On January 28, 2020, the Department of Health & Human Services (“HHS”) Office for Civil Rights (“OCR”) addressed a federal court’s January 23rd invalidation of certain provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) rule relating to the third-party requests for patient records. In Ciox Health, LLC v. Azar,[1] the court invalidated the 2013 Omnibus Rule’s mandate that all protected health information (“PHI”) maintained in any format (not just that in the electronic health record) by a covered entity be delivered to third parties at the request of an individual, as well as the 2016 limitation on fees that can be charged to third parties for copies of protected health information (“PHI”).

As enacted, HIPAA’s Privacy Rule limits what covered entities (or business associates acting on behalf of covered entities)[2] may charge an “individual” requesting a copy of their medical record to a “reasonable, cost-based fee”[3] (the “Patient Rate”). The Privacy Rule did not, however, place limitations on the fees that can be charged to other requestors of this information, such as other covered entities that need copies of the records for treatment purposes or for disclosures to attorneys or other third parties.  In order for some of these third parties to obtain the records, the patient would have to provide the covered entity with a valid HIPAA authorization.  
Continue Reading

In an effort to address the challenge of increasing drug prices for patients and families, the U.S. Food and Drug Administration (“FDA”) and the U.S. Department of Health and Human Services (“HHS”) recently outlined a proposal for facilitating the importation of pharmaceuticals originally intended for foreign markets.  The Safe Importation Action Plan (the “Action Plan”),

On Friday April 26, 2019, the US Department of Health and Human Services (“HHS”) issued a notification regarding HHS’ use of Civil Monetary Penalties (“CMP”) under the Health Insurance Portability and Accountability Act (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act.  https://www.federalregister.gov/documents/2019/04/30/2019-08530/enforcement-discretion-regarding-hipaa-civil-money-penalties.  The notice provides: “As a

The healthcare industry is still struggling to address its cybersecurity issues as 31 data breaches were reported in February 2019, exposing data from more than 2 million people.  However, the emergence of artificial intelligence (AI) may provide tools to reduce cyber risk.

AI cybersecurity tools can enable organizations to improve data security by detecting

Recently, the U.S. Department of Health & Human Services (“HHS”) issued guidance for healthcare cybersecurity best practices.  As required under the Cybersecurity Act (CSA) of 2015, this four-part guidance was generated by a Task Group charged with the following:

  1. Examining current cybersecurity threats affecting the healthcare and public health sector;
  2. Identifying specific weaknesses that

On November 30, 2018, the Department for Health and Human Services (“HHS”) Health Resources and Services Administration (“HRSA”) will publish its final rule to change the effective date for its 340B Drug Pricing Program ceiling price and manufacturer civil monetary penalty final rule to January 1, 2019.

After two years of proposed rulemaking, HHS published

A dental practice and related dental management company have become the first two entities to make their way on to the newly created “High Risk – Heightened Scrutiny” list from the Office of Inspector General for the United States Department of Health and Human Services (the “OIG”).[1]

ImmediaDent of Indiana, LLC, a professional dental

On November 1, 2018, the Office of the Inspector General (“OIG”) for the U.S. Department of Health and Human Services (“HHS”) published an audit report finding that the U.S. Food and Drug Administration’s (“FDA”) policies and procedures were “deficient for addressing medical device cybersecurity compromises.” (A copy of OIG’s complete report is available here and

The American Clinical Laboratory Association (“ACLA”) challenged the final rules promulgated by the Department for Health and Human Services (“HHS”) pertaining to how the Medicare Clinical Laboratory Fee Schedule (“CLFS”) payment rates are established for laboratory services (Am. Clinical Lab. Ass’n v. Azar, No. 17-2645 ABJ, 2018 U.S. Dist. LEXIS 161639, 2018 WL

On June 20, 2018, the Centers for Medicare and Medicaid Services (“CMS”) published an advance copy of a request for information seeking public input on reforms to the Physician Self-Referral Law (or “Stark Law”).

The request for information stems from on-going efforts by the Department of Health and Human Services (“HHS”) to accelerate the government’s