On March 17, 2020, the Office for Civil Rights’ (“OCR”) announced that—for the duration of the COVID-19 emergency—it would exercise enforcement discretion and waive any potential penalties for HIPAA violations relating to health care providers’ use of “everyday communications technologies” in the provision of services via telehealth (the “HIPAA Waiver”). This move has resulted in a drastic increase in the number of telehealth encounters. The HIPAA Waiver has enabled many providers to immediately leverage these technologies to render services via telehealth for the first time, without the need to expend significant resources to quickly ramp up a HIPAA-compliant telehealth platform. A summary of the HIPAA Waiver can be found in a recent blog post. While the HIPAA Waiver applies only temporarily, it is likely that the increased reliance on telehealth evidenced over the past three months is here to stay.

The COVID-19 pandemic’s impact on the regulatory landscape of telehealth was the topic of a June 17, 2020 hearing before the Senate Health, Education, Labor & Pensions Committee.  As Chairman Lamar Alexander acknowledged during his opening statement, the health care sector and government “have been forced to cram 10 years’ worth of telehealth experience into just the past three months.” Indeed, this “cramming” has resulted in thirty-one temporary changes to telehealth policy at the federal level. Of these temporary changes, Chairman Alexander included the OCR enforcement discretion / HIPAA waiver as one of the three changes he considers most important. However, of the three changes the Chairman views as most important, he declined to include the enforcement discretion in the temporary changes he believes should be made permanent, and instead called upon his colleagues to consider whether to extend the HIPAA waiver.[1]


Continue Reading Every HIPAA Waiver Has Its Thorn

On January 28, 2020, the Department of Health & Human Services (“HHS”) Office for Civil Rights (“OCR”) addressed a federal court’s January 23rd invalidation of certain provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) rule relating to the third-party requests for patient records. In Ciox Health, LLC v. Azar,[1] the court invalidated the 2013 Omnibus Rule’s mandate that all protected health information (“PHI”) maintained in any format (not just that in the electronic health record) by a covered entity be delivered to third parties at the request of an individual, as well as the 2016 limitation on fees that can be charged to third parties for copies of protected health information (“PHI”).

As enacted, HIPAA’s Privacy Rule limits what covered entities (or business associates acting on behalf of covered entities)[2] may charge an “individual” requesting a copy of their medical record to a “reasonable, cost-based fee”[3] (the “Patient Rate”). The Privacy Rule did not, however, place limitations on the fees that can be charged to other requestors of this information, such as other covered entities that need copies of the records for treatment purposes or for disclosures to attorneys or other third parties.  In order for some of these third parties to obtain the records, the patient would have to provide the covered entity with a valid HIPAA authorization.  
Continue Reading HHS Addresses Federal Court Invalidation of Certain Provisions of the HIPAA Rule Relating to the Third-Party Requests for Patient Records

On December 14, 2018 the Department of Health and Human Services, Office for Civil Rights (“OCR”) formally issued a Request For Information (“RFI”) seeking public input on “ways to modify the HIPAA Rules to remove regulatory obstacles and decrease regulatory burdens in order to facilitate efficient care coordination and/or case management and to promote the

Last week’s “WannaCry” worldwide Ransomware attack was particularly targeted against international health organizations. Though the attack was thwarted not without a little good luck and less financial loss that might have been predicted, it unsurprisingly triggered responses from U.S. government agencies including the Department of Homeland Security (DHS) and, with specific reference to health care

Executive Order Delay Trumps Administration Policy Development

President Trump’s first hundred days did not produce the event that most people in the cybersecurity community expected – a Presidential Executive Order supplanting or supplementing the Obama administration’s cyber policy – but that doesn’t mean that this period has been uneventful, particularly for those in the health

The U.S. Department of Health and Human Services, Office of Civil Rights (“OCR”), the agency tasked with enforcing the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), recently announced that it will redouble its efforts to investigate smaller breaches of Protected Health Information (“PHI”) that affect fewer than five-hundred (500) individuals.

It has been

By Patricia WagnerAli Lakhani and Jonathan Hoerner

On May 20, 2014, the Secretary of the Department of Health and Human Services (HHS) submitted the agency’s Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Years 2011 and 2012 (“Breach Report”). This report provides valuable insight for healthcare entities