Health Information Privacy & Security

As illustrated by a recent Office for Civil Rights (OCR) settlement with a dental practice, health care entities continue to struggle with how to respond to negative online reviews while maintaining compliance with the HIPAA Privacy Rule. Given the significant reputational harm that negative reviews on Yelp and other social media and public platforms (Platforms) can create, providers may be tempted to respond to such negative comments with patient specifics in an attempt to mitigate harm to their businesses.

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) has been busy over the past month announcing new enforcement actions and settlement agreements related to violations of the Privacy Rule implemented under the Health Insurance Portability and Accountability Act (HIPAA).  OCR’s latest actions offer a reminder for HIPAA Covered Entities that Privacy Rule enforcement activity can come in a variety of types and sizes.

In this second of our two-part blog series on protecting health information post Roe, we discuss legal and practical strategies that health care providers can take to protect the information of their patients. State laws that restrict or criminalize abortions will require significant amounts of health information to enforce, putting new pressure on health care providers caught in the middle of  competing obligations to their patients and to regulatory and law enforcement authorities making lawful requests for this information.

The United States Department of Health and Human Services (HHS) and Centers for Medicare and Medicaid Services (CMS) leadership announced during last week’s HIMSS 2022 Conference that the agencies will be focusing on information blocking enforcement for the remainder of 2022. This blog post discusses the importance of closing the enforcement gap and the development of disincentives for health care providers. 

Health care providers, health information networks, health information exchanges, and health IT developers of certified health IT will want to take note of the information blocking claim submission trends recently published by the Office of the National Coordinator for Health Information Technology (ONC).

In our annual webinar, Mintz’s Health Care Enforcement Defense team reviewed the key health care fraud enforcement developments and trends from 2021, assessed their likely impact in 2022, and provided recommendations to avoid government scrutiny.

While the Office of the National Coordinator for Health Information Technology (ONC) issued the 21st Century Cures Act; Interoperability, Information Blocking, and the ONC Health IT Certification Program (Information Blocking Final Rule) back in May 2020, many entities are still parsing out compliance strategies and seeking additional regulatory guidance to understand how the rule will be enforced. Broadly-speaking, information blocking is a practice that is likely to interfere with, prevent, or discourage access, exchange, or use of electronic health information (EHI). For example, a health system might require patient written consent before sharing the patient’s EHI with unaffiliated providers. Another example of information blocking is that a health IT developer might charge a fee to a health care provider to perform an export of EHI so that the provider can switch to a different health IT platform.

Our previous blog post on pending California privacy legislation included a prediction that has since materialized: Governor Newsom signed the Genetic Information Privacy Act (“GIPA”) on October 6, 2021, and the law will go into effect on January 1, 2022. GIPA establishes a number of mechanisms to close the existing gap in the protection of genetic information under the current framework of federal and state privacy laws. As discussed in our earlier post, GIPA contains a robust penalty structure, but it includes a number of carve-outs and does not apply to entities already subject to regulation under other health information privacy laws. Notably, GIPA does not reduce or eliminate obligations under other laws, including California’s more broadly applicable consumer privacy laws, such as the CCPA and breach notification statute, as recently amended by AB 825. Given Governor Newsom’s former concern about GIPA’s interference with mandatory COVID-19 testing reporting, the law also does not apply to tests that are conducted exclusively to diagnose whether an individual has a specific disease.

When it comes to the privacy of health information, California belongs to the select group of states that have implemented broad consumer privacy protections above and beyond those provided by the federal Health Insurance Portability and Accountability Act (HIPAA) and the Federal Trade Commission Act (FTCA). This year, the state’s ongoing legislative efforts to protect the health information of its residents included: Assembly Bill 1436 (AB 1436) which if enacted would have revised California’s existing Confidentiality of Medical Information Act (CMIA), and Senate Bill 41 (SB 41), which if enacted will create the new Genetic Information Privacy Act (GIPA). As further discussed below, only SB 41 is moving forward, and if signed by Governor Newsom GIPA will go into effect on January 1, 2022.

One main principle among public health measures is to use the least restrictive method necessary to protect the population, or to do the greatest good. From the public health perspective, requiring COVID status credentials (“Credentials”) makes sense because it allows people who present a low risk to others to not be subject to unnecessary restrictions. However, implementation and use of Credentials will require careful consideration of individual privacy concerns, as well as the ethical questions related to access and additional privilege.

