Last week, the Office for Civil Rights (“OCR”) issued two pieces of guidance on the privacy and security of protected health information (“PHI”) when using telehealth services. One of the documents is intended to help health care providers explain to patients, in plain language, the privacy and security risks of using remote communication technologies for telehealth (the “Provider Telehealth Guidance”). The other provides tips to patients on how to safeguard their PHI when using video apps and other technologies for telehealth (the “Patient Telehealth Guidance”).
Continue Reading OCR Issues Guidance to Providers and Patients on Telehealth Privacy and Security

On July 13, 2022, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) issued guidance to the nation’s retail pharmacies about their nondiscrimination obligations to ensure access to reproductive health care services, including medications used to terminate pregnancies. As we previously discussed, the Biden Administration and OCR have been taking action as some states seek to restrict or criminalize abortion services in response to the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization.
Continue Reading OCR Issues Anti-Discrimination Guidance for Pharmacies Related to Reproductive Health Care Services

The Russia-Ukraine conflict is increasing the risk of ransomware attacks and other cyber threats for U.S. companies, and those in the health care industry may be targeted. In a recent analyst note from the Department of Health & Human Services (“HHS”), HHS describes the cyber capabilities of Russia, one of the world’s major cyberpowers, and analyzes two malware variants most likely to impact the U.S. health care and public health sector.
Continue Reading Increased Cyber Risk for Health Care Organizations Due to the Russia-Ukraine Conflict

On Monday, the Office for Civil Rights (“OCR”) at the U.S. Department of Health & Human Services (“HHS”) announced an enforcement action against Bayfront Health St. Petersburg (“Bayfront”) for allegedly failing to provide a mother timely access to her unborn child’s prenatal medical records. The enforcement action is noteworthy in that it marks OCR’s first

The HHS Office of Civil Rights (“OCR”) closed out the month of April with some updates to HIPAA civil monetary penalty (“CMP”) limits and clarifications to OCR’s stance on the Privacy Rule’s application to transfers of electronic protected health information (“ePHI”) to third-party applications and application programming interfaces (“APIs”).

Differential CMP Caps Based on Enforcement Discretion

Under the current HIPAA Enforcement Rule, HHS uses a four-tier culpability scale in line with the HITECH Act. Each tier corresponds to a range of CMPs for violations of the HIPAA Privacy and Security Rules by covered entities and business associates. These penalty tiers are adjusted for inflation pursuant to the cost-of-living formula set forth in the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015.

For instance, if a person did not know and, by exercising reasonable diligence, would not have known that the person violated the applicable HIPAA provision, the CMP that could be levied ranged from $100 to $50,000 for each identical violation, up to a maximum of $1.5 million for all such violations annually (before adjustment for inflation). The $1.5 million annual cap on CMPs for HIPAA violations applied across all four tiers, even though the minimum penalty for each tier increased in amount.

Since HHS began using this four-tier structure, however, there has been debate about whether the HITECH Act mandates different annual CMP caps for each of the tiers. OCR’s April 30, 2019 Federal Register Notice changes HHS’s prior position on this, and now imposes the following annual caps on CMPs for HIPAA violations:
Continue Reading HIPAA Spring Cleaning! Tidying Up Penalty Limits and FAQs on Patients’ Right of Access

On Wednesday, the U.S. Department of Health and Human Services, Office for Civil Rights announced a $400,000 settlement with Metro Community Provider Network arising from MCPN’s alleged failure to implement adequate security management processes to safeguard electronic protected health information in accordance with the Health Insurance Portability and Accountability Act Security Rule. This settlement followed

Two district courts[1] have recently stayed cases alleging that sex discrimination under ACA Section 1557 includes discrimination on the basis of gender identity and denial of coverage for gender transition, pending the Supreme Court’s decision in G.G. v. Gloucester County School Board.[2] The Supreme Court accepted certiorari in Gloucester in October 2016 to determine the validity of recent Department of Education Title IX guidance regarding gender identity. Briefing is currently under way. The district courts stayed the Section 1557 cases, reasoning that the Supreme Court’s decision would likely determine the validity of the Department of Health & Human Services’ Section 1557 regulations on gender identity as well.

