As anticipated, a Texas federal district court has vacated the HIPAA Reproductive Health Rule (the “Rule”) nationwide. (Memorandum Opinion and Order, Purl v. HHS, 2:24-CV-228-Z (N. Dist. Tex (Jun. 18, 2025), available here)....more
The HIPAA Privacy and Security Rules require covered entities (including healthcare providers and health plans) and their business associates to protect patient information stored or transmitted electronically, including...more
Law enforcement officers often request or demand that Idaho hospitals draw blood or conduct other tests on patients for law enforcement purposes; nevertheless, the general rule remains that patients (including persons in...more
3/6/2025
/ Compliance ,
Consent ,
Criminal Prosecution ,
Data Privacy ,
DUI ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Healthcare ,
Hospitals ,
Patient Privacy Rights ,
PHI
Healthcare providers must comply with the new HIPAA Reproductive Health Rule (the “Rule”) by December 23, 2024. Here is what you need to know and do before then.
Overview. In the wake of Dobbs v. Jackson Women’s Health...more
Idaho’s new parental consent law took effect July 1, 2024. Under the new law:
“[A]n individual shall not furnish a health care service or solicit to furnish a health care service to a minor child without obtaining the...more
On June 20, 2024, a Texas federal court vacated the Office for Civil Rights’ (OCR's) controversial guidance concerning Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates, available here....more
The HIPAA Privacy, Security, and Breach Notification Rules apply to healthcare providers who engage in certain electronic transactions, healthcare clearinghouses, and health plans, including employee group health plans with...more
5/30/2024
/ Affirmative Defenses ,
Breach Notification Rule ,
Cause of Action Accrual ,
Civil Monetary Penalty ,
Covered Entities ,
Department of Health and Human Services (HHS) ,
Disclosure Requirements ,
Employee Training ,
Federal Trade Commission (FTC) ,
FTC Act ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
HIPAA Breach ,
HIPAA Privacy Rule ,
HIPAA Security Rule ,
OCR ,
Penalties ,
PHI ,
Popular
On May 6, 2024, the Department of Health and Human Services (HHS) published its final rule revamping the non-discrimination regulations issued under § 1557 of the Affordable Care Act. The revised rules apply to all...more
5/22/2024
/ Affordable Care Act ,
Americans with Disabilities Act (ADA) ,
Civil Rights Act ,
Compliance ,
Department of Health and Human Services (HHS) ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Healthcare ,
Non-Discrimination Rules ,
Notice Requirements ,
OCR ,
Policies and Procedures ,
Popular ,
Telehealth ,
Title VI
As discussed in our prior health law update, New Limits on Minor Consents in Idaho, effective July 1, 2024, parents generally will have the right to access the medical records of their unemancipated minor children subject to...more
4/30/2024
/ Consent ,
Covered Entities ,
Department of Health and Human Services (HHS) ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
HIPAA Privacy Rule ,
Medical Records ,
Minor Children ,
Parental Rights ,
PHI ,
Preemption
By Kim Stanger Note: This health law update originally was published on April 9, 2024. It was updated April 26, 2024, to reflect additional information. Effective July 1, 2024, Idaho healthcare providers must obtain parental...more
HIPAA applies to both covered entities (e.g., healthcare providers and health plans) and their business associates. A “business associate” is generally a person or entity that “creates, receives, maintains or transmits”...more
10/25/2023
/ Business Associates ,
Business Associates Agreement (BAA) ,
Covered Entities ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
HIPAA Security Rule ,
OCR ,
Patient Confidentiality Breaches ,
PHI ,
Security Risk Assessments ,
Software ,
Subcontractors
The HIPAA privacy rules (45 CFR § 164.501 et seq.) generally prohibit healthcare providers and their business associates from disclosing protected health information in response to subpoenas and other government demands...more
9/18/2023
/ Confidentiality Agreements ,
Disclosure Requirements ,
Grand Juries ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Jurisdiction ,
Law Enforcement ,
Noncompliance ,
PHI ,
Protective Orders ,
Public Health ,
Subpoenas ,
Warrants ,
Workers’ Compensation
It’s that time of year when many healthcare providers offer free or discounted sports or student physicals as a community service or marketing ploy. If you participate in such programs, make sure you consider the legal...more
After three years, the federal public health emergency (PHE) will expire May 11, 2023. Most of the relaxed regulatory and payor standards will end on or within a few months after the deadline, including many relating to: ...more
3/21/2023
/ Anti-Kickback Statute ,
Civil Monetary Penalty ,
Consolidated Appropriations Act (CAA) ,
Coronavirus/COVID-19 ,
DEA ,
Department of Health and Human Services (HHS) ,
EMTALA ,
