E-mailing and Texting PHI: Beware HIPAA

By Kim Stanger

The HIPAA Privacy and Security Rules require covered entities (including healthcare providers and health plans) and their business associates to protect patient information stored or transmitted electronically, including protected health information (“PHI”) sent in unsecure texts or e-mails.

E-mails and Texts to Patients. The HIPAA Privacy Rule not only allows but requires covered entities to communicate with patients via e-mail or text if requested by the patient (see 45 CFR § 164.522(b)), but the Privacy Rule requires covered entities to implement appropriate safeguards when e-mailing or texting e-PHI to patients. The Office for Civil Rights (“OCR”) explained:

The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. (See 45 CFR § 164.530(c)). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending or sending an e-mail alert to the patient for address confirmation prior to sending the message. Further, while the Privacy Rule does not prohibit the use of unencrypted e-mail