The Fifth Circuit Court of Appeals ruled that the Department of Health and Human Services (HHS) violated the Administrative Procedure Act in imposing a civil monetary penalty of more than $4 million on M.D. Anderson Cancer Center. The case arose out of three incidents in 2012 and 2013 in which an unencrypted laptop was stolen and two unencrypted USB thumb drives were lost.
HHS had determined that M.D. Anderson violated the Health Insurance Portability and Accountability Act (HIPAA) Security Rule requirement that covered entities implement a mechanism to encrypt electronic protected health information (ePHI) or adopt another appropriate method to limit access to it. HHS also determined that the hospital violated the HIPAA Privacy Rule prohibition on impermissible disclosure of PHI. Finally, HHS found that the hospital had reasonable cause to know that it had violated these rules and assessed penalties, calculated on a per-day basis, totaling $1,348,000 for the Security Rule violation and $3,000,000 for the Privacy Rule violation. The court ruled that HHS acted arbitrarily and capriciously both in applying its regulations and in calculating the penalty amounts.
- Published: 15 January 2021
- Last Updated: 15 January 2021
The Department of Health and Human Services Office for Civil Rights (OCR) published a report on its audits of compliance with the privacy, security and breach notification rules of the Health Insurance Portability and Accountability Act (HIPAA) by HIPAA covered entities (CEs) and business associates (BAs). Most CEs complied with the requirements for timely notification of breaches and for prominent posting of the Notice of Privacy Practices (NPP) on their websites. However, many CEs failed to fully comply with the HIPAA Privacy Rule requirements for providing individuals access to their Protected Health Information (PHI) and with the required content of the NPP. Also, most CEs and BAs failed to demonstrate compliance with the HIPAA Security Rule requirements for risk analysis and risk management. OCR noted that it provides extensive compliance resources for these areas.
- Published: 14 January 2021
- Last Updated: 14 January 2021
On December 18, 2020, the Office for Civil Rights (OCR) of the Department of Health and Human Services published a guidance document addressing the circumstances in which a covered entity under the Health Insurance Portability and Accountability Act (HIPAA), or its business associate, may disclose protected health information (PHI) to a public health authority through a health information exchange (HIE). Some of the circumstances in which PHI may be disclosed are in effect only during the COVID-19 public health emergency (PHE). Covered entities need to be aware of this limitation and prepare to terminate or modify these arrangements when the PHE ends. In particular, if a covered entity is using an HIE to transmit PHI to a public health agency, the parties will need to discontinue that disclosure once the COVID-19 PHE ends unless the business associate agreement (BAA) expressly permits it.
- Published: 29 December 2020
- Last Updated: 29 December 2020
The Office for Civil Rights (OCR) of the Department of Health and Human Services has announced that, during the COVID-19 national emergency, health care providers may use audio or video communication technology to provide telehealth to patients via popular consumer applications. Ordinarily, providers would need to comply with the HIPAA Security Rule standards and enter into a business associate agreement with the technology vendor in order to provide HIPAA-compliant telehealth services. However, to keep health care services accessible to patients, OCR is allowing providers to use non-public-facing remote communication products, such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom or Skype, without those steps. Public-facing applications such as Facebook Live, which stream to an open audience rather than a private session, should not be used for telehealth.
- Published: 11 May 2020
- Last Updated: 11 May 2020