§ 160.101 Statutory basis and purpose.
The requirements of this subchapter implement sections 1171–1180 of the Social Security Act (the Act), sections 262 and 264 of Public Law 104–191, section 105 of Public Law 110–233,...
On August 29, 2024, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) withdrew its appeal of the US District Court for the Northern District of Texas’s June 20, 2024, decision in American...
9/4/2024 / American Hospital Association, American Hospital Association et al v Becerra Secretary Of Health And Human Services et al, Appeals, Cookies, Department of Health and Human Services (HHS), Health Insurance Portability and Accountability Act (HIPAA), HIPAA Privacy Rule, HIPAA Security Rule, OCR, Technology Sector, Tracking Systems, Web Tracking, Websites
On August 19, 2024, the US Department of Health and Human Services Office for Civil Rights (OCR) filed a notice of appeal of the US District Court for the Northern District of Texas’s June 20, 2024, decision in American...
8/28/2024 / American Hospital Association, American Hospital Association et al v Becerra Secretary Of Health And Human Services et al, Appeals, Cookies, Department of Health and Human Services (HHS), Health Insurance Portability and Accountability Act (HIPAA), HIPAA Privacy Rule, HIPAA Security Rule, OCR, Technology Sector, Tracking Systems, Web Tracking, Websites
In a consequential decision for Health Insurance Portability and Accountability Act (HIPAA)-regulated entities, on June 20, 2024, the US District Court for the Northern District of Texas ruled in American Hospital Association...
On April 26, 2024, the Federal Trade Commission (FTC) issued a final rule to amend its Health Breach Notification Rule (HBN Rule). The HBN Rule works as a complement and counterpart to the breach notification requirements...
5/29/2024 / American Recovery and Reinvestment Act, Breach Notification Rule, Electronic Health Record Incentives, Federal Trade Commission (FTC), Final Rules, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, Mobile Apps, Notification Requirements, PHI, Popular
On February 8, 2024, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and Substance Abuse and Mental Health Services Administration (SAMHSA) jointly issued a final rule to amend the...
On March 18, 2024, the US Department of Health and Human Services Office for Civil Rights (OCR) issued an update to its December 1, 2022, bulletin titled “Use of Online Tracking Technologies by HIPAA Covered Entities and...
3/22/2024 / Business Associates, Covered Entities, Department of Health and Human Services (HHS), Enforcement, Enforcement Priorities, Guidance Update, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), HIPAA Privacy Rule, OCR, PHI, Tracking Systems, Web Tracking, Websites
The Change Healthcare ransomware attack presents potentially significant ramifications for hospitals, health systems, pharmacies and others that rely on the organization’s tools for healthcare payment, revenue cycle...
The Federal Trade Commission (FTC), at its May 18, 2023, open Commission meeting, voted unanimously to issue a Notice of Proposed Rulemaking to amend the Health Breach Notification Rule (HBNR). The FTC’s proposed amendment...
6/12/2023 / American Recovery and Reinvestment Act, Breach Notification Rule, Comment Period, Digital Health, Federal Trade Commission (FTC), Health Insurance Portability and Accountability Act (HIPAA), HIPAA Breach Notification Rule, Medical Records, Mobile Apps, Proposed Amendments, Security Breach, Technology Sector
In a Notice of Proposed Rulemaking published December 2, 2022 (the Proposed Rule), the United States Department of Health and Human Services (HHS) proposed long-awaited changes to the regulations protecting the...
On December 1, 2022, the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) issued a Bulletin on the obligations of covered entities and business associates (regulated entities) under the...
12/6/2022 / Data Privacy, Department of Health and Human Services (HHS), Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), HIPAA Privacy Rule, Mobile Apps, New Guidance, OCR, Personally Identifiable Information, PHI, Tracking Systems, Web Tracking
On September 15, 2021, the Federal Trade Commission (FTC) voted 3–2 along party lines (with Republican commissioners dissenting) to issue a policy statement announcing an expansive interpretation of the FTC’s Health Breach...
9/21/2021 / Breach Notification Rule, Cybersecurity, Data Privacy, Data Security, Digital Health, Enforcement, Federal Trade Commission (FTC), Health Insurance Portability and Accountability Act (HIPAA), Mobile Health Apps, Personally Identifiable Information, PHI
On December 10, 2020, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking (NPRM) with proposed modifications to the Standards for the Privacy of...
12/18/2020 / Department of Health and Human Services (HHS), Disclosure, Electronic Protected Health Information (ePHI), Health Insurance Portability and Accountability Act (HIPAA), Healthcare, HIPAA Access Request, HIPAA Privacy Rule, Information Requests, Medicare, NPRM, OCR, Third-Party
As the federal government, state governments, businesses and other entities continue their response efforts related to the COVID-19 pandemic, the privacy and security of consumers’ personal health information remains a top...
