Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends

Category Archives: Health Privacy/HIPAA

Subscribe to Health Privacy/HIPAA RSS Feed
Posted in Health Privacy/HIPAA

OCR Releases Updated Audit Protocol

The revamped audit protocol for the upcoming HIPAA Phase 2 audits has been released by the US Department of Health and Human Services Office for Civil Rights. The audit protocol, which is posted on the HHS website, includes new requirements added by the 2013 Omnibus Final Rule for HIPAA covered entities and business associates. The Phase 2 audits will be more focused, and the stakes will be higher: the agency has indicated that audits may, in certain circumstances, lead to full compliance reviews—with the potential for fines or settlement agreements related to alleged HIPAA noncompliance. In addition, business associates will be subject to HIPAA audits for the first time.

Posted in Cybersecurity & Data Breaches, Health Privacy/HIPAA

OCR Highlights Priorities as it Steps Up HIPAA Enforcement

Last week, the Department of Health and Human Services Office for Civil Rights launched the long-awaited Phase 2 HIPAA Audit Program. Earlier this month, the agency posted two resolution agreements that continue the trend toward big dollar settlement amounts and a focus on security risk assessments and business associate agreements. With Phase 2 HIPAA Audits underway and more full-scale compliance reviews triggered by data breach reports, it is more important than ever to appropriately protect health information.

Posted in Cybersecurity & Data Breaches, Health Privacy/HIPAA

Health Sector Regulators Increase Focus on Cybersecurity

The US government has been increasingly active in cybersecurity legislation and enforcement. Congress recently passed the Cybersecurity Act of 2015, which has spurred renewed attention to cybersecurity requirements and cyber threat information sharing. The US government continues to draw attention to how organizations can align their cybersecurity programs with the NIST Cybersecurity Framework. Moreover, a number of federal agencies including the Consumer Financial Protection Bureau, Federal Trade Commission, and Federal Communications Commission have all issued settlements relating to cybersecurity enforcement actions in recent months. In the health sector, the US Department of Health and Human Services has been increasingly focused on cybersecurity, primarily through its HIPAA enforcement activities. Against that backdrop, three recent developments demonstrate the ways in which HHS and the health sector are expanding their cybersecurity focus beyond HIPAA Security Rule compliance.

Posted in Health Privacy/HIPAA

OCR Releases mHealth Guidance for App Developers

Following the launch of its mHealth Developer Portal last October, the HHS Office for Civil Rights has released guidance clarifying how HIPAA applies to mobile health apps. Ensuring that developers understand their legal obligations is critical to protecting consumer privacy and security, especially now that there are more than 165,000 health apps available in the iTunes and Android app stores. A more clear understanding of how the rules apply can also help bring down barriers to innovation.

Posted in Health Privacy/HIPAA, International/EU Privacy

The Final GDPR Text and What It Will Mean for Health Data

The EU General Data Protection Regulation has been called the most lobbied piece of legislation in the history of the EU. Before Christmas last year, what is likely to be the final text of the GDPR emerged from the EU trilogue negotiations. Victoria Hordern, Senior Associate at Hogan Lovells, explores what the new GDPR will mean for those collecting and handling health data, and examines a number of the provisions and themes that impact the use of health data.

Posted in Health Privacy/HIPAA

Precision Medicine Initiative Moves Forward with new Guidelines and Funding Opportunities

The White House released the Precision Medicine Initiative Privacy and Trust Principles, aimed at building patient trust and protecting patient privacy for precision medicine-related activities last month, as the National Institutes of Health announced the availability of $72 million in PMI-related funding opportunities for fiscal year 2016. A Security Policy Framework that will help ensure that security is built into the foundation of the PMI is in development.

Posted in Health Privacy/HIPAA

Help for mHealth: OCR Launches HIPAA Discussion Portal

The HHS Office for Civil Rights has launched an online portal designed to solicit questions from mHealth developers regarding compliance with HIPAA privacy and security requirements. The portal is designed to demystify HIPAA for app developers while providing guidance to regulators about which aspects of HIPAA may require clarification.

Posted in Health Privacy/HIPAA, International/EU Privacy

Mobile Health in the EU (Part 2): Personal Data and Sensitive Information in mHealth Businesses

In our previous post we outlined the key issues regarding mHealth devices and services from a privacy law perspective. Now, we go further into the details and discuss the scope of the personal data involved, especially relating to sensitive health data. We introduce the relevant statutory requirements in the EU and the legal opinions of the Article 29 Working Party and the European Data Protection Supervisor as well as having a look at the upcoming European General Data Protection Regulation. Against this legal background, one core question we will examine is whether information collected and processed by lifestyle apps and devices must be classified as health data and fall under the strict requirements of European data protection laws.

