On June 12, 2020, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), issued guidance confirming HIPAA permits a covered healthcare provider (Provider) to use protected health information (PHI) to identify and contact recovered COVID-19 patients to inform them of how they can donate their blood and plasma.  As background, HIPAA

Two new federal rules will make it easier for consumers to access, use and transmit their personal healthcare information using an app on their smartphone or tablet.  The regulations implement prior legislation and advance the current Administration’s intent to empower patients to be better consumers and transform the healthcare industry.

The two final rules were released on March 9 by the Department of Health and Human Services (DHHS):  from the Office of the National Coordinator for Health Information Technology (ONC), the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program final rule; and, from the Centers for Medicare and Medicaid Services (CMS), the final rule on Interoperability and Patient Access.
Continue Reading New Rules Promotes Patient Access to Personal Healthcare Information

On April 8, 2020, the U.S. Department of Health & Human Services (HHS) Office of the Assistant Secretary for Health released guidance authorizing pharmacists to order and administer COVID-19 tests.  Immediately following this guidance, on April 9, 2020, the HHS Office of Civil Rights (OCR) announced that it will exercise its enforcement discretion and will refrain from imposing penalties for violations of HIPAA for covered entities or business associates participating, in good faith, in the operation of COVID-19 Community-Based Testing Sites (CBTS) during the nationwide public health emergency.  The guidance regarding pharmacists testing for COVID-19 and the notice related to the relaxation of HIPAA rules comes on the heels of pharmacies, such as CVS and Walgreens, taking on a more active and critical role in the fight against the COVID-19 pandemic.
Continue Reading OCR to Waive Penalties for Community-Based COVID-19 Testing Sites

On March 17, 2020, the Department of Health and Human Services, Office of Civil Rights (OCR) issued guidance related to how Covered Entities can comply with HIPAA and the Privacy Rule and still disclose protected health information (PHI) about individuals infected with or exposed to COVID-19 to law enforcement, paramedics, other first responders, and public health authorities (Essential Providers).
Continue Reading OCR Issues Guidance Related to Disclosures to Law Enforcement, Paramedics, Other First Responders and Public Health Authorities for COVID-19 Related Purposes

Husch Blackwell’s Wakaba Tessier and Erica Ash have published a post on Husch Blackwell’s Byte Back privacy blog detailing a new announcement from the Office of Civil Rights of the U.S. Department of Health and Human Services that relaxes the HIPAA Security Rule in response to the COVID-19 crisis, expanding on our previous discussion on

With the New Year underway, the deadline is quickly approaching for HIPAA covered entities to file their annual breach reports with the U.S. Department of Health & Human Services Office for Civil Rights (“OCR”).

While breaches involving 500 or more individuals must be reported no later than 60 calendar days from the date of discovery,

cellphone137457731Today kicks-off one of Austin’s largest and best-known events, the South by Southwest Interactive Conference. In the spirit of Husch Blackwell’s involvement in several aspects of the conference, this post will touch on emerging health technology and pushing the limits of HIPAA.

New technology is being developed to be used in healthcare settings on a

dataLocks148650499Backing up electronic health record data may become an important aspect of complying with and mitigating risk under the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) if the U.S. Health and Human Services Office of Civil Rights (OCR) heeds legislators’ recommendations.
Continue Reading Congress’ suggestions for ransomware treatment under HIPAA

Image copyright Catherine Lane 2015My New Year’s resolutions will likely be broken early and often in 2016. My consequences are mostly non-monetary: a few more pounds, a little less savings, and not winning the triathlon in my age group. Your consequences, as a HIPAA-covered entity or business associate, for not complying with the Privacy and Security Rules could be much greater, and could put you into serious debt to the HHS Office of Civil Rights (OCR). Therefore, we propose that you resolve now to become fully HIPAA compliant in 2016.

OCR delivered an early holiday gift, wrapped in the Director’s Sept. 23, 2015, report to the Office of Inspector General. In that report, she disclosed that OCR will launch Phase 2 of its HIPAA audit program in early 2016, focusing on noncompliance issues for both covered entities and business associates.

So, grab that cup of hot cocoa and peruse this review of 2014-2015 HIPAA enforcement actions, which should help identify noncompliance issues on which OCR will focus in 2016.
Continue Reading HIPAA compliance: another year older, but hopefully not deeper in debt