The pandemic of 2020 tested the mettle of our nation’s healthcare system in many unexpected and profound ways. As healthcare delivery was being rapidly restructured to accommodate COVID-19 diagnosis and treatment and socially-distanced care, bad actors simultaneously began to exploit the increased number of vulnerabilities in health information systems created by telehealth platforms, patient portals and the inattention of stressed, overworked staff. The result was an unprecedented number of cyberattacks culminating in an alert from the Cybersecurity and Infrastructure Security Agency (CISA) on October 28, 2020 addressing the plague of ransomware activity targeting the healthcare and public health sector.

On December 10, 2020, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) released a proposed rule that would revise the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

In its news release, OCR noted that the changes “seeks to promote value-based health care by examining federal regulations that impede efforts among healthcare providers and health plans to better coordinate care for patients.”  The proposed changes come on the heels of the recently delayed Information Blocking Rule, which seeks to prohibit interferences with access, exchange, or use of electronic health information (EHI).   The key proposed changes are discussed below.

The Centers for Medicare and Medicaid (CMS) expanded Medicare reimbursement for telehealth within the annual Physician Fee Schedule (PFS) final rule for 2021. During the pandemic Public Health Emergency (PHE), CMS has temporarily reimbursed many telehealth services. In light of the success of unprecedented telehealth utilization during the PHE, more than 60 services have been formally added to the Medicare telehealth list which will endure beyond the end of the PHE.

With all that 2020 has brought, the Information Blocking Rule that came out of the Cures Act was under the radar of many hospices. Thankfully, HHS extended the compliance date for the Rule to April 5, 2021, from November 2, 2020. With this additional time, hospices need to evaluate how they will achieve compliance; what

On October 29, 2020, HHS extended the effective date of compliance for the “Information Blocking” final rule promulgated as part of the 21st Century Cures Act (Information Blocking Rule). The Information Blocking Rule, which was set to take effect on November 2, 2020, prohibits health care providers, IT developers, and health information exchanges from unreasonably interfering with the access, exchange, or use of electronic health information (EHI). We previously discussed the practice of information blocking and the eight exceptions in our blog post Information Blocking: Ready or Not, Here it Comes!.

The combination of a significant increase in COVID-19 cases, political tensions in the final days of a national election season, and law enforcement’s focus on election security created an opportunity for cybercriminals to target the computer networks of America’s healthcare and public health (HPH) sector. That opportunity has come to fruition this week.

On October 28, 2020 the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) published Alert AA20-302A (Alert) describing ransomware activity that has targeted the HPH sector. In the Alert, CISA, FBI and HHS assess that cybercriminals are targeting the HPH sector with TrickBot and BazarLoader malware, which are frequently followed by ransomware attacks, data theft, and disruption of healthcare services.

On April 8, 2020, the U.S. Department of Health & Human Services (HHS) Office of the Assistant Secretary for Health released guidance authorizing pharmacists to order and administer COVID-19 tests.  Immediately following this guidance, on April 9, 2020, the HHS Office of Civil Rights (OCR) announced that it will exercise its enforcement discretion and will refrain from imposing penalties for violations of HIPAA for covered entities or business associates participating, in good faith, in the operation of COVID-19 Community-Based Testing Sites (CBTS) during the nationwide public health emergency.  The guidance regarding pharmacists testing for COVID-19 and the notice related to the relaxation of HIPAA rules comes on the heels of pharmacies, such as CVS and Walgreens, taking on a more active and critical role in the fight against the COVID-19 pandemic.

On March 27, 2020, President Trump signed the Coronavirus Aid, Relief and Economic Security Act (the CARES Act) into law. Section 3221 of the CARES Act ratified fundamental changes to the Public Health Service Act, codified at 42 U.S.C. § 290dd-2 and associated regulations, which govern the confidentiality requirements of substance use disorder records, commonly known as 42 C.F.R. Part 2, or simply, “Part 2.” Substance use disorder (SUD) records are defined broadly as “[r]ecords of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance abuse education, prevention, training, treatment, rehabilitation, or research.” The changes are significant and align with the increasing movement to align the Part 2 rules with the Health Insurance Portability and Accountability Act (HIPAA). The CARES Act requires the Department of Health and Human Services (HHS) to revise the Part 2 regulations within 12 months to comply with the CARES Act.

On March 17, 2020, the Department of Health and Human Services, Office of Civil Rights (OCR) issued guidance related to how Covered Entities can comply with HIPAA and the Privacy Rule and still disclose protected health information (PHI) about individuals infected with or exposed to COVID-19 to law enforcement, paramedics, other first responders, and public health authorities (Essential Providers).

With the New Year underway, the deadline is quickly approaching for HIPAA covered entities to file their annual breach reports with the U.S. Department of Health & Human Services Office for Civil Rights (“OCR”).

While breaches involving 500 or more individuals must be reported no later than 60 calendar days from the date of discovery,