HIPAA and Health Information

This post was co-authored by Yelena Greenberg, a member Robinson+Cole’s Health Law Group.

On February 8, 2024, the U.S. Department of Health and Human Services (HHS) issued a final rule (Final Rule) updating federal “Part 2” regulations to more closely align the requirements applicable to substance use disorder (SUD) treatment records with

On April 12, 2023, the U.S. Department of Health & Human Services (HHS) released a Notice of Proposed Rulemaking (Proposed Rule) that seeks to enhance safeguards of reproductive health care information through changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. The proposal is intended to align with President Biden’s Executive Order

On November 28, 2022, the Department of Health and Human Services (HHS) issued a proposed rule to modify the confidentiality protections of Substance Use Disorder (SUD) patient treatment records under 42 CFR Part 2 (Part 2) to implement statutory amendments passed under Section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act (42

On August 23, 2022, the Office for Civil Rights (OCR) issued a press release announcing that it had settled with New England Dermatology, P.C. (NED) for $300,640 “over the improper disposal of protected health information.”

The OCR’s investigation began after NED submitted a breach report stating that

“empty specimen containers with protected health information on

In the U.S. District Court for the Central District of California last week, SuperCare Health, Inc. was hit with another proposed class action based on a data breach that allegedly compromised the personal and health information of over 300,000 current and former patients. SuperCare Health is a respiratory-care provider.

Lead plaintiff, Hamid Shalviri, alleges that

In general, both state and federal laws apply to health information or protected health information that is in the possession of hospitals, health systems, and medical providers.

HIPAA requires that covered entities protect the confidentiality and integrity of protected health information in their possession and secure it from unauthorized access, use, or disclosure. In addition,

HIPAA requires covered entities and business associates to report to the Office for Civil Rights (OCR) all breaches of unsecured protected health information when the incident involves fewer than 500 individuals no later than 60 days following the calendar year in which the breach occurred.

This year, the deadline for reporting breaches that occurred in