Health Information Privacy & Security

One main principle among public health measures is to use the least restrictive method necessary to protect the population, or to do the greatest good. From the public health perspective, requiring COVID status credentials (“Credentials”) makes sense because it allows people who present a low risk to others to not be subject to unnecessary restrictions. However, implementation and use of Credentials will require careful consideration of individual privacy concerns, as well as the ethical questions related to access and additional privilege.

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that it will exercise its enforcement discretion for health care providers’ and their business associates’ noncompliance with the HIPAA rules with respect to their good faith use of online or web-based scheduling applications for scheduling COVID-19 vaccination appointments. OCR will not impose penalties for such noncompliance during the COVID-19 nationwide public health emergency.

The Department of Health and Human Services (HHS) is pushing ahead in its Regulatory Sprint to Coordinated Care with a new proposed rule, announced by HHS’ Office for Civil Rights on December 10, to modify the HIPAA Privacy Rule. This proposed rule follows HHS’ 2018 Request for Information on Modifying HIPAA Rules to Improve Coordinated Care, which sought to identify regulatory impediments to value-based care presented by HIPAA. With this proposed rule, HHS aims to “reduce burden on providers and support new ways for them to innovate and coordinate care on behalf of patients, while ensuring that [HHS] uphold[s] HIPAA’s promise of privacy and security,” according to HHS Deputy Secretary Eric Hargan. It would achieve these objectives through a variety of updates to the Privacy Rule, which we highlight in this blog post, along with initial reactions from our HIPAA privacy team.

In the inaugural episode of Mintz’s Health Law Diagnosed, Dianne Bourque (Member, Mintz Health Law Practice) discusses why HIPAA is so engrained in our collective consciousness, how it was already equipped to handle public health emergencies, and the important changes made over the last several months to address the COVID-19 outbreak.

As we discussed in our previous blog post, the Department of Health and Human Services’ Office for Civil Rights (OCR) released guidance this past June to address how health care providers could contact, in a HIPAA-compliant manner, recovered COVID-19 patients to provide them with information about donating blood and plasma to potentially help other COVID-19 patients. On August 24, OCR released an updated version of that guidance to address similar communications from health plans. The amended guidance provides that health plans may also reach out to recovered COVID-19 patients about blood and plasma donation, subject to the same restrictions applicable to health care providers.

On August 4, CMS posted a proposed rule on CY 2021 Payment Policies, which included important updates about the expansion of Medicare covered telehealth services due to the COVID-19 pandemic. Here, we cover this and other important developments related to telehealth access during the pandemic and beyond.

Late last week, the Department of Health and Human Services’ Office for Civil Rights (OCR) issued guidance aimed at “making sure misconceptions about HIPAA do not get in the way of a promising COVID-19 response,” according to OCR Director Roger Severino. That “promising response” relates to emerging evidence that plasma from recovered patients (often referred to as “convalescent plasma”) may contain antibodies to SARS-CoV-2, the virus that causes COVID-19. Those antibodies could be useful in treating individuals who are sick with COVID-19. The OCR’s guidance addresses how health care providers may contact, in a HIPAA-compliant manner, recovered COVID-19 patients to provide them with information about donating blood and plasma to potentially help other COVID-19 patients.

The ongoing COVID-19 pandemic has introduced uncertainty and unique challenges in nearly every aspect of life. During this unprecedented time, Mintz is working to keep our clients and community informed and empowered to navigate this new world. To that end, we’ve created a number of webinars on a variety of COVID-19-related topics of interest to health care industry stakeholders. In case you missed them, here’s a highlights reel of what we’ve covered so far – just click on the links below to access the webinar recordings.

Amidst the novel coronavirus (COVID-19) outbreak, the Secretary of the U.S. Department of Health and Human Services (HHS), Alex M. Azar, took steps on March 15, 2020, to waive sanctions and penalties related to certain provisions of the HIPAA Privacy Rule (the “Waiver”). However, the HIPAA Privacy Rule is not suspended, and the Waiver only applies: (1) in the emergency area identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours from the time the hospital implements its disaster protocol. To demonstrate how the Privacy Rule and Waiver provisions work in real life, let’s look at an example: A patient at a hospital reports contact with a confirmed COVID-19 diagnosis. How can this information be shared?

Artificial Intelligence is a growing part of our day-to-day life. And AI promises to improve our health care system. ML Strategies Vice President Christian Tomatsu Fjeld recently sat down with other experts for a panel discussion hosted by the San Francisco Business Times to discuss AI and some business and policy considerations across multiple industries. This viewpoint considers some of the impacts on health care specifically, and links out to the panel's discussion.