Posted in Health Privacy/HIPAA

HHS Office of Inspector General Calls On OCR for Increased HIPAA Oversight

The HHS Office for Civil Rights needs to improve and expand its health privacy and data breach enforcement efforts. This was the message delivered by the September 29 release of twin reports by the U.S. Department of Health and Human Services Office of Inspector General that assessed OCR’s enforcement of federal health privacy laws. The studies were commissioned out of concern that the failure to adequately safeguard health information can expose large numbers of patients “to privacy invasion, fraud, identity theft, and/or other harm.” The enforcement of the HIPAA privacy laws in the U.S. are viewed as critical to ensuring that vulnerabilities that can lead to data breaches and potential harm to patients are addressed.

Posted in Cybersecurity & Data Breaches, Health Privacy/HIPAA

Recap of the OCR/NIST Conference on Safeguarding Health Information

Government officials and experts from the private sector discussed enabling precision medicine and efforts to bolster patients’ rights to access medical records, and also emphasized the importance of controlling access to protected health information at the eighth annual “Safeguarding Health Information: Building Assurance Through HIPAA Security” conference held from September 2–3, 2015, and co-hosted by the National Institute of Standards and Technology (NIST) and the Department of Health and Human Services, Office for Civil Rights. Comprehensive risk analysis and risk management practices remained a point of emphasis throughout the conference. This blog post addresses the following additional themes that emerged during the conference.

Posted in Health Privacy/HIPAA

Health IT Regulator Updates Guidance on Privacy and Security

In an effort to help members of the health IT community better understand the federal laws relating to interoperability, the Office of the National Coordinator for Health Information Technology, part of the Department of Health and Human Services, has published a revised Guide to Privacy and Security of Electronic Health Information. Originally published in 2011, the updated document includes new insights about privacy- and security-related issues that will help providers, health IT professionals, vendors, and the public at large understand the different potentially applicable federal laws and incentive programs and how they fit together

Posted in Health Privacy/HIPAA, International/EU Privacy

The Treatment of Health Data Under the EU Data Protection Regulation – Cause for Hope?

On 9 March, the Council of the EU issued a partial general approach on a key chapter of the EU Data Protection Regulation which has implications for the regulation of health data. The Council’s stance has been welcomed by a number of healthcare commentators as it promotes a more flexible approach to the use of health data and accords with the tenor of the revised version of the draft Regulation that emerged from the Council in December last year.

Posted in Health Privacy/HIPAA

Interoperability and Privacy are Buzzwords at 2015 ONC Annual Meeting

Federal health IT leaders emphasized interoperability and computable privacy during the two-day Annual Meeting of the U.S. Office of the National Coordinator for Health Information Technology, which took place on February 2 and 3. Over 1,200 participants representing viewpoints across the healthcare spectrum attended the meeting in Washington, D.C. The meeting built on momentum from last week’s release of ONC’s draft Nationwide Interoperability Roadmap, as well as several high-profile announcements reinforcing the Obama Administration’s commitment to interoperability and privacy.

Posted in Cybersecurity & Data Breaches, Health Privacy/HIPAA

Latest HIPAA Settlement Emphasizes Need to Regularly Address Software Vulnerabilities

On December 2, the Department of Health and Human Services, Office for Civil Rights announced a $150,000 settlement with Anchorage Community Mental Health Services, Inc. for alleged violations of the HIPAA Security Rule. The announcement followed an OCR investigation into a breach of unsecured electronic protected health information affecting 2,743 individuals. OCR highlighted three Security Rule violations in its resolution agreement: (1) failure to conduct an accurate and thorough risk analysis; (2) failure to implement security policies and procedures; and (3) failure to have reasonable firewalls in place, as well as supported and patched IT resources. In a press release regarding the settlement, OCR Director Jocelyn Samuels noted that “successful HIPAA compliance . . . . includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”

Posted in Cybersecurity & Data Breaches, Health Privacy/HIPAA

OCR and NIST Host Conference and Provide Insights on Safeguarding Health Information

Government officials emphasized the importance of risk analysis and risk management in safeguarding PHI at the Seventh Annual “Safeguarding Health Information: Building Assurance Through HIPAA Security” conference held from September 23–24, 2014, and co-hosted by the National Institute of Standards and Technology and the Department of Health and Human Services, Office for Civil Rights. The conference’s themes—which include risk analysis and risk management, information sharing, and upcoming OCR enforcement efforts—highlighted how HIPAA regulated entities should approach cybersecurity considerations and compliance with the HIPAA Security Rule.

