Deadline Approaching to Revise HIPAA Policies

By: Margaret Young Levi

The December 23, 2024 deadline is fast approaching for HIPAA covered entities, including health care providers and health plans, to revise their HIPAA policies and procedures relating to reproductive health.

Earlier this year, the Office for Civil Rights (OCR) issued a Final Rule prohibiting the disclosure of protected health information (PHI) related to lawful reproductive health care in certain circumstances. This will require HIPAA covered entities to amend their policies and procedures, as well as their Notice of Privacy Practices (NPP). While updates to policies and procedures must be completed by December 23, 2024, the new NPP requirements will not go into effect until February 16, 2026. Some covered entities will need to amend their business associate agreements if the agreements permit an activity no longer permitted under the revised Privacy Rule.

For additional information about this Final Rule, please check out our previous article on this topic. 

Looking for assistance in this area? We regularly work with our clients regarding their policies and procedures related to compliance with HIPAA and other data privacy and security laws and regulations. If you are looking for assistance in this area, contact Kathie McDonald-McClure at (502) 562-7526 or Margaret Levi Young at (859) 288-7469. To learn more about Wyatt’s health care, data privacy and cyber security practice, visit the following Wyatt website pages: Wyatt Data Privacy & Cyber Security and Wyatt Health Care.

Changes to the Health Breach Notification Rule Include Regulations for Health Apps

Written by: Margaret Young Levi and Casey Parker-Bell (Wyatt Summer Associate)

Vendors who maintain personal health records will soon be subject to amended rules for notifying customers of data breaches. The Federal Trade Commission (“FTC”) has issued a Final Rule, finalizing changes to the Health Breach Notification Rule (“HBNR”) first issued in 2009 (the “2009 Rule”). The Final Rule clarifies the HBNR’s application to apps and other new technologies in the healthcare industry.

New technology, like fitness trackers and other direct-to-consumer health tech and wearable apps, has increased the amount of health data collected from consumers. There is a growing concern that some companies are disclosing or selling individuals’ personal health data for marketing and other purposes, while not subject to protections under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). “We are witnessing an explosion of health apps and connected devices, many of which aren’t covered by HIPAA, collecting vast amounts of sensitive consumer health information,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The proposed amendments to the new rule will allow it to keep up with marketplace trends, and respond to development and changes in technology.” The FTC has announced this Final Rule to address these new technologies.

The Final Rule’s Changes to the HBNR

The HBNR requires vendors of personal health records (“PHRs”) to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured PHR identifiable health information. The HBNR also requires third-party service providers of personal health records to provide notifications. After seeking comments on proposed changes to better protect consumers who use PHRs, the FTC finalized the following changes to the HBNR:


Kentucky Enacts New Consumer Data Privacy Act

Written by: Margaret Young Levi, Kathie McDonald-McClure and Drayden Burton (Wyatt Summer Associate)

On April 4, 2024, Governor Andy Beshear added Kentucky to the growing list of states with comprehensive data privacy legislation by signing House Bill 15 into law. The Kentucky Consumer Data Protection Act (“KCDPA”) will become effective on January 1, 2026. The KCDPA creates rights for Kentucky consumers as well as imposes requirements on certain businesses that handle consumer data.

What rights does the KCDPA create for consumers?

The KCDPA provides “consumers,” which it defines as natural persons residing in Kentucky who are acting solely in an individual context, with a swathe of rights concerning their personal data. These rights mirror the laws of other states that have passed similar legislation. These rights include:


Office of Civil Rights Launches Privacy and Security Audits

Section 13411 of the Health Information Technology for Economic and Clinical Health Act (HITECH Act) requires the United States Department of Health & Human Services (HHS) to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. The HHS Office of Civil Rights (OCR) announced yesterday, November 8, 2011, the launch of long-expected privacy and security audits.

In our blog on July 13, 2011, we posted information concerning OCR’s hiring of contractors to conduct new periodic audits of covered entities and business associates to ensure compliance with the Privacy and Security Standards found in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as amended by the HITECH Act. Yesterday, OCR announced a pilot program to perform up to 150 audits to assess privacy and security compliance. Audits conducted during the pilot phase will begin in November 2011 and conclude by December 2012.

The initial 150 audits will focus on covered entities, and the audits will begin this month and end by December 2012. Business Associates may have a brief respite but should expect to be the target of future audits.

OCR’s stated goals of the audits are to “examine mechanisms for compliance, identify best practices and discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews.” OCR will “share best practices gleaned through the audit process and guidance targeted to observed compliance challenges.”

Covered entities will be notified in writing if selected for an audit and should be on the lookout for these notices because selected entities have only a short period of time, 10 business days, in which to respond and provide any requested information. After the initial request for information, auditors may conduct onsite audits at an organization. Covered entities will receive 30 to 90 days advance notice of an onsite visit, and auditors expect to spend three to ten days onsite reviewing records, policies and practices. Prior to an auditor’s submission of a final report to OCR, the covered entity will have an opportunity to provide written comments on the auditor’s findings.

Click here to link to OCR’s website with additional details concerning the OCR HIPAA Audit Program.