement Discretion issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act during the...
5/15/2023 / Coronavirus/COVID-19, Department of Health and Human Services (HHS), Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, HITECH Act, New Guidance, OCR, PHI, Public Health Emergency, Telehealth, Telemedicine
Like many regulatory standards, enforcement of HIPAA was relaxed as part of the COVID-19 pandemic response. With the end of the public health emergency declaration on May 11, 2023, the broad relaxed HIPAA enforcement also...
On December 1, 2022, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services issued a bulletin to highlight the obligations of Health Insurance Portability and Accountability Act of 1996 (HIPAA)...
Every October, in recognition of National Cybersecurity Awareness Month, the federal government and its partners work to educate stakeholders on cybersecurity awareness and how best to protect the privacy and security of...
10/26/2022 / Cyber Incident Reporting, Cybersecurity, Data Privacy, Data Security, Enforcement, Health Information Technologies, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, HIPAA Security Rule, Incident Response Plans, Personally Identifiable Information
On September 30, 2021, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) issued guidance to help the public understand when the Health Insurance Portability and Accountability Act of 1996...
10/4/2021 / Americans with Disabilities Act (ADA), Coronavirus/COVID-19, Department of Health and Human Services (HHS), Health Insurance Portability and Accountability Act (HIPAA), HIPAA Privacy Rule, Mine Safety and Health Administration (MSHA), New Guidance, OCR, OSHA, PHI, Privacy Rule, Vaccinations, Workplace Safety
Nearly 20 years to the day after the first HIPAA privacy regulations were announced, HHS has posted proposed revisions to HIPAA, evidence that even after twenty years, HIPAA privacy remains a work in progress. These proposed...
Halloween or HIPAA: Which is Scarier?
HIPAA and the Pandemic -
Telehealth:
- On Friday, March 20, 2020, OCR announced it will “exercise its enforcement discretion and will not impose penalties for noncompliance with...
10/29/2020 / Breach Notification Rule, California Consumer Privacy Act (CCPA), Centers for Medicare & Medicaid Services (CMS), Coronavirus/COVID-19, Disclosure, First Responders, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), HIPAA Privacy Rule, Hospitals, New Guidance, Notification Requirements, OCR, Patient Access, Patients, PHI, SAMHSA, Telehealth, Virus Testing
With apologies to John Donne, ask not for whom the bell tolls, HIPAA business associates, it tolls for thee! While it has been the law for some time that business associates could be held directly liable for breaches,...
9/28/2020 / Cyber Attacks, Cybersecurity, Data Breach, Electronic Medical Records, Health Insurance Portability and Accountability Act (HIPAA), HIPAA Breach, HIPAA Security Rule, OCR, Personally Identifiable Information, PHI, Settlement Agreements
On March 24, 2020, the Office for Civil Rights (OCR) at the Department of Health and Human Services issued guidance on how HIPAA covered entities may disclose protected health information (PHI) about an individual who has...
On Friday, March 20, 2020, the Department of Health and Human Services Office for Civil Rights (“OCR”) announced it will “exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory...
The coronavirus and Covid-19 are impacting everything and everyone, and certainly health information privacy. Here is a useful summary of health information issues to be mindful of from HHS OCR on HIPAA privacy and the...
Physicians Talking With Their Domestic Partners About Patients -
- Health care institutions often require that physicians and medical students click through annual online modules or attend lectures about HIPAA.
- But...
11/4/2019 / California Consumer Privacy Act (CCPA), Centers for Medicare & Medicaid Services (CMS), Cybersecurity, Data Collection, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), HIPAA Privacy Rule, New Rules, Patient Privacy Rights, PHI, SAMHSA
Yesterday, in the first settlement of its kind, the Office for Civil Rights at the U.S. Department of Health and Human Services (“OCR”) announced that Bayfront Health St. Petersburg (“Bayfront”) has paid $85,000 to OCR and...
In a Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties issued on April 23, 2019, the Department of Health and Human Services (HHS) exercised “its discretion in how it applies HHS regulations...
In 2018, privacy and data security crossed a number of thresholds. In the public mind, through high-profile data breaches and revelations about unexpected uses of personal information, questions of privacy became much more...
4/26/2019 / Attorney General, California Consumer Privacy Act (CCPA), Consumer Privacy Rights, COPPA, Cryptocurrency, Cybersecurity, Data Privacy, Data Protection, Energy Sector, Enforcement Actions, FCC, FERC, General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), HIPAA Privacy Rule, Political Advertising, Popular, Privacy Concerns, Securities and Exchange Commission (SEC)
"Open the pod door, HAL"
• Commercial voice-activated intelligent personal assistants from Amazon, Apple, Google, and Microsoft, among others, are growing in popularity.
• A report from NPR and Edison Research states...
2/28/2019 / Confidential Communications, Connected Items, Cybersecurity, Data Collection, Data Privacy, Data Protection, Data Security, Electronic Medical Records, Electronic Protected Health Information (ePHI), Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Hospitals, Mobile Apps, Oral Communications, Patient Privacy Rights, Personal Assistants, Physicians, Privacy Concerns, Security Rule, Smart Devices, Technology Sector, Telecommunications
Editors’ Note: This is the seventh and last in our third annual series examining important trends in data privacy and cybersecurity during the new year. Our previous entries were on political advertising, cryptocurrency,...
The concept that one is known by the company one keeps dates back to ancient times (the particular phrase is attributed to both Aesop and the Book of Proverbs). But this simple aphorism continues to be true. A recent example...
Allergy Associates of Hartford, P.C. (“Allergy Associates”), has agreed to pay $125,000 to the Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services (“HHS”) and to adopt a corrective action plan...
20+ Years Post HIPAA ROI Still a Problem –
..Among the 83 top-ranked US hospitals representing 29 states, there was discordance between information provided on authorization forms and that obtained from the simulated...