OCR publishes guidance on HIPAA, COVID vaccines and the workplace

The Office for Civil Rights (OCR) of the Department of Health & Human Services has published guidance on what inquiries and disclosures about COVID-19 vaccination status are permitted. The OCR notes that the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule applies only to covered entities and their business associates. (Covered entities are health plans, health care clearinghouses and health care providers that conduct electronic transactions, and business associates are entities that provide various management and related services for covered entities.)

The HIPAA Privacy Rule does not prohibit businesses or individuals from asking whether customers or clients have received a COVID-19 vaccine. This is the case even for businesses that are covered entities or business associates, because the HIPAA Privacy Rule applies to uses and disclosures of protected health information (PHI) by covered entities and business associates, not requests for information. HIPAA also does not prohibit an individual from disclosing whether the individual has been vaccinated.

The OCR points out that the HIPAA Privacy Rule does not apply to employment records (including records held by covered entities or business associates in their capacity as employers). HIPAA does not regulate what information can be requested from employees as a condition of employment. Therefore, employers (including covered entities and business associates) can require their employees to provide documentation of COVID-19 vaccination, to sign an authorization for the employee's health care provider to provide such documentation, to wear a mask while on the employer's premises or in the course of performing their duties, or to disclose whether the employee is vaccinated if a patient asks for that information. The OCR notes, however, that the Americans with Disabilities Act requires that documentation of vaccination, like other employee health information, must be kept confidential and stored separately from personnel files.

The OCR also addressed questions relating to employee health services. Health care providers are permitted to disclose PHI relating to an individual's vaccination status to an employer in connection with medical surveillance of the workplace or to evaluate whether the individual has a work-related illness, but only if the health care provider is providing services to the individual at the request of the employer, the individual is notified that PHI related to medical surveillance and work-related illnesses will be disclosed to the employer, and certain other conditions apply.

It is necessary to distinguish between employment records and health records maintained by a health care provider in the course of treatment. The HIPAA Privacy Rule generally requires covered entities, including health care providers, to obtain the patient's authorization in order to disclose information (with certain exceptions, such as disclosures to public health authorities).

NIST invites comments on Security Rule compliance guide

The National Institute of Standards and Technology (NIST) is inviting comments on updating its resource guide for implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. NIST's resource guide was published in 2008. The public is invited to provide input by June 15, 2021. NIST seeks comments on how health care organizations and business associates are using the resource guide to assist in complying with the HIPAA Security Rule. NIST also invites comment on how organizations assess risk to electronic protected health information (ePHI), how health care organizations manage concerns regarding business associates' compliance with the Security Rule, and how organizations document implementation of recognized security practices.
The topic of how recognized security practices are implemented should be particularly important for health care organizations and business associates. Effective January 5, 2021, the Health Information Technology for Economic and Clinical Health Act (the HITECH Act) was amended by P.L. 116-321 to provide that in conducting audits of Security Rule compliance and assessing fines, the Department of Health and Human Services shall consider whether the organization has demonstrated that it had recognized security practices in place. The term "recognized security practices" is defined to include standards, guidelines and best practices developed by NIST.

HHS extends comment period for HIPAA Privacy Rule changes to May 6

The Department of Health & Human Services (HHS) has announced that it is allowing additional time for public comment on proposed changes relating to access to and disclosure of protected health information (PHI). The Office for Civil Rights (OCR) of HHS published significant proposed modifications to the Health Insurance Portability & Accountability Act (HIPAA) Privacy Standards in the Federal Register on January 21, 2021. The proposed rules were focused on supporting the transition to value-based health care by modifying restrictions on use of PHI for care coordination and case management. OCR also proposed significant changes in procedures for individuals’ access to their PHI. The original comment date of March 22, 2021 has been extended to May 6, 2021.


OCR will permit providers to schedule COVID vaccine appointments online

The Office for Civil Rights (OCR) has issued a notification of enforcement discretion permitting entities covered under the Health Insurance Portability and Accountability Act (HIPAA), and their business associates, to use online or web-based scheduling applications (WBSAs) to schedule appointments for COVID-19 vaccinations during the public health emergency. The notification will be published in the Federal Register on February 24, 2021 and applies as of December 11, 2020.


HITECH amendment encourages adoption of recognized security practices

An amendment to the Health Information Technology for Economic and Clinical Health Act (HITECH) enacted on January 5, 2021 provides an incentive for a covered entity under the Health Insurance Portability and Accountability Act (HIPAA), or a covered entity's business associates, to adopt recognized security practices. H.R. 7898, enacted as P.L. 116-321, states that the Secretary of the Department of Health and Human Services shall consider whether the covered entity or business associate has adopted recognized security practices, which may mitigate fines or other remedies imposed for HIPAA security violations or lead to favorable termination of a HIPAA security audit. Recognized security practices are standards, guidelines and best practices developed by the National Institute of Standards & Technology (NIST) or other regulatory guidelines for cybersecurity.

Banner Health settlement is largest so far in the OCR’s Right of Access initiative

On January 12, 2021, the Department of Health & Human Services Office for Civil Rights (OCR) reported that it had reached a $200,000 settlement with Banner Health. This is the fourteenth settlement in OCR’s Right of Access initiative, which investigates claims of patients and related parties that they have been denied access to their health records. Under the Health Insurance Portability and Accountability Act (HIPAA), HIPAA covered entities, including health care providers, are required to respond to a request for access to records within thirty days.

The Banner Health settlement is the third six-figure settlement, following settlements in October 2020 with Dignity Health ($160,000) and NY Spine ($100,000). The remaining eleven settlements have been for less than $100,000, with five $25,000 or less. However, the ongoing compliance reporting required by the settlement agreements may be a more substantial burden than the upfront settlement payment, especially for smaller providers. Generally, the settlement agreements require the provider to revise its policies and procedures, train employees, and provide reports to OCR for a two-year period.

Excellus Health Plan settles data breach for $5.1 million

The Department of Health & Human Services Office for Civil Rights (OCR) announced a $5.1 million settlement with Excellus Health Plan, Inc. relating to a data breach that affected over 9.3 million persons. The breach arose out of a cyberattack that began in December 2013, in which hackers installed malware and conducted reconnaissance activities within the health plan’s information technology system. The attack was not ended until May 2015. In addition to the settlement payment, the health plan agreed to a two-year corrective action plan that requires it to conduct a comprehensive information security risk analysis; adopt an enterprise-wide risk management plan; and update its policies and procedures, including providing for regular review of audit logs, access reports and security incident reports, and adoption of access control measures, including network or portal segmentation and password management.
