The Department of Health and Human Services (HHS) announced a Request for Information (RFI) regarding how the HIPAA Privacy, Security, and Breach Notification Rules could be modified to reduce regulatory burdens and to improve care coordination, case management, and value-based health care. In addition to opening the door for public comments on current challenges and potential modifications to the HIPAA Rules, the RFI specifically requests feedback on anticipated changes to several specific provisions of the Privacy Rule.
The Department of Health and Human Services Office for Civil Rights is taking an aggressive stand on HIPAA enforcement and targeting violations related to security risk assessments and business associate agreements. Three resolution agreements posted in the last month make clear that the agency expects entities subject to HIPAA to take appropriate steps to secure their data, regardless of the size or type of the entity.
The Department of Health and Human Services released guidance on July 11, 2016, intended to help the healthcare industry prepare for and respond to ransomware attacks. Specifically, this guidance clarifies: (1) that a ransomware attack is considered a “security incident” under HIPAA, and (2) that a ransomware attack will typically be considered a “breach” by HHS unless entities are able to demonstrate that there is a “low probability of compromise.” The guidance also clarifies that covered entities must implement the same risk assessment processes as they would with other types of cyber threats, including malware. At a time when ransomware attacks are on the rise, this guidance heightens the potential regulatory enforcement consequences of these events.
The FTC released this week a web-based tool to assist mobile app developers in determining which federal privacy laws apply to their mobile health applications. The tool asks developers a series of ten targeted questions that help a user determine whether HIPAA, FTC, and/or FDA rules and regulations might apply.
The revamped audit protocol for the upcoming HIPAA Phase 2 audits has been released by the US Department of Health and Human Services Office for Civil Rights. The audit protocol, which is posted on the HHS website, includes new requirements added by the 2013 Omnibus Final Rule for HIPAA covered entities and business associates. The Phase 2 audits will be more focused, and the stakes will be higher: the agency has indicated that audits may, in certain circumstances, lead to full compliance reviews—with the potential for fines or settlement agreements related to alleged HIPAA noncompliance. In addition, business associates will be subject to HIPAA audits for the first time.
Last week, the Department of Health and Human Services Office for Civil Rights launched the long-awaited Phase 2 HIPAA Audit Program. Earlier this month, the agency posted two resolution agreements that continue the trend toward big dollar settlement amounts and a focus on security risk assessments and business associate agreements. With Phase 2 HIPAA Audits underway and more full-scale compliance reviews triggered by data breach reports, it is more important than ever to appropriately protect health information.
Following the launch of its mHealth Developer Portal last October, the HHS Office for Civil Rights has released guidance clarifying how HIPAA applies to mobile health apps. Ensuring that developers understand their legal obligations is critical to protecting consumer privacy and security, especially now that there are more than 165,000 health apps available in the iTunes and Android app stores. A more clear understanding of how the rules apply can also help bring down barriers to innovation.
The White House released the Precision Medicine Initiative Privacy and Trust Principles, aimed at building patient trust and protecting patient privacy for precision medicine-related activities last month, as the National Institutes of Health announced the availability of $72 million in PMI-related funding opportunities for fiscal year 2016. A Security Policy Framework that will help ensure that security is built into the foundation of the PMI is in development.
In an effort to help members of the health IT community better understand the federal laws relating to interoperability, the Office of the National Coordinator for Health Information Technology, part of the Department of Health and Human Services, has published a revised Guide to Privacy and Security of Electronic Health Information. Originally published in 2011, the updated document includes new insights about privacy- and security-related issues that will help providers, health IT professionals, vendors, and the public at large understand the different potentially applicable federal laws and incentive programs and how they fit together
Delaware recently adopted a new law that will add requirements related to the destruction of records containing “personal identifying information.” With that law, Delaware joined a number of other states that place restrictions on the ways in which entities destroy or dispose of personal information. The Delaware law will become effective January 1, 2015.