Expiration Date ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Medicines and Healthcare Products Regulatory Agency (MHRA) ,
Public Health Emergency ,
Public Readiness and Emergency Preparedness Act (PREP Act) ,
Ryan Haight Act ,
Stark Law ,
Telehealth ,
Virus Testing
HHS has issued helpful FAQs that answer common questions concerning the No Surprise Billing Rules and self-pay patients, available here. The FAQs confirm the following:
Providers and facilities are not required to...more
Given the COVID-19 vaccine mandates, employers—including healthcare entities—will need to confirm their employees’ vaccination status. Employers and healthcare providers must ensure they comply with privacy rules relating to...more
9/24/2021
/ Americans with Disabilities Act (ADA) ,
Coronavirus/COVID-19 ,
Disclosure Requirements ,
Employer Mandates ,
Equal Employment Opportunity Commission (EEOC) ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
OCR ,
PHI ,
Vaccinations ,
Virus Testing
The HIPAA privacy and security rules impose significant requirements on covered entities and their business associates; violations may result in penalties ranging from $119 to $59,522 per violation. (45 CFR § 160.404; 45 CFR...more
With limited exceptions, HIPAA generally gives individuals the right to access or obtain copies of their protected health information ("PHI") from covered entities. (45 CFR § 164.524(a)). But the right of access does not...more
The OCR has announced a surprising number of HIPAA settlements in the past few months with penalties ranging from $10,000 to $6.5 million. Here are some of the key takeaways for healthcare providers:
1. Protect against...more
10/27/2020
/ Centers for Medicare & Medicaid Services (CMS) ,
Cyber Attacks ,
Data Breach ,
Data Protection ,
Department of Health and Human Services (HHS) ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
OCR ,
Personal Information ,
Phishing Scams ,
Settlement
Healthcare providers focusing on COVID-19 may have missed the final Interoperability and Information Blocking Rule that was published May 1, 2020 and takes effect November 3, 2020. (45 C.F.R. Part 171). The Rule implements...more
8/27/2020
/ 21st Century Cures Act ,
Coronavirus/COVID-19 ,
Data Collection ,
Data Privacy ,
Department of Health and Human Services (HHS) ,
Final Rules ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
HIPAA Privacy Rule ,
HIPAA Violations ,
Information Blocking Rules ,
OIG
Federal Action. To promote the use of telehealth in response to Coronavirus, the federal government took several significant steps this week:
- Medicare dramatically expanded the telehealth services for which it will pay.
...more
In an era of decreasing reimbursement and rapidly expanding opportunities associated with “big data”, healthcare entities may be looking for ways to monetize protected health information (“PHI”) for their own, non-patient...more
2/20/2020
/ Business Associates ,
Business Associates Agreement (BAA) ,
Consent ,
Consumer Privacy Rights ,
Covered Entities ,
Data Collection ,
Data Privacy ,
Data Sellers ,
Data Use Policies ,
De-Identified Protected Health Information ,
Department of Health and Human Services (HHS) ,
Disclosure Requirements ,
Electronic Protected Health Information (ePHI) ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
HIPAA Privacy Rule ,
Information Sharing ,
Medical Records ,
Notice Requirements ,
OCR ,
PHI ,
Privacy Policy
Thanks to a federal judge, the Office for Civil Rights has modified its rules for sending records to third parties. Covered entities are no longer required by HIPAA to send non-electronic protected health information (“PHI”)...more
2/10/2020
/ Business Associates ,
Covered Entities ,
Data Protection ,
Data Transfers ,
Department of Health and Human Services (HHS) ,
Electronic Protected Health Information (ePHI) ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
HIPAA Omnibus Rule ,
HITECH Act ,
Medical Records ,
OCR ,
Patient Privacy Rights ,
PHI ,
Records Request ,
Right of Access
The HIPAA privacy rules give special protection to “psychotherapy notes,” but providers often misunderstand what are and are not covered and how they differ from other mental health records.
I. “Psychotherapy Notes”...more
1/29/2020
/ Department of Health and Human Services (HHS) ,
Electronic Protected Health Information (ePHI) ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Healthcare Facilities ,
HIPAA Privacy Rule ,
Medical Records ,
Mental Health ,
NPRM ,
OCR ,
Professional Disciplinary Actions
This week, the Office for Civil Rights (“OCR”) announced a $3,000,000 HIPAA settlement arising from a medical center’s loss of an unencrypted laptop and flash drive. This is simply the latest of many HIPAA settlements based...more
11/8/2019
/ Business Associates ,
Covered Entities ,
Department of Health and Human Services (HHS) ,
Electronic Protected Health Information (ePHI) ,
Encryption ,
Enforcement Actions ,
Health Insurance Portability and Accountability Act (HIPAA) ,
HIPAA Breach Notification Rule ,
HIPAA Security Rule ,
HITECH Act ,
Laptop Computers ,
Mobile Devices ,
OCR ,
Penalties ,
Settlement