On Monday, the Office for Civil Rights (“OCR”) at the U.S. Department of Health & Human Services (“HHS”) announced an enforcement action against Bayfront Health St. Petersburg (“Bayfront”) for allegedly failing to provide a mother timely access to her unborn child’s prenatal medical records. The enforcement action is noteworthy in that it marks OCR’s first
The HHS Office of Civil Rights (“OCR”) closed out the month of April with some updates to HIPAA civil monetary penalty (“CMP”) limits and clarifications to OCR’s stance on the Privacy Rule’s application to transfers of electronic protected health information (“ePHI”) to third-party applications and application programming interfaces (“APIs”).
Differential CMP Caps Based on Enforcement Discretion
Under the current HIPAA Enforcement Rule, HHS employs a four-tier level of culpability scale in line with the HITECH Act. These four tiers correspond to appropriate CMPs ranges for violations by covered entities and business associates of the HIPAA Privacy and Security Rules. These penalty tiers are adjusted for inflation pursuant to the cost-of-living formula set forth in the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015.
For instance, if a person did not know and, by exercising reasonable diligence, would not have known that the person violated the applicable HIPAA provision, the CMP range the person could be levied was $100-$50,000 for each identical violation, up to a maximum of $1.5 million for all such violations annually (before adjusted for inflation). The $1.5 million annual cap on CMPs for HIPAA violations applied across all four tiers, even though the minimum penalties for each tier increased in amount.
Since HHS began using this four-tier structure, however, there has been debate about whether the HITECH Act mandates different annual CMP caps for each of the tiers. OCR’s April 30, 2019 Federal Register Notice changes HHS’s prior position on this, and now imposes the following annual caps on CMPs for HIPAA violations:.
On Wednesday, the U.S. Department of Health and Human Services, Office for Civil Rights announced a $400,000 settlement with Metro Community Provider Network arising from MCPN’s alleged failure to implement adequate security management processes to safeguard electronic protected health information in accordance with the Health Insurance Portability and Accountability Act Security Rule. This settlement followed …
Two district courts have recently stayed cases alleging that sex discrimination under ACA Section 1557 includes discrimination on the basis of gender identity and denial of coverage for gender transition, pending the Supreme Court’s decision in G.G. v. Gloucester County School Board. The Supreme Court accepted certiorari in Gloucester in October 2016 to determine the validity of recent Department of Education Title IX guidance regarding gender identity. Briefing is currently under way. The district courts stayed the Section 1557 cases, reasoning that the Supreme Court’s decision would likely determine the validity of the Department of Health & Human Services’ Section 1557 regulations on gender identity as well.
ACA Section 1557 and Title IX rules on sex discrimination
Section 1557 (42 U.S.C. § 18116) prohibits entities that receive federal funds for health activities or programs from discriminating on the grounds prohibited by Title IX. Title IX generally prohibits discrimination on the basis of sex by recipients of federal education assistance. Title IX, however, permits federal fund recipients to set up “separate living facilities for the different sexes.” DOE and HHS regulations for Title IX, originally issued by the Department of Health, Education and Welfare, define sex in binary terms – “one sex” versus “the other sex” — and permit recipients to set up comparable but separate housing and “toilet, locker room, and shower facilities on the basis of sex.”
The federal agency shift on sex discrimination: from biological sex to gender identity
In the years prior to the enactment of the ACA, courts reached opposite conclusions as to whether Title IX and comparable sex discrimination laws, such as Title VII, prohibit discrimination based on gender identity. With the enactment of the ACA and Section 1557, suits began to be brought against health plans and providers which claimed that refusal to treat or cover services for transgender persons based on their gender identity constituted sex discrimination. In one early Section 1557 decision from 2015, Rumble v. Fairview Health Services, a district court held that Section 1557 does provide a cause of action for discrimination based on gender identity.…
On December 31, 2016, in Franciscan Alliance v. Burwell, Case No. 7:16-cv-00108-O, the District Court for the Northern District of Texas issued a nationwide injunction finding that portions of the U.S. Department of Health & Human Services, Office for Civil Right’s (OCR) Final Rule for ACA Section 1557 violated the Administrative Procedures Act and cannot be enforced. The case was brought by eight States, three private healthcare providers and the Christian Medical & Dental Society.
U.S. District Court Judge Reed O’Connor found that OCR’s interpretation of Section 1557 to prohibit discrimination against transgender persons wrongly construed both Title IX and Section 1557. He found that these statutes only prohibit discrimination on the basis of biological sex. He also found that OCR’s Final Rule failed to properly incorporate the exceptions for religious institutions and for abortion services found in Title IX – which he said that Section 1557’s language was intended to incorporate. See 20 USC § 1681(a)(3); § 1688.
The HHS Office of Civil Rights published a new FAQ response (OCR FAQ) detailing the agency’s position that generally information blocking will violate the HIPAA Privacy and Security Rules if it affects a covered entity’s access to its own protected health information (PHI) or its ability to respond to requests for access to PHI from patients. This follows a series of similar policy documents from HHS over the past 18 months that focus on preventing business arrangements or practices that would be defined as information blocking, and thereby, frustrating the goal of interoperability. Specifically, according to the OCR FAQ:
- An electronic health records (EHR) vendor or cloud provider’s actions to terminate a covered entity’s access to its own electronic PHI (ePHI) (e.g., in a payment dispute) would violate the HIPAA Privacy Rule because those actions would constitute an impermissible use of PHI.
- An EHR vendor or cloud provider’s refusal to ensure the accessibility and usability of a covered entity’s ePHI upon demand by the covered entity or to return a covered entity’s ePHI upon termination of the agreement, in the form and format that is reasonable in light of the agreement, would violate the HIPAA Security Rule.
- A business associate may not deny a covered entity access to the PHI the business associate maintains on behalf of the covered entity if necessary to provide individuals with access to their PHI under the HIPAA Privacy Rule.
- A covered entity that agrees to terms within a business associate agreement (BAA) that would prevent the covered entity from ensuring the availability of its own PHI as required would not be in compliance with the HIPAA Privacy and Security Rules.
OCR has increasingly ramped up its enforcement of violations of the HIPAA Privacy and Security Rules related to noncompliant BAAs, so the new OCR FAQ signals that information blocking provisions could be the source of future enforcement actions.
The Department of Health & Human Services Office of Civil Rights (“OCR”) announced on August 18, 2016 that it is stepping up enforcement actions related to small breaches. Although OCR investigates all reported breaches affecting more than 500 people, this new initiative will increase investigations of breaches affecting fewer than 500 people. As OCR recognizes, …
Our colleagues at Data Law Insights have written about the HHS Office of Civil Rights’ $750,000 settlement with the University of Washington Medicine (“UWM”) announced this week. This third settlement in as many weeks confirms that the security risk analysis continues to be a linchpin of OCR enforcement under the HIPAA Security Rule. Indeed, the …
Last week, the HHS Office of Civil Rights (OCR) announced a settlement that has far-reaching implications on the importance of complying with the HIPAA Security Rule where medical devices create and maintain electronic protected health information (ePHI). See Data Law Insights for a post authored by Jodi Daniel, Elliot Golding, and Stephanie Willis for more…
On September 8, 2015, the Department of Health and Human Services Office for Civil Rights promulgated proposed regulations implementing Affordable Care Act Section 1557’s anti-discrimination provisions. Section 1557 applies federal anti-discrimination laws that prohibit discrimination based on race, color and national origin, sex, disability, and age to health care programs that receive federal funds, such …