Privacy & Data Security

June 25, 2024 has arrived! This means that the Final Rule for HIPAA Privacy to Support Reproductive Health Care Privacy is officially in effect, and HIPAA covered entities and business associates may now begin implementing its new requirements! But there are still many questions about how some of the new requirements should be implemented. Among those giving covered entities and business associates the most angst is the new Attestation requirement.
Continue Reading HIPAA Reproductive Health Care Privacy – Attestation Template, Policy Samples, updated HIPAA policies, a HIPAA-New Jersey Reproductive Health Care Law crosswalk, and more!

What should covered entity healthcare providers be considering and doing, especially where Change Healthcare has yet to take any affirmative breach notification actions? In this post, I take a deeper dive into key issues and share suggestions on steps covered entities may wish to take in order to manage ongoing uncertainties and risks that continue to simmer as a result of the Change Healthcare incident.
Continue Reading Who’s On First? Confusion Continues About Who Should be Reporting the Change Healthcare PHI Breaches

The Final Rule amending 42 CFR Part 2 finalizes changes that will align uses and disclosures of Part 2 information with HIPAA for treatment, payment & health care operations. Part 2 providers and others who must comply with Part 2 and this Final Rule have two (2) years to get into compliance. Read more about the changes and how we can help with compliance.
Continue Reading 42 C.F.R. Part 2 Final Rule Amending Privacy of Substance Use Disorder Records Released.

Part 1 – What Data is (maybe?) Covered and Who Must Comply with the New Jersey Data Privacy Act?

This week we take a quick look at the newest state effort to tackle data privacy. New Jersey entered the data privacy playing field last week with Governor Murphy putting pen to paper on a new comprehensive Data Privacy Act. 332_R6 significantly strengthens New Jersey’s consumer protection and privacy laws, placing enforcement in the hands of the New Jersey Division of Consumer Affairs (“DCA”) and the Attorney General’s Office. While it shares some similarities with other recently enacted state privacy laws,
Continue Reading New Jersey’s new data privacy act and its impact on health care orgs

The New Jersey Data Privacy Act (NJDPA) was enacted on January 16, 2024. Although PHI collected by a HIPAA CE or BA is excluded from the NJDPA, HIPAA CEs and BAs are NOT wholly excluded from compliance with the NJDPA. Also, HHS’ recent problematic interpretation that IP addresses collected by a healthcare provider’s website may be PHI adds even more complexity in interpreting the NJDPA.
Continue Reading Meet New Jersey’s Brand New Data Privacy Act and Its Impact on Healthcare Organizations & Others

The Proposed Rule for enforcement is out, and the potential financial “hit” that health care providers may face if the OIG finds them to have violated the Information Blocking Rule (IBR) could be substantial. But it’s not time to get spooked just yet. The reach of the proposed enforcement has limitations. Read more to find out why.
Continue Reading Hefty Monetary Disincentives Proposed for Health Care Providers Engaged in Information Blocking – But Not Every Provider Will Be on the Hook.

The Proposed Rule for enforcement is out, and the potential financial “hit” that health care providers may face if the OIG finds them to have violated the Information Blocking Rule (IBR) could be substantial, but don’t get spooked. The reach of the proposed enforcement has limitations. Read more to find out why.
Continue Reading Hefty Monetary Disincentives Proposed for Health Care Providers Engaged in Information Blocking – But Not Every Provider Is on the Hook.

The Minnesota Supreme Court held that HIPAA “authorizes” disclosures for purposes of state law and consent was not required for a hospital to disclose PHI to its institutionally related foundation for fundraising purposes. Other states might take a similar stance. The Information Blocking Rule (IBR) prohibits health care providers from interfering with the access and exchange of EHI in an unreasonable manner. State laws containing similar “as authorized by federal law” exceptions to consent must be carefully considered when claiming the IBR’s Privacy Exception to “block” EHI.
Continue Reading Minnesota Supreme Court Finds State Law Permits Health Information to be Shared Because HIPAA Authorizes It

OCR reaches a new $1.3 million settlement with a health plan for HIPAA violations. OCR says, “HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA Rules, and not wait for OCR to reveal long-standing HIPAA deficiencies.” Employers that offer Employee Benefits must evaluate if they are responsible for a health plan with HIPAA compliance obligations.
Continue Reading Is Your Organization Paying for the Cost of Health Care? You Might be Responsible for a Health Plan with HIPAA Compliance Obligations.

OIG’s authority to begin enforcement of the Information Blocking Rule begins September 1, 2023. Certain Actors subject to the Information Blocking Rule may be subject to a penalty of up to $1 million per violation! Actors need to be proactive in ensuring their compliance with the Information Blocking Rule and not wait for the OIG to discover them.
Continue Reading Penalties for Violation of the Information Blocking Rule Start Today!

Genetic testing companies, and those who partner with them, must take care to ensure that the scope of how consumers’ sensitive data is used and shared in the future aligns with the scope of consent that was granted by the consumer at the point of collection. The FTC found that a California-based genetic testing company informed consumers that it would only share consumers’ sensitive health and other personal information “in limited circumstances,” but then expanded sharing such information with new third parties, like supermarket chains. The FTC has now stepped up to protect consumers’ sensitive genetic information.
Continue Reading Genetic Testing Company Violates Privacy and Security Policies, FTC Says.

After OCR created a Morton’s Fork for hospitals and health systems by publishing its HIPAA Guidance on the Use of Online Tracking Technologies, the American Hospital Association initially stayed out of the fray. Not any more. In its letter dated May 22, 2023, AHA makes its case to HHS as to why OCR’s Online Tracking Guidance should be suspended or amended.
Continue Reading AHA Writes Letter to HHS and Pushes Back on OCR’s Online Tracking Guidance

The FTC releases its second enforcement action under the Health Breach Notification Rule in just over 3 months. This time, the FTC found that a fertility app called Premom shared sensitive fertility information with third parties for unauthorized purposes. While Premom told its users that it would not share their health information with third parties without users’ consent, it used third-party automated tracking tools known as software development kits (SDKs), which shared highly sensitive health information (e.g., data about an individual user’s sexual & reproductive health, pregnancy status, etc.) for advertising and marketing purposes.
Continue Reading FTC Finds that Ovulation Tracking App Violated the Health Breach Notification Rule