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that it will exercise its enforcement discretion for health care providers’ and their business associates’ noncompliance with the HIPAA rules with respect to their good faith use of online or web-based scheduling applications for scheduling COVID-19 vaccination appointments. OCR will not impose penalties for such noncompliance during the COVID-19 nationwide public health emergency.

The Department of Health and Human Services (HHS) is pushing ahead in its Regulatory Sprint to Coordinated Care with a new proposed rule, announced by HHS’ Office for Civil Rights on December 10, to modify the HIPAA Privacy Rule. This proposed rule follows HHS’ 2018 Request for Information on Modifying HIPAA Rules to Improve Coordinated Care, which sought to identify regulatory impediments to value-based care presented by HIPAA. With this proposed rule, HHS aims to “reduce burden on providers and support new ways for them to innovate and coordinate care on behalf of patients, while ensuring that [HHS] uphold[s] HIPAA’s promise of privacy and security,” according to HHS Deputy Secretary Eric Hargan. It would achieve these objectives through a variety of updates to the Privacy Rule, which we highlight in this blog post, along with initial reactions from our HIPAA privacy team.

In the inaugural episode of Mintz’s Health Law Diagnosed, Dianne Bourque (Member, Mintz Health Law Practice) discusses why HIPAA is so engrained in our collective consciousness, how it was already equipped to handle public health emergencies, and the important changes made over the last several months to address the COVID-19 outbreak.

As we discussed in our previous blog post, the Department of Health and Human Services’ Office for Civil Rights (OCR) released guidance this past June to address how health care providers could contact, in a HIPAA-compliant manner, recovered COVID-19 patients to provide them with information about donating blood and plasma to potentially help other COVID-19 patients. On August 24, OCR released an updated version of that guidance to address similar communications from health plans. The amended guidance provides that health plans may also reach out to recovered COVID-19 patients about blood and plasma donation, subject to the same restrictions applicable to health care providers.

On August 4, CMS posted a proposed rule on CY 2021 Payment Policies, which included important updates about the expansion of Medicare covered telehealth services due to the COVID-19 pandemic. Here, we cover this and other important developments related to telehealth access during the pandemic and beyond.

Late last week, the Department of Health and Human Services’ Office for Civil Rights (OCR) issued guidance aimed at “making sure misconceptions about HIPAA do not get in the way of a promising COVID-19 response,” according to OCR Director Roger Severino. That “promising response” relates to emerging evidence that plasma from recovered patients (often referred to as “convalescent plasma”) may contain antibodies to SARS-CoV-2, the virus that causes COVID-19. Those antibodies could be useful in treating individuals who are sick with COVID-19. The OCR’s guidance addresses how health care providers may contact, in a HIPAA-compliant manner, recovered COVID-19 patients to provide them with information about donating blood and plasma to potentially help other COVID-19 patients.

The ongoing COVID-19 pandemic has introduced uncertainty and unique challenges in nearly every aspect of life. During this unprecedented time, Mintz is working to keep our clients and community informed and empowered to navigate this new world. To that end, we’ve created a number of webinars on a variety of COVID-19-related topics of interest to health care industry stakeholders. In case you missed them, here’s a highlights reel of what we’ve covered so far – just click on the links below to access the webinar recordings.

Amidst the novel coronavirus (COVID-19) outbreak, the Secretary of the U.S. Department of Health and Human Services (HHS), Alex M. Azar, took steps on March 15, 2020, to waive sanctions and penalties related to certain provisions of the HIPAA Privacy Rule (the “Waiver”). However, the HIPAA Privacy Rule is not suspended, and the Waiver only applies: (1) in the emergency area identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours from the time the hospital implements its disaster protocol. To demonstrate how the Privacy Rule and Waiver provisions work in real life, let’s look at an example: A patient at a hospital reports contact with a confirmed COVID-19 diagnosis. How can this information be shared?

Artificial Intelligence is a growing part of our day-to-day life. And AI promises to improve our health care system. ML Strategies Vice President Christian Tomatsu Fjeld recently sat down with other experts for a panel discussion hosted by the San Francisco Business Times to discuss AI and some business and policy considerations across multiple industries. This viewpoint considers some of the impacts on health care specifically, and links out to the panel's discussion.