For years, law enforcement has bypassed traditional means of securing evidence by informal requests for documents from witnesses of crimes. At some point, that practice bled over into informal requests for healthcare providers’ documents, including documents reflecting protected health information (PHI). Healthcare providers, for the most part, have complied with these informal requests because, as the logic goes, law enforcement couldn’t possibly prosecute me for complying with law enforcement, right? Isn’t that entrapment?

This cooperative, well-intentioned practice by healthcare providers now appears to be drawing scrutiny from Congress. On December 12, 2023, members of Congress sent a letter to Health & Human Services Secretary Xavier Becerra announcing the results of a Congressional inquiry into the practice of pharmacies handing over patient information without legal process. In the face of that new scrutiny, which is sure to extend beyond pharmacies to all healthcare providers, what are healthcare providers to do when asked for PHI through informal means?Continue Reading Should Healthcare Providers Give Law Enforcement Protected Health Information When Informally Requested? Congress Says No.

In today’s episode of our Hospice Privacy Series, Husch Blackwell’s Meg Pekarske is joined by colleagues Wakaba Tessier and Erin Burns, who share insights on the ins and outs of HIPAA breaches. They break down what a HIPAA breach really is, the types of breaches most often experienced by hospices and what to do when you think you have discovered a breach.
Continue Reading Privacy Series: HIPAA Breaches – When It Is, and When It Is Not a Breach

Since last year, the Husch Blackwell privacy attorneys have been working with various healthcare providers—from hospitals to hospices, to independent physician groups—to comply with the Information Blocking rule (the Rule) implemented by the Office of the National Coordinator for Health Information Technology (ONC) as part of the 21st Century Cures Act.  Recently, Education clients have been asking, “We’re a university – does the Information Blocking rule apply to our student health center?”  We discuss the answer to that question, along with practice tips, in this blog post.
Continue Reading Information Blocking: College & University Student Health Centers – Does the Rule Apply to Us?

On May 1, 2020, the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology (ONC) released its final rule (Final Rule) on “Information Blocking” as part of the 21st Century Cures Act. The Final Rule applies to the following (ONC refers to each one as an “Actor”): (i) healthcare providers, (ii) health IT developers subject to ONC’s Health IT Certification Program, (iii) health information networks (HIN) or (iv) health information exchanges (HIE). With the initial enforcement date fast approaching (November 2), we explain the rule below.
Continue Reading Information Blocking: Ready or Not, Here it Comes!

On June 12, 2020, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), issued guidance confirming HIPAA permits a covered healthcare provider (Provider) to use protected health information (PHI) to identify and contact recovered COVID-19 patients to inform them of how they can donate their blood and plasma.  As background, HIPAA

Two new federal rules will make it easier for consumers to access, use and transmit their personal healthcare information using an app on their smartphone or tablet.  The regulations implement prior legislation and advance the current Administration’s intent to empower patients to be better consumers and transform the healthcare industry.

The two final rules were released on March 9 by the Department of Health and Human Services (DHHS):  from the Office of the National Coordinator for Health Information Technology (ONC), the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program final rule; and, from the Centers for Medicare and Medicaid Services (CMS), the final rule on Interoperability and Patient Access.
Continue Reading New Rules Promotes Patient Access to Personal Healthcare Information

On April 8, 2020, the U.S. Department of Health & Human Services (HHS) Office of the Assistant Secretary for Health released guidance authorizing pharmacists to order and administer COVID-19 tests.  Immediately following this guidance, on April 9, 2020, the HHS Office of Civil Rights (OCR) announced that it will exercise its enforcement discretion and will refrain from imposing penalties for violations of HIPAA for covered entities or business associates participating, in good faith, in the operation of COVID-19 Community-Based Testing Sites (CBTS) during the nationwide public health emergency.  The guidance regarding pharmacists testing for COVID-19 and the notice related to the relaxation of HIPAA rules comes on the heels of pharmacies, such as CVS and Walgreens, taking on a more active and critical role in the fight against the COVID-19 pandemic.
Continue Reading OCR to Waive Penalties for Community-Based COVID-19 Testing Sites

On March 17, 2020, the Department of Health and Human Services, Office of Civil Rights (OCR) issued guidance related to how Covered Entities can comply with HIPAA and the Privacy Rule and still disclose protected health information (PHI) about individuals infected with or exposed to COVID-19 to law enforcement, paramedics, other first responders, and public health authorities (Essential Providers).
Continue Reading OCR Issues Guidance Related to Disclosures to Law Enforcement, Paramedics, Other First Responders and Public Health Authorities for COVID-19 Related Purposes

Husch Blackwell’s Wakaba Tessier and Erica Ash have published a post on Husch Blackwell’s Byte Back privacy blog detailing a new announcement from the Office of Civil Rights of the U.S. Department of Health and Human Services that relaxes the HIPAA Security Rule in response to the COVID-19 crisis, expanding on our previous discussion on

With the New Year underway, the deadline is quickly approaching for HIPAA covered entities to file their annual breach reports with the U.S. Department of Health & Human Services Office for Civil Rights (“OCR”).

While breaches involving 500 or more individuals must be reported no later than 60 calendar days from the date of discovery,