At the close of 2024, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (the Proposed Rule) to amend the Security Rule regulations established for protecting electronic health information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The updated
HIPAA and Health Information
Massachusetts Supreme Court Rules Online Tracking Technologies Do Not Violate State Wiretap Law
In a highly anticipated decision on an issue facing courts across the country, the Massachusetts Supreme Judicial Court held in late October that Massachusetts hospitals’ use of online tracking technologies that collect and transmit browsing activities of website visitors does not violate the Massachusetts Wiretap Law.
The Court determined that online interactions between visitors and…
OCR Active with Settlements and Enforcement Actions in November and Early December
The Office for Civil Rights of the Department of Health and Human Services (OCR) was busy negotiating and settling enforcement actions in November and early December. Since October 31, 2024, the OCR has settled five separate cases of alleged HIPAA violations. The settlements include resolution agreements and civil monetary penalties.
One of the settlements and…
OCR Settles Fourth Ransomware Investigation
The Office for Civil Rights of the Department of Health and Human Services (OCR) announced on September 26, 2024, that it had entered a settlement with Cascade Eye and Skin Centers (together, Cascade) for $250,000 following an investigation of a ransomware attack against them.
This is the fourth settlement against a victim of a ransomware…
HHS Drops Appeal of Tracking Technology Case
Last year, the American Hospital Association (AHA) sued the U.S. Department of Health and Human Services (HHS) in the U.S. District Court of the Northern District of Texas, requesting that HHS be barred from enforcing a new rule adopted by the Office for Civil Rights entitled “Use of Online Tracking Technologies by HIPAA Covered Entities…
OCR Issues Final Rule for Reproductive Privacy
The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) recently issued its Final Rule to modify HIPAA “to support reproductive health care privacy.” The Final Rule is in response to Executive Order 14076, where President Biden directed HHS to take actions to protect reproductive health information following Dobbs v.
HHS Finalizes Updates to “Part 2” Regulations to Align Disclosure Rules with HIPAA and Promote More Coordinated Substance Use Disorder Care
This post was co-authored by Yelena Greenberg, a member Robinson+Cole’s Health Law Group.
On February 8, 2024, the U.S. Department of Health and Human Services (HHS) issued a final rule (Final Rule) updating federal “Part 2” regulations to more closely align the requirements applicable to substance use disorder (SUD) treatment records with…
HHS Seeks to Strengthen Protections of Reproductive Health Information with Proposed Changes to HIPAA
On April 12, 2023, the U.S. Department of Health & Human Services (HHS) released a Notice of Proposed Rulemaking (Proposed Rule) that seeks to enhance safeguards of reproductive health care information through changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. The proposal is intended to align with President Biden’s Executive Order…
OCR Reminder: Pandemic-Era HIPAA Flexibilities Will End May 11, 2023
On April 11, 2023 – one month in advance of the end of the COVID-19 public health emergency (PHE) on May 11, 2023 – the federal Office for Civil Rights (OCR) confirmed that various Notifications of Enforcement Discretion issued under HIPAA during the PHE will expire at the end of the day on May 11…
Annual Breach Notification Deadline to OCR Looming
HIPAA requires that covered entities notify the Office for Civil Rights (OCR) of any breaches of unsecured protected health information that affects less than 500 individuals in a calendar year within 60 days following the end of the calendar year.
Therefore, all breaches that affected less than 500 individuals that occurred in 2022 and have…