The HIPAA Privacy, Security, and Breach Notification Rules apply to healthcare providers who engage in certain electronic transactions, healthcare clearinghouses, and health plans, including employee group health plans with...more
5/30/2024 / Affirmative Defenses, Breach Notification Rule, Cause of Action Accrual, Civil Monetary Penalty, Covered Entities, Department of Health and Human Services (HHS), Disclosure Requirements, Employee Training, Federal Trade Commission (FTC), FTC Act, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), HIPAA Breach, HIPAA Privacy Rule, HIPAA Security Rule, OCR, Penalties, PHI, Popular
As discussed in our prior health law update, New Limits on Minor Consents in Idaho, effective July 1, 2024, parents generally will have the right to access the medical records of their unemancipated minor children subject to...more
4/30/2024 / Consent, Covered Entities, Department of Health and Human Services (HHS), Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), HIPAA Privacy Rule, Medical Records, Minor Children, Parental Rights, PHI, Preemption
The HIPAA Privacy and Security Rules generally require covered entities (including most healthcare providers) to execute written agreements (“business associate agreements” or “BAAs”) with their business associates before...more
10/20/2023 / Business Associates, Business Associates Agreement (BAA), Civil Monetary Penalty, Covered Entities, Data Breach, Disclosure Requirements, Electronic Protected Health Information (ePHI), Federal Trade Commission (FTC), Health Care Providers, HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Violations, OCR, Penalties, PHI, Settlement, Subcontractors, Termination, Written Agreements
The HIPAA privacy rules allow healthcare providers to disclose protected health information to the extent another state or federal law or regulation requires it:
A covered entity may use or disclose protected health...more
With limited exceptions, HIPAA generally gives individuals the right to access or obtain copies of their protected health information ("PHI") from covered entities. (45 CFR § 164.524(a)). But the right of access does not...more
Healthcare providers focusing on COVID-19 may have missed the final Interoperability and Information Blocking Rule that was published May 1, 2020 and takes effect November 3, 2020. (45 C.F.R. Part 171). The Rule implements...more
8/27/2020 / 21st Century Cures Act, Coronavirus/COVID-19, Data Collection, Data Privacy, Department of Health and Human Services (HHS), Final Rules, Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), HIPAA Privacy Rule, HIPAA Violations, Information Blocking Rules, OIG
In an era of decreasing reimbursement and rapidly expanding opportunities associated with “big data”, healthcare entities may be looking for ways to monetize protected health information (“PHI”) for their own, non-patient...more
2/20/2020 / Business Associates, Business Associates Agreement (BAA), Consent, Consumer Privacy Rights, Covered Entities, Data Collection, Data Privacy, Data Sellers, Data Use Policies, De-Identified Protected Health Information, Department of Health and Human Services (HHS), Disclosure Requirements, Electronic Protected Health Information (ePHI), Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), HIPAA Privacy Rule, Information Sharing, Medical Records, Notice Requirements, OCR, PHI, Privacy Policy
The HIPAA privacy rules give special protection to “psychotherapy notes,” but providers often misunderstand what are and are not covered and how they differ from other mental health records.
I. “Psychotherapy Notes”...more
1/29/2020 / Department of Health and Human Services (HHS), Electronic Protected Health Information (ePHI), Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), Healthcare Facilities, HIPAA Privacy Rule, Medical Records, Mental Health, NPRM, OCR, Professional Disciplinary Actions
Healthcare providers sometimes mistakenly assume that they cannot contact a patient’s spouse, parents, or other third parties to obtain payment without the patient’s consent. However, HIPAA generally allows healthcare...more
Business associates may want to use a covered entity’s protected health information (“PHI”) for the business associates’ own purposes, e.g., for their own product development, data aggregation, marketing, etc. However, with...more
9/6/2019 / Business Associates, Covered Entities, Cybersecurity, Data Protection, Department of Health and Human Services (HHS), Electronic Protected Health Information (ePHI), Health Care Providers, Health Insurance Portability and Accountability Act (HIPAA), HIPAA Privacy Rule, OCR, PHI
Question: May I share records with another healthcare provider without the patient’s authorization?
Answer: It depends on the purpose. If the disclosure is for purposes of the patient’s treatment, including continuation of...more
So you just discovered that protected health information (“PHI”) from your organization was improperly accessed or disclosed. Are you required to self-report the violation to the affected individual and HHS?
HIPAA Breach...more