HIPAA

HHS Proposed Rule Aligns Regulation on Confidentiality of Substance Use Disorder Treatment Records with HIPAA

Kathie McDonald-McClure data breach; notification, Data Privacy & Security, Health Information Technology, HIPAA , , , , , , , ,

by Kathie McDonald-McClure

On November 28, 2022, the Secretary for the United States Department of Health & Human Services (HHS) released a Proposed Rule to amend the requirements in Title 42, Part 2, on confidentiality of substance use disorder (SUD) patient records in federally assisted Part 2 Programs.  Part 2 protects the confidentiality of SUD patient records (which generally include alcoholism, alcohol abuse, and drug abuse treatment and prevention records) by restricting the circumstances under which Part 2 Programs or other lawful holders can disclose such records.

Section 3221 of the CARES Act of 2020, enacted by Congress on March 27, 2020, in response to the COVID-19 pandemic, in effect, had amended Title 42, Part 2, to align it with HIPAA but also required HHS to implement these amendments in the Part 2 regulation through the rule-making process. The 260-page Proposed Rule, in sum, would incorporate requirements and definitions from the HIPAA rules into the 40-year-old Part 2 regulation, including HIPAA’s consent, disclosure, de-identification, unsecured PHI and breach notification requirements, as well as HIPAA penalties for noncompliance.

Part 2 Compliance Challenges. For years, providers who are subject to both HIPAA and Part 2’s separate privacy requirements for SUD records have had to grapple with identifying and segregating SUD records that are subject to Part 2 from records that are subject only to HIPAA. In the Proposed Rule, HHS acknowledges that this has contributed to ongoing operational and compliance challenges for providers. HHS notes several examples of this challenge, including the following:  

For example, once a HIPAA covered entity or business associate disclosed PHI to a person who was not a covered entity or business associate, the information was no longer protected by the Privacy Rule, and thus the Privacy Rule’s limitations on uses and disclosures did not apply. In contrast, Part 2 strictly limited the re-disclosure of Part 2 records by any individual or entity that received a Part 2 record directly from a Part 2 program or other “lawful holder” of patient identifying information, absent written patient consent or as otherwise permitted under the regulations.

(Proposed Rule, pp. 19-20.)

SUD Treatment De-Stigmatization & Coordination. HHS additionally notes that the continued segregation of Part 2 Program SUD records sets these records apart in ways that perpetuate the stigma surrounding a person with SUDs.

Prior to passage of the CARES Act, Congressional hearings on the Opioid Crisis had already highlighted the need for HHS to promulgate regulations modifying the confidentiality requirements for Part 2 records to align with HIPAA. Testimony before Congress was that SUD records were being withheld in ways that inhibit care coordination between providers of a person’s mental health and physical health, conditions that are inextricably linked. In the HHS Announcement of the Proposed Rule, Secretary Becerra says, “This proposed rule would improve coordination of care for patients receiving treatment while strengthening critical privacy protections to help ensure individuals do not forego life-saving care due to concerns about records disclosure.” 

Summary of Changes. Some of the most significant changes would include:

Continue reading

OCR Issues Guidance on HIPAA, COVID-19 Vaccination and the Workplace

Margaret Young Levi HIPAA, Privacy & Security , ,

By: Margaret Young Levi

On September 30, 2021, the Office for Civil Rights (OCR) issued welcome guidance concerning when the Health Insurance Portability and Accountability Act of 1996 (HIPAA) applies to disclosures and requests for information about whether a person has received a COVID-19 vaccine—and when it does not apply.

The guidance aims to clear up misperceptions about who can ask questions about vaccination. In general, OCR reminds that HIPAA only applies to HIPAA covered entities, such as health care providers (physicians, hospitals, etc.) and health plans, and it does not apply to employers or employment records. The guidance addresses common workplace situations, provides helpful examples, and answers frequently asked questions for HIPAA covered entities, businesses, and the public.