5/31/2020 / Consent, Consumer Privacy Rights, Contact Tracing, Coronavirus/COVID-19, Data Collection, Data Security, Disclosure Requirements, Enforcement Actions, Federal Trade Commission (FTC), Geolocation, Health Information Technologies, Health Insurance Portability and Accountability Act (HIPAA), Opt-In, Opt-Outs, Personally Identifiable Information, Reporting Requirements, State and Local Government
On April 2, 2020, the US Department of Health and Human Services, Office for Civil Rights announced that it will not impose civil money penalties against covered entity health care providers or their business associates for a...
Throughout the past year, the healthcare and life science industries experienced a proliferation of digital health innovation that challenged traditional notions of healthcare delivery and payment, as well as product...
1/29/2020 / Anti-Kickback Statute, Biometric Information, California Consumer Privacy Act (CCPA), Department of Justice (DOJ), Digital Health, Electronic Medical Records, Electronic Protected Health Information (ePHI), Enforcement, Food and Drug Administration (FDA), Fraud and Abuse, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Life Sciences, Regulatory Standards, Stark Law, Telemedicine
Recent months have seen a wave of ransomware attacks in the US healthcare industry, many involving a sophisticated strain of malware called Ryuk. To protect themselves, healthcare providers should review OCR’s recent guidance...
12/12/2019 / Criminal Investigations, Cyber Attacks, Cybersecurity, Electronic Protected Health Information (ePHI), FBI, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), New Guidance, OCR, Patient Privacy Rights, Popular, Ransomware, US-CERT
There are myriad opportunities for hospitals and health systems (HHSs) to engage in data-focused collaborations with other stakeholders in the healthcare industry. These collaborations include, to an increasing extent,...
10/4/2019 / Data Breach, Data Collection, Data Protection, Department of Health and Human Services (HHS), Digital Health, Health Insurance Portability and Accountability Act (HIPAA), Healthcare, Investors, Joint Venture, Patient Privacy Rights, Personally Identifiable Information, Private Equity, Risk Assessment
In this second installment of the Healthcare Enforcement Quarterly Roundup for 2019, we cover several topics that have persisted over the past few years and identify new issues that will shape the scope of enforcement efforts...
8/16/2019 / Acquisitions, Centers for Medicare & Medicaid Services (CMS), DEA, Department of Health and Human Services (HHS), Department of Justice (DOJ), Enforcement Actions, False Claims Act (FCA), Fraud and Abuse, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Healthcare Fraud, Home Health Agencies, Mergers, New Guidance, New Rules, OCR, OIG, Opioid, Pharmaceutical Industry
On April 26, 2019, the US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) issued a Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties (the Notice) to inform the public...
5/10/2019 / Civil Monetary Penalty, Covered Entities, Department of Health and Human Services (HHS), Eighth Amendment, Electronic Protected Health Information (ePHI), Enforcement Actions, Health Insurance Portability and Accountability Act (HIPAA), HIPAA Breach, HITECH Act, OCR, Regulatory Agenda, Settlement Negotiations
The US Department of Health and Human Services, Office for Civil Rights (OCR) published a long-awaited Request for Information seeking feedback on whether and how the HIPAA Rules should be revised to better promote...
Lack of a sufficient risk analysis continues to be one of the most commonly alleged violations in Office for Civil Rights (OCR) HIPAA enforcement actions, appearing in half of all OCR settlements announced in the last 12...
The US Department of Health and Human Services Office for Civil Rights recently posted guidance clarifying that a business associate such as an information technology vendor generally may not block or terminate access by a...
10/27/2016 / Anti-Kickback Statute, Business Associates, Corporate Counsel, Covered Entities, Data Blocking, Department of Health and Human Services (HHS), EHR, Health Information Technologies, Health Insurance Portability and Accountability Act (HIPAA), OCR, OIG, PHI, Privacy Rule, Vendors
On September 29, 2015, the U.S. Department of Health & Human Services Office of the Inspector General (OIG), Office of Evaluation and Inspections, released two studies calling on the HHS Office for Civil Rights (OCR) to...
Health Insurance Portability and Accountability Act of 1996 (HIPAA) covered entities have reported that the U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently sent pre-audit screening surveys...
5/18/2015 / Audits, Breach Notification Rule, Business Associates, Covered Entities, De-Identified Protected Health Information, Electronic Medical Records, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Medical Records, OCR, PHI