On December 19, 2019, the U.S. Department of Health and Human Services (HHS) and the U.S. Department of Education (ED) issued an updated version of its “Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to Student Health Records” (the Joint Guidance, available here). Educational institutions at both the K-12 and postsecondary level can be subject to FERPA or HIPAA, and in certain circumstances, both. The Joint Guidance, which was first issued in November 2008 and has not been previously updated, seeks to assist educational institution administrators, health care professionals, and others in navigating what can be a complex intersection between FERPA and HIPAA as applied to health-related records maintained on students. It also addresses certain disclosures that are allowed without the written consent of the parent or eligible student under FERPA or without authorization under the HIPAA Privacy Rule, especially when those disclosures are related to emergency health or safety situations.
Continue reading “ED and HHS Issue Updated Joint Guidance Regarding Student Health Records Privacy”
The Department of Health and Human Services (HHS) issued a notice, effective immediately, that it is exercising its enforcement discretion in how it applies HHS regulations concerning the assessment of Civil Money Penalties (CMPs) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HHS currently applies the same annual CMP limit across four separate tiers of violations based on the level of culpability surrounding the HIPAA violation. HHS will reduce the annual CMP limit for each of the four penalty tiers, pending further rulemaking, to better reflect the text of the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Continue reading “HHS Immediately Reduces Annual Limits Across HIPAA Violations”
Health care is one of the most complex and socially impactful areas of digitalization. Ensuring cybersecurity of health care operations, therefore, is of paramount importance – because potential vulnerabilities may lead not only to financial or technical exposures, but to lapses in life-or-death situations for patients.
To assist practitioners with education and guidelines, and in pursuance of Cybersecurity Act of 2015 (Public Law 114-113), Section 405(d), the Department of Health and Human Services created a “405(d) Task Group” in May 2017, involving, more than 150 health care and cybersecurity experts. The result of their collaborative work became a voluntary guideline entitled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients,” which was released at the end of 2018.
Continue reading “HHS Task Group Releases Cybersecurity Guidelines for the Health Care Industry”
The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a $125,000 no-fault settlement and two-year corrective action plan with Allergy Associates of Hartford, P.C. (Allergy Associates) stemming from an incident involving a physician who impermissibly released protected health information (PHI) to the media.
Continue reading “Physician Provided PHI to Media When “No Comment” Would Have Sufficed”
The Department of Health and Human Services, Office for Civil Rights (OCR) announced three separate settlements with Boston Medical Center (BMC), Brigham and Women’s Hospital (BWH), and Massachusetts General Hospital (MGH), respectively, over potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule totaling $999,000. According to the settlements, the potential violations were the result of the alleged disclosure of patient protected health information (PHI) to ABC News employees during the production and filming of the docuseries called “Save My Life: Boston Trauma,” at each hospital.
Continue reading “Three Separate OCR Settlements Resulting from Hospital Failures to Obtain Patient Authorization for Use of Protected Health Information Before Filming Television Docuseries”
The Senate Health, Education, Labor and Pensions Committee recently passed the Opioid Crisis Response Act of 2018 (OCRA) – a bipartisan package of more than 40 proposals designed to help families and entire communities affected by the nation-wide opioid crisis.
Continue reading “Continued Special Privacy Treatment for Substance Use Disorder Information”