HIPAA does not prohibit businesses, individuals, or HIPAA covered entities from asking whether their customers or clients have received a COVID-19 vaccine. HIPAA does not prohibit any person, whether an individual or a business or a HIPAA covered entity, from asking individuals whether they have received a COVID-19 vaccine. First, OCR makes it clear that HIPAA only applies to HIPAA covered entities, and it does not apply to other individuals or entities. Second, even though HIPAA regulates how and when HIPAA covered entities may use or share information about COVID-19 vaccinations, it does not limit the ability of covered entities to ask patients or visitors whether they have been vaccinated.

The guidance clarifies that HIPAA does not apply when an individual:

  • Is asked about their vaccination status by a school, employer, store, restaurant, entertainment venue, or another individual.
  • Asks another individual, their doctor, or a service provider whether they are vaccinated.
  • Asks a company, such as a home health agency, whether its workforce members are vaccinated.
Continue reading

HITECH Act Amendment: Using “Recognized Security Practices” May Lead to More Favorable HHS Review and Reduced Fines After Data Breach

Kathie McDonald-McClure Data Privacy & Security, HIPAA, HITECH Law , , , , ,

by Margaret Young Levi and Kathie McDonald-McClure

Congress amended the Health Information Technology for Economic and Clinical Health Act (HITECH Act) on January 5, 2021.  This Amendment requires the U.S. Department of Health and Human Services (HHS) to favorably consider whether covered entities and business associates have implemented specific security measures when making decisions regarding penalties and audits under the Health Insurance Portability and Accountability Act (HIPAA). 

Specifically, the Amendment mandates HHS to “consider whether the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place” when HHS is making decisions to (1) decrease fines, (2) decrease the length and extent of an audit or terminate an audit, and (3) mitigate other remedies with respect to resolving potential violations of the HIPAA Security Rule. 

Continue reading

Audio-Video Conferencing Risks and Tips for Healthcare Providers

Kathie McDonald-McClure Cyber Security and Cyber Crime, Data Privacy & Security, HIPAA , , , , ,

by Margaret Young Levi and Kathie McDonald-McClure

Federal and state governments have relaxed restrictions on telehealth to encourage and empower medical providers to serve patients at home during the novel coronavirus (COVID-19) national public health emergency (PHE). Both medical providers and patients have embraced this new way of connecting due to its convenience and, as a result, the expanded use of telehealth is likely here to stay.  The use of audio and video conferencing for patient care, while convenient, risks an unauthorized disclosure of sensitive information if it is used without due regard for whether the connections are secure. 

Following expansion by the U.S. Department of Human Health Services’ Office for Civil Rights (OCR) and the Centers for Medicare and Medicaid Services (CMS) of federal telehealth services and relaxation of certain requirements during the COVID-19 PHE, Kentucky Medicaid followed suit.  See our previous post about Kentucky Medicaid’s expansion of coverage for telehealth. 

OCR Relaxes HIPAA enforcement for telehealth during COVID-19 PHE.  OCR, the agency responsible for enforcement of HIPAA, issued guidance on its enforcement discretion with regard to certain telehealth practices under HIPAA.  This guidance makes it clear that OCR will not enforce penalties for the use of technology that is not HIPAA compliant, when used in the good faith provision of telehealth services.

Under this Notice, covered health care providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 PHE. 

Continue reading

Kentucky Medicaid Further Expands Telehealth Coverage

WyattLLP Data Privacy & Security, Health Information Technology, HIPAA , , , , ,

By Lindsay K. Scott

Following expansion by the Department of Human Health Services’ Office for Civil Rights (“OCR”) and the Centers for Medicare and Medicaid Services (“CMS”) of federal telehealth services and relaxation of certain requirements, Kentucky Medicaid is following suit.

On March 17, 2020, the Centers for Medicare and Medicaid Services published guidance expanding the use of telehealth and relaxing restrictions on its use. The Office for Civil Rights, the agency responsible for enforcement of HIPAA, followed up with guidance making it clear that it will not enforce penalties for the use of technology that is not HIPAA compliant, when used in the good faith provision of telehealth services:

Under this Notice, covered health care providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency.  Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.

Continue reading