On August 22, the Substance Abuse and Mental Health Services Administration (“SAMHSA”) announced a new proposed rule (the “Proposed Rule”) amending 42 CFR part 2 (“Part 2”), which is aimed at protecting patient records created by federally funded programs for the treatment of substance use disorder (“SUD”). The Proposed Rule is aimed at alleviating these concerns within the constraints of the underlying statute, while also addressing the increasingly urgent need to streamline SUD services in light of the opioid epidemic. Here we’ll discuss some of the major changes under the Proposed Rule while highlighting the challenges that remain.

In June 2019, the Delaware Supreme Court issued a decision reaffirming a risk of director liability where there is no board-level reporting process for essential compliance matters.  The facts of the case arise from a 2015 listeria outbreak at Blue Bell manufacturing which resulted in the death of three people. The Delaware case reaffirmed the position that directors may be subject to liability if the director “(1) completely fail[ed] to implement any reporting or information system or controls, or (2) having implemented such a system or controls, consciously fail[ed] to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention.”  

There are reports that HHS plans to issue a proposed rule next month, which would again amend 42 CFR Part 2 (“Part 2”) and modify how the medical records of patients with substance abuse disorders are currently shared between providers. Part 2 amendments, especially amendments to align Part 2 with the Health Insurance Portability and Accountability Act (“HIPAA”), would be welcome news to the many stakeholders in the industry who have repeatedly voiced their concerns regarding the regulatory hurdles that surround the disclosure of drug and alcohol treatment records.

The HHS Office for Civil Rights (OCR) released a new guidance document regarding which HIPAA violations business associates (BAs) can and cannot be held directly liable for.  In the guidance, OCR states that BAs can be held directly liable for a list of 10 violations but notes that certain other violations, like the reasonable cost requirement for a patient’s access to their PHI, cannot be enforced directly by OCR against a BA.  The covered entity (CE) is still on the hook for violations of this type, however, so CEs should carefully review their BAAs to ensure that it covers requirements that don’t directly apply to BAs but are still enforceable against CEs.  Large data breaches also continue to dominate the press.

Medical Informatics Engineering, Inc. (Medical Informatics) and its wholly-owned subsidiary, NoMoreClipboard, LLC, an electronic medical record and software services provider is now liable for a combined total of $1 million to both the federal and state governments after hackers accessed approximately 3.5 million patients’ health records in 2015. The breach, reported to OCR on July 23, 2015, occurred through a compromised user ID and password. Compromised patient information included social security numbers, names, email addresses, health insurance policy information, addresses, dates of birth, and clinical information.

The adoption of connected medical devices and the Internet of Medical Things (IoMT) has both enhanced the quality of patient care and increased the vulnerability of health care organizations. Sophisticated cyberattacks on hospitals and health systems threaten patient safety and impose substantial financial costs.

On June 28, 2018, California passed the California Consumer Privacy Act (CCPA) and then further amended it on September 23, 2018. CCPA breaks new state law privacy ground, and this post addresses some of the confusion surrounding the exemptions for health information.

AltaMed Health Services (AltaMed) and California Physicians Services (doing business as Blue Shield of California (BSC)) recently received notice from their business associate, Sharecare Health Data Services (SHDS), of a hack of SHDS’s network that stores patients’ medical records.  The hacker was able to acquire and/or access patients’ protected health information (PHI) contained in the medical records kept by SHDS on behalf of AltaMed and BSC. The breach of AltaMed’s data was discovered on June 22, 2018, and the breach for BSC was discovered a few days later on June 26, 2018. Upon investigation, however, officials determined that both breaches went undetected for over a month and actually began on May 21, 2018.

Today, we’re looking back at HIPAA and other privacy and security developments in 2018.  This past year saw continued HIPAA enforcement (including the largest ever fine for a HIPAA breach), reminders from the OCR on best practices for HIPAA compliance, and updates to state and international privacy and security laws.  We’ll also look ahead to 2019, which could bring several significant changes to HIPAA, such as reducing the burdens for sharing patient information in order to promote care coordination and better patient outcomes.

It has been a busy few weeks for HIPAA enforcement. On Tuesday, the Office for Civil Rights announced its third resolution of a HIPAA breach in as many weeks. In this latest matter, OCR announced that Pagosa Springs Medical Center (PSMC), a critical access hospital in Colorado, has agreed to both pay $111,400 to the Office for Civil Rights (OCR) as well as adopt a comprehensive, two-year corrective action plan (CAP) to address and settle potential HIPAA violations.