The New HIPAA Reproductive Health Rule: What You Need to Know

By Kim Stanger

Healthcare providers must comply with the new HIPAA Reproductive Health Rule (the “Rule”) by December 23, 2024. Here is what you need to know and do before then.

Overview. In the wake of Dobbs v. Jackson Women’s Health Organization, the Biden Administration has been concerned about situations in which states that prohibit abortion try to investigate or prosecute their citizens who obtain abortions in other states where abortion is legal. The Rule generally prohibits providers from disclosing protected health information about reproductive healthcare (“RPHI” in this article) for investigative purposes if the reproductive care was legal in the state in which it was rendered.

The Rule faces an uncertain future. Texas has sued HHS to block the Rule. Although no substantive decision has yet been issued, federal courts in Texas have been willing to limit federal regulations concerning reproductive health. Perhaps more importantly, it is not clear whether the Trump administration will maintain the Rule. In the meantime, however, the regulation is on the books and providers should comply.

OCR Provides Guidance to the Healthcare Industry to Combat Ransomware Attacks

By Allison (Ally) Kjellander

In the spirit of National Cybersecurity Awareness Month, the Office of Civil Rights (“OCR”) released a new video on October 17, 2024, to promote awareness of ransomware trends in the healthcare industry and of how entities subject to HIPAA can combat ransomware. OCR’s video covers breach and ransomware trend analysis, reviews OCR’s ransomware guidance and materials, analyzes ransomware attack chains, and discusses how compliance with the HIPAA Security Rule can combat ransomware.

Court Vacates HIPAA Online Tracking Guidance

By Kim Stanger

On June 20, 2024, a Texas federal court vacated the Office for Civil Rights’ (OCR’s) controversial guidance concerning Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates. While providers will welcome the decision, the decision does not allow providers, business associates, or vendors carte blanche license to use or disclose protected health information (PHI) for purposes not permitted by HIPAA.

Avoiding HIPAA Penalties: A Checklist for Covered Entities

By Kim C. Stanger

The HIPAA Privacy, Security, and Breach Notification Rules apply to healthcare providers who engage in certain electronic transactions, healthcare clearinghouses, and health plans, including employee group health plans with 50 or more participants or that are administered by a third party. Covered entities must comply with HIPAA for the following reasons:

1. Civil Penalties. The Office for Civil Rights (OCR) may—and in some cases must—impose civil penalties against covered entities and their business associates who violate HIPAA. The following chart summarizes the tiered penalty structure currently in effect; the penalties are subject to annual cost of living increases.

Idaho’s New Parental Access Law v. HIPAA

By Kim Stanger

As discussed in our prior health law update, New Limits on Minor Consents in Idaho, effective July 1, 2024, parents generally will have the right to access the medical records of their unemancipated minor children subject to very limited exceptions. A parent who is denied access may sue the provider for damages and fees.