Posts in HIPAA.
By February 16, 2026, HIPAA covered entities receiving substance use disorder (SUD) records from a Part 2 program must revise their Notice of Privacy Practices to comply with a 2024 HHS Final Rule.
The December 23, 2024 deadline is fast approaching for HIPAA-covered entities to revise their policies and procedures regarding reproductive health. The Office for Civil Rights (OCR) issued a Final Rule that restricts the disclosure of protected health information (PHI) related to lawful reproductive health care, requiring policy amendments ...
Vendors of personal health records will face new rules for data breach notifications, as clarified by the Federal Trade Commission's Final Rule. The amendments address the increased use of health-related technology and emphasize the importance of notifying individuals and the FTC in case of a breach. The rule expands on definitions, breach ...
The U.S. Department of Health and Human Services announced a Final Rule called HIPAA Privacy Rule to Support Reproductive Health Care Privacy, prohibiting the disclosure of protected health information (PHI) related to lawful reproductive health care in certain circumstances. The rule also affects the confidentiality of substance use disorder ...
On February 8, 2024, the Centers for Medicare and Medicaid Services (CMS) issued a memorandum entitled Texting of Patient Information and Orders for Hospitals and CAHs (the 2024 Memo), which provides updated guidance to State Survey Agency Directors. 
On November 28, 2022, HHS released a Proposed Rule to amend the Part 2 regulation on confidentiality of substance use disorder (SUD) patient records in federally assisted Part 2 Programs. The Proposed Rule would align Part 2 with HIPAA's requirements for consent, disclosure, de-identification, unsecured PHI, data breach notification, and other ...
On 9/30/2021, HHS Office for Civil Rights issues guidance on when HIPAA applies and does not apply to COVID-19 vaccine information. Generally, HIPAA applies to disclosures of protected health information by HIPAA covered entities and not to requests for such information by such entities or other businesses. Accordingly, HIPAA does not prohibit ...
Congressional Bill H.R. 7898 signed into law on 1/5/2021 amends HIPAA's penalty standard for data breaches by mandating that HHS give favorable consideration to "recognized security practices" that the covered entity or business associate implemented.
COVID-19 expanded the use of telehealth and it's likely here to stay. Cyber criminals are taking advantage of healthcare's quick turn to audio-video platforms without having taken time to protect health information from unauthorized disclosure. Here are some tips to ensure your audio-video communication is secure ...

By Lindsay K. Scott

Following expansion by the Department of Health and Human Services’ Office for Civil Rights (“OCR”) and the Centers for Medicare and Medicaid Services (“CMS”) of federal telehealth services and relaxation of certain requirements, Kentucky Medicaid is following suit.

On March 17, 2020, the Centers for Medicare and ...

On March 17, 2020, the Office for Civil Rights ("OCR"), the agency within the Department of the United States Health & Human Services ("HHS") responsible for enforcement of HIPAA, issued the following guidance: "Notification of Enforcement Discretion for telehealth remote communications during the COVID-19 nationwide public health ...

Hospital Agrees to Pay $85,000 for Failure to Provide Patient Timely Access to Records

by Margaret Young Levi and Kathie McDonald-McClure

On September 9, 2019, the Office for Civil Rights (OCR) announced its first settlement under its “Right of Access Initiative.” Without admitting any wrongdoing, a hospital has agreed to pay $85,000 to ...

CMS proposes new Medicare Conditions of Participation for hospitals that will require hospital EHRs to send electronic event notifications to other providers when a patient has been admitted, discharged or transferred. CMS seeks stakeholder input, including timeframe for implementation. Comments are due by Friday, May 3, 2019 ...

By Margaret Young Levi and Kathie McDonald-McClure

Among the many mandates of the Affordable Care Act (ACA) (a/k/a “Obama Care”) still in force today is Section 1557. Section 1557 prohibits discrimination on the basis of race, color, national origin, sex, age, or disability in certain health programs or activities. The U.S ...

Allscripts' ransomware attack on its cloud-based platforms triggers HIPAA compliance obligations for "covered entities" who entered patient health information on those platforms. A putative class action lawsuit filed on behalf of providers using the Allscripts platforms alleges the attack was a HIPAA "breach". Providers who used these ...
Blockchain technology may solve healthcare IT's security and interoperability challenges. The HHS ONC and healthcare IT developers are rushing to explore its capabilities and launch open-source development tools.

The U.S. Department of Health & Human Services, Office of Civil Rights (OCR) entered into a settlement with Presence Health Network relating to its failure to provide timely notification of a breach of unsecured protected health information under the Health Insurance Portability & Accountability Act (HIPAA). OCR data breach settlements ...

The United States Court for the Eleventh Circuit granted LabMD's motion to stay enforcement of the FTC's Final Order, holding that there was no proof that LabMD’s failure in securing the privacy of the patient data at issue caused injury or harm or that it was “likely to cause” injury or harm

On July 29, 2016, the Federal Trade Commission (FTC) made the latest move in its battle with LabMD, Inc. (LabMD) when it reversed an initial decision by an administrative law judge (ALJ).  The FTC determined that LabMD’s data security practices constitute an unfair act or practice within the meaning of Section 5 of the Federal Trade Commission Act.  ...

On July 11, 2016, the HHS Office for Civil Rights issued a Fact Sheet about Ransomware for entities subject to HIPAA. Due to the unique nature of ransomware in making computer data inaccessible, OCR notes that patients may still need to be notified if care is compromised as a result of a ransomware attack. The HIPAA standard that presumes there is a breach ...

By Kathie McDonald-McClure

We recently posted an article about Tennessee's amendment to its data breach notification law.  This amendment has drawn much attention among cyber security professionals and corporate general counsel across the country.  As Jennifer Williams-Alvarez reported in her article for Corporate Counsel magazine

By Kathie McDonald-McClure and Matt San Roman

On March 24, 2016, Tennessee Governor Bill Haslam signed into law SB2005 as amended by SA0618, revising the Tennessee Identity Theft Deterrence Act of 1999, currently codified at T. C. A. § 47-18-2101, et seq.  Under the revised law, organizations subject to the law that experience a data breach will ...

The Department of Health and Human Services's Office for Civil Rights (OCR) announced last week that it has launched Phase 2 of its HIPAA Audit Program. Under this Audit Program, OCR will review whether entities subject to the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Data Breach Notification ...
