HIPAA

Deadline Approaching to Revise HIPAA Policies

Wyatt Data Privacy & Security, HIPAA , , , , , , , , , , ,

By: Margaret Young Levi

The December 23, 2024 deadline is fast approaching for HIPAA covered entities, including health care providers and health plans, to revise their HIPAA policies and procedures relating to reproductive health.

Earlier this year, the Office for Civil Rights (OCR) issued a Final Rule prohibiting the disclosure of protected health information (PHI) related to lawful reproductive health care in certain circumstances. This will require HIPAA covered entities to amend their policies and procedures, as well as their Notice of Privacy Practices (NPP). While updates to policies and procedures must be completed by December 23, 2024, the new NPP requirements will not go into effect until February 16, 2026. Some covered entities will need to amend their business associate agreements if the agreements permit an activity no longer permitted under the revised Privacy Rule.

For additional information about this Final Rule, please check out our previous article on this topic. 

Looking for assistance in this area? We regularly work with our clients regarding their policies and procedures related to compliance with HIPAA and other data privacy and security laws and regulations.  If you are looking for assistance in this area, contact Kathie McDonald-McClure at (502) 562-7526 or Margaret Levi Young at (859) 288-7469. To learn more about Wyatt’s health care, data privacy and cyber security practice, visit the following Wyatt website pages: Wyatt Data Privacy & Cyber Security and Wyatt Health Care.

Changes to the Health Breach Notification Rule Include Regulations for Health Apps

Wyatt Data Breach & Notification, Data Privacy & Security, Electronic Health Records, FTC Enforcement, Health Information Technology, HIPAA , , , , , , , , , , ,

Written by: Margaret Young Levi and Casey Parker-Bell (Wyatt Summer Associate)

Vendors who maintain personal health records will soon be subject to amended rules for notifying customers of data breaches. The Federal Trade Commission (“FTC”) has issued a Final Rule, finalizing changes to the Health Breach Notification Rule (“HBNR“) first issued in 2009 (the “2009 Rule”). The Final Rule clarifies the HBNR’s application to apps and other new technologies in the healthcare industry.

New technology, like fitness trackers and other direct-to-consumer health tech and wearable apps, have increased the amount of health data collected from consumers. There is a growing concern that some companies are disclosing or selling individuals’ personal health data for marketing and other purposes, while not subject to protections under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). “We are witnessing an explosion of health apps and connected devices, many of which aren’t covered by HIPAA, collecting vast amounts of sensitive consumer health information.” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The proposed amendments to the new rule will allow it to keep up with marketplace trends, and respond to development and changes in technology.” The FTC has announced this Final Rule to address these new technologies.

The Final Rule’s Changes to the HBNR

The HBNR requires vendors of personal health records (“PHRs”) to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured PHR identifiable health information. The HBNR also requires third-party service providers of personal health records to provide notifications. After seeking comments on proposed changes to better protect consumer who use PHRs, the FTC finalized the following changes to the HBNR:

Continue reading

New HIPAA Final Rule Supporting Reproductive Health Care Privacy Also Requires Amending Notices of Privacy Practices

Wyatt Data Privacy & Security, HIPAA, Privacy & Security , , , , , , , ,

By: Margaret Young Levi

On April 22, 2024, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced a Final Rule entitled HIPAA Privacy Rule to Support Reproductive Health Care Privacy. This Final Rule not only bolsters the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (collectively, HIPAA) by prohibiting the disclosure of protected health information (PHI) related to lawful reproductive health care in certain circumstances, but also requires HIPAA covered entities (health care providers, health plans, and health care clearinghouses) to amend their Notices of Privacy Practices (NPPs).

HIPAA and Reproductive Health Care Privacy

HHS is issuing this Final Rule because of concerns that officials in states with more extreme abortion bans, like Kentucky, will seek medical records from states where abortion is legal (or even from their own states) in order to prosecute individuals who cross state lines to seek an abortion. To prevent those medical records from being used against people for providing or obtaining lawful reproductive health care, the Final Rule prohibits the use or disclosure of PHI by a covered entity—or their business associate—for the following activities:

Continue reading

CMS Issues Updated Guidance on Texting Patient Orders

Margaret Young Levi Cyber Security and Cyber Crime, Data Privacy & Security, Electronic Health Records, Health Information Technology, HIPAA, Privacy & Security , , , , , , , , , ,

By: Margaret Young Levi

On February 8, 2024, the Centers for Medicare and Medicaid Services (CMS) issued a memorandum entitled Texting of Patient Information and Orders for Hospitals and CAHs (the 2024 Memo), which provides updated guidance to State Survey Agency Directors.  This 2024 Memo now permits the texting of patient orders among members of the hospital care team—if the texting is accomplished on a secure platform that protects the privacy and integrity of the patient information. 

This new guidance updates CMS’ previous memorandum entitled Texting of Patient Information among Healthcare Providers in Hospitals and Critical Access Hospitals (CAHs) (the 2017 Memo), which permitted texting patient information if done through a secure platform, but prohibited texting of patient orders regardless of the platform utilized.

Even though texting of patient orders through a secure platform is now permitted by CMS, that does not mean it is recommended.  CMS still prefers that providers enter their orders into the medical record via computerized provider order entry (CPOE) or even a handwritten order because of concerns about medical record retention, accuracy, privacy and security, etc. as set forth in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Medicare Conditions of Participation (CoPs), and, if applicable, The Joint Commission (TJC) standards discussed below.

Continue reading

HHS Proposed Rule Aligns Regulation on Confidentiality of Substance Use Disorder Treatment Records with HIPAA

Kathie McDonald-McClure data breach; notification, Data Privacy & Security, Health Information Technology, HIPAA , , , , , , , ,

by Kathie McDonald-McClure

UPDATE: On February 16, 2024, HHS published a Final Rule (89 Fed Reg 12472) to amend Part 2 rules on patient confidentiality of SUD records. While the Final Rule’s effective date is April 16, 2024, the deadline for compliance is February 16, 2026. Based on public comments to the Proposed Rule, HHS included further substantive modifications in the Final Rule, which HHS outlines in a Fact Sheet on the Part 2 Final Rule.

On November 28, 2022, the Secretary for the United States Department of Health & Human Services (HHS) released a Proposed Rule to amend the requirements in Title 42, Part 2, on confidentiality of substance use disorder (SUD) patient records in federally assisted Part 2 Programs.  Part 2 protects the confidentiality of SUD patient records (which generally include alcoholism, alcohol abuse, and drug abuse treatment and prevention records) by restricting the circumstances under which Part 2 Programs or other lawful holders can disclose such records.

Continue reading