Health Information Privacy & Security

Viewpoints

As promised in the U.S. Department of Health and Human Services (HHS) concept paper in December 2023, the agency published voluntary health care and public health cybersecurity performance goals (HPH CPGs) in January 2024 and then proposed in the HHS FY 2025 Budget to establish certain HPH CPG compliance incentives and penalties for hospitals.
The U.S. Department of Health and Human Services (HHS) released a concept paper on December 6, 2023 outlining its action plan to enhance cyber resiliency in the health care sector by proposing certain voluntary cybersecurity actions and standards that may ultimately become requirements. For health care organizations such as hospitals, “cyber resiliency” generally means how organizations anticipate, operate during, respond to, and recover from cyber attacks such as ransomware attacks, cloud exploitations, phishing or spear-phishing attacks, software and zero-day vulnerabilities, or distributed denial of service attacks.
In coordination with the Centers for Medicare & Medicaid Services (CMS), the Department of Health and Human Services (HHS) and Office of the National Coordinator for Health Information Technology (ONC) proposed a much-anticipated framework to establish and manage “appropriate disincentives” for health care providers under the Information Blocking Rules. As described in more detail in the blog post, the proposed rule (Appropriate Disincentives Proposed Rule) includes proposed disincentives for (i) hospitals and critical access hospitals (CAHs) participating in the Medicare Promoting Interoperability Program; (ii) health care providers eligible for Merit-Based Incentive Payment System (MIPS) adjustments; and (iii) health care providers participating in the Medicare Shared Savings Program (MSSP).
The Office for Civil Rights (OCR) recently offered covered entities and business associates (Regulated Entities) not-so-subtle reminders in its October 2023 Cybersecurity Newsletter that effective sanction policies can encourage HIPAA compliance. Regulated Entities are required by HIPAA to implement sanction policies in which they impose “appropriate sanctions” against their respective workforce members who fail to comply with the Privacy Rule or Security Rule, the Regulated Entity’s privacy policies and procedures, and/or the Regulated Entity’s security policies and procedures, as applicable. These sanction policies are important administrative safeguards meant to ensure there are objective, documented consequences for HIPAA non-compliance among workforce members. The recent proliferation of social engineering attacks and increasingly sophisticated nature of external cybersecurity threats in health care underscore the importance of Regulated Entities consistently reviewing and applying sanction policies.

California Legislative Update: Reproductive and Gender Affirming Care Rights and Protections

October 11, 2023 | Blog | By Lara Compton, Kathryn Edgerton, Daniel Cody

Governor Gavin Newsom recently signed multiple bills into law as part of California’s ongoing efforts to safeguard access to reproductive and gender affirming health care. The new laws are intended to increase protections for health care providers and patients, increase health care provider availability, and improve patient privacy. In a recent press release, California Legislative Women’s Caucus Vice Chair Assemblymember Cecilia Aguiar-Curry noted: “Last year, we enacted 14 bills and budget funding to expand and protect reproductive rights and services in our state. This year, we build on that momentum with legislation that ensures California remains a national leader in the fight for reproductive justice.”
Though there has been much speculation and commentary among industry stakeholders, the Office of Inspector General (OIG) and the Office of the National Coordinator for Health Information Technology (ONC) have not yet begun enforcing statutory penalties associated with violations of the Information Blocking Rules. On July 3, 2023, OIG and the Department of Health and Human Services (HHS) took a significant step toward enforcement of these penalties when they published the long-awaited civil monetary penalty (CMP) final rule (CMP Final Rule) for certain Information Blocking Actors in the Federal Register.

My Health, My Data! Washington State Enacts Broad Health Data Privacy Protection Law

May 24, 2023 | Blog | By Lara Compton, Kathryn Edgerton, Adam B. Korn

Washington greatly expanded the protection for consumers’ identifiable health information by enacting the “My Health My Data Act” (MHMDA), in an effort to close the gap between HIPAA protections and the laws protecting the privacy and security of other consumer health care data. While MHMDA resembles the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA) and the Illinois Biometric Information Privacy Act (BIPA), it broadly applies to health information outside of traditional health care settings. Regulated Entities should consider undertaking additional steps that we outline now to prepare for the March 31, 2024, and June 30, 2024 (small businesses) compliance deadlines.

Protecting Health Information Post Roe – Part 2: Steps for Health Care Providers

July 21, 2022 | Blog | By Cynthia Larose, Dianne Bourque

In this second of our two-part blog series on protecting health information post Roe, we discuss legal and practical strategies that health care providers can take to protect the information of their patients. State laws that restrict or criminalize abortions will require significant amounts of health information to enforce, putting new pressure on health care providers caught in the middle of competing obligations to their patients and to regulatory and law enforcement authorities making lawful requests for this information.

Webinar Recording: Health Care Enforcement Year in Review & 2022 Outlook

February 16, 2022 | Webinar | By Grady Campion, Randy Jones, Samantha Kingsbury, Karen Lovitch, Kevin McGinty

In our annual webinar, Mintz’s Health Care Enforcement Defense team reviewed the key health care fraud enforcement developments and trends from 2021, assessed their likely impact in 2022, and provided recommendations to avoid government scrutiny.

California’s Senate Bill 41: The Genetic Information Privacy Act

October 19, 2021 | Blog | By Stephnie John, Lara Compton

Our previous blog post on pending California privacy legislation included a prediction that has since materialized: Governor Newsom signed the Genetic Information Privacy Act (“GIPA”) on October 6, 2021, and the law will go into effect on January 1, 2022. GIPA establishes a number of mechanisms to close the existing gap in the protection of genetic information under the current framework of federal and state privacy laws. As discussed in our earlier post, GIPA contains a robust penalty structure, but it includes a number of carve-outs and does not apply to entities already subject to regulation under other health information privacy laws. Notably, GIPA does not reduce or eliminate obligations under other laws, including California’s more broadly applicable consumer privacy laws, such as the CCPA and breach notification statute, as recently amended by AB 825. Given Governor Newsom’s former concern about GIPA’s interference with mandatory COVID-19 testing reporting, the law also does not apply to tests that are conducted exclusively to diagnose whether an individual has a specific disease.

California Health Privacy Information Legislation Update

September 22, 2021 | Blog | By Lara Compton, Stephnie John

When it comes to the privacy of health information, California belongs to the select group of states that have implemented broad consumer privacy protections above and beyond those provided by the federal Health Insurance Portability and Accountability Act (HIPAA) and the Federal Trade Commission Act (FTCA). This year, the state’s ongoing legislative efforts to protect the health information of its residents included Assembly Bill 1436 (AB 1436), which if enacted would have revised California’s existing Confidentiality of Medical Information Act (CMIA), and Senate Bill 41 (SB 41), which if enacted will create the new Genetic Information Privacy Act (GIPA). As further discussed below, only SB 41 is moving forward, and if signed by Governor Newsom, GIPA will go into effect on January 1, 2022.