ACA Section 1557 and Title IX rules on sex discrimination

Section 1557 (42 U.S.C. § 18116) prohibits entities that receive federal funds for health activities or programs from discriminating on the grounds prohibited by Title IX. Title IX generally prohibits discrimination on the basis of sex by recipients of federal education assistance.[3] Title IX, however, permits federal fund recipients to set up “separate living facilities for the different sexes.”[4] DOE and HHS regulations for Title IX, originally issued by the Department of Health, Education and Welfare, define sex in binary terms – “one sex” versus “the other sex” – and permit recipients to set up comparable but separate housing and “toilet, locker room, and shower facilities on the basis of sex.”[5]

The federal agency shift on sex discrimination: from biological sex to gender identity

In the years prior to the enactment of the ACA, courts reached opposite conclusions as to whether Title IX and comparable sex discrimination laws, such as Title VII, prohibit discrimination based on gender identity.[6] With the enactment of the ACA and Section 1557, suits began to be brought against health plans and providers claiming that refusal to treat or cover services for transgender persons based on their gender identity constituted sex discrimination. In one early Section 1557 decision from 2015, Rumble v. Fairview Health Services, a district court held that Section 1557 does provide a cause of action for discrimination based on gender identity.[7]
Continue Reading Waiting for the Supremes: High Court’s Decision in Gloucester County to Determine Validity of ACA Section 1557 Gender Identity and Transgender Services Rules

On December 31, 2016, in Franciscan Alliance v. Burwell, Case No. 7:16-cv-00108-O, the District Court for the Northern District of Texas issued a nationwide injunction finding that portions of the U.S. Department of Health & Human Services, Office for Civil Rights’ (OCR) Final Rule for ACA Section 1557 violated the Administrative Procedure Act and cannot be enforced. The case was brought by eight States, three private healthcare providers and the Christian Medical & Dental Society.

U.S. District Court Judge Reed O’Connor found that OCR’s interpretation of Section 1557 to prohibit discrimination against transgender persons wrongly construed both Title IX and Section 1557. He found that these statutes only prohibit discrimination on the basis of biological sex. He also found that OCR’s Final Rule failed to properly incorporate the exceptions for religious institutions and for abortion services found in Title IX – which he said Section 1557’s language was intended to incorporate. See 20 USC § 1681(a)(3); § 1688.
Continue Reading District Court Issues Nationwide Injunction on ACA 1557 Regulations on Gender Identity and Abortion

The HHS Office of Civil Rights published a new FAQ response (OCR FAQ) detailing the agency’s position that information blocking will generally violate the HIPAA Privacy and Security Rules if it affects a covered entity’s access to its own protected health information (PHI) or its ability to respond to requests for access to PHI from patients. This follows a series of similar policy documents from HHS over the past 18 months that focus on preventing business arrangements or practices that would be defined as information blocking, thereby frustrating the goal of interoperability. Specifically, according to the OCR FAQ:

  • An electronic health records (EHR) vendor or cloud provider’s actions to terminate a covered entity’s access to its own electronic PHI (ePHI) (e.g., in a payment dispute) would violate the HIPAA Privacy Rule because those actions would constitute an impermissible use of PHI.
  • An EHR vendor or cloud provider’s refusal to ensure the accessibility and usability of a covered entity’s ePHI upon demand by the covered entity or to return a covered entity’s ePHI upon termination of the agreement, in the form and format that is reasonable in light of the agreement, would violate the HIPAA Security Rule.
  • A business associate may not deny a covered entity access to the PHI the business associate maintains on behalf of the covered entity if necessary to provide individuals with access to their PHI under the HIPAA Privacy Rule.
  • A covered entity that agrees to terms within a business associate agreement (BAA) that would prevent the covered entity from ensuring the availability of its own PHI as required would not be in compliance with the HIPAA Privacy and Security Rules.

OCR has increasingly ramped up its enforcement of violations of the HIPAA Privacy and Security Rules related to noncompliant BAAs, so the new OCR FAQ signals that information blocking provisions could be the source of future enforcement actions.
Continue Reading Blocking Access to Health Information May Violate HIPAA

The Department of Health & Human Services Office of Civil Rights (“OCR”) announced on August 18, 2016 that it is stepping up enforcement actions related to small breaches. Although OCR investigates all reported breaches affecting more than 500 people, this new initiative will increase investigations of breaches affecting fewer than 500 people. As OCR recognizes,