Posted in Health Privacy/HIPAA

As Business Associate Agreements Amendment Deadline Approaches, OCR Discusses Upcoming HIPAA Audits

The 2009 HITECH Act mandated that the U.S. Department of Health and Human Services Office for Civil Rights conduct periodic audits of covered entities and business associates for compliance with HIPAA privacy and security requirements. In 2012, OCR conducted a pilot audit program involving 115 covered entities. In February 2014, the agency issued a notice in the Federal Register announcing its plan to survey up to 1,200 covered entities and business associates to select organizations for the next round of HIPAA audits.

Posted in Health Privacy/HIPAA

NIH Issues Rules on Genomic Data Sharing

On August 27, 2014, the National Institutes of Health issued a new Genomic Data Sharing Policy, which replaces the current genome-wide association study data policy that was instituted in 2007. The GDS Policy applies to all NIH-funded research that generates large-scale human or non-human genomic data as well as the use of that data for subsequent research. As discussed in this post, the Policy promotes the use of broad informed consent for future study and sharing.

Posted in Health Privacy/HIPAA

California Appeals Court Rules that Mere Possession of Medical Information by Unauthorized Person is Insufficient to Support Breach Claims Under the CMIA

In a ruling that was welcome news to health care providers, insurers, and others that maintain medical information of California residents, the California Court of Appeals recently held that the mere possession of medical information by an unauthorized person, without actual viewing of the information, is not sufficient to establish a breach of confidentiality under the California Confidentiality of Medical Information Act , Cal. Civ. Code §§ 56 et seq.

Posted in Consumer Privacy, Health Privacy/HIPAA

FTC Examines Benefits and Risks of Consumer Generated and Controlled Health Data

On May 7, 2014, the Federal Trade Commission (FTC) held a seminar on Consumer Generated and Controlled Health Data (CGHD) that included participants from government, industry, and advocacy organizations. The seminar—which consisted of opening remarks by FTC Commissioner Julie Brill, brief presentations by FTC representatives on health information data flows and sharing of CGHD with third parties, and a panel discussion moderated by FTC attorneys Kristen Anderson and Cora Han—examined the potential benefits and risks of CGHD.

Posted in Health Privacy/HIPAA

HHS Releases Security Risk Assessment Tool

The U.S. Department of Health and Human Services (HHS) recently released a security risk assessment (SRA) tool as a resource to assist health care providers in complying with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

The Security Rule applies to HIPAA “covered entities”—which include health plans, health care clearinghouses, and most health care providers—that handle electronic protected health information (ePHI). The Security Rule also applies to “business associates” that perform functions or services on behalf of covered entities involving ePHI. The Rule requires covered entities and business associates to conduct a risk assessment to identify possible gaps in their information security programs in order to help ensure that patient information is protected against data breaches or other security events.

Posted in Health Privacy/HIPAA

HHS Reaches First Settlement with Local Government Over HIPAA Violations

The U.S. Department of Health and Human Services sent a strong message to local governments last week when it reached a settlement with Skagit County, Washington over alleged violations of the Health Insurance Portability and Accountability Act. This is the first time that HHS has settled charges against a local—and not state level—government entity for HIPAA violations.

Posted in Health Privacy/HIPAA

HHS Issues Guidance on Sharing Mental Health Information

HHS has issued new guidance addressing when it is appropriate under the HIPAA Privacy Rule for a health care provider to share the protected health information of a patient who is being treated for a mental health condition. The guidance does not impose new obligations, but rather is intended to clarify the application of existing HIPAA requirements to the disclosure of mental health information. Covered entity providers that handle such information may find it helpful to review the guidance to ensure that their practices are consistent with regulatory expectations.

Posted in Health Privacy/HIPAA

Puerto Rico Hits Insurer with Record $6.8 Million Fine for HIPAA Breach

On February 18, Puerto Rican insurer Triple S Salud revealed that it will face a $6.8 million fine for violating the Health Insurance Portability and Accountability Act. According to an 8-K filing submitted to the Securities and Exchange Commission, the Puerto Rico Health Insurance Administration notified Triple S on February 11, 2014 regarding its plans to sanction the insurer for HIPAA violations resulting from a 2013 breach of protected health information. The Health Insurance Administration also plans to impose administrative sanctions on the insurer, including the suspension of new enrollments into one of its plans and the obligation to notify affected individuals of their right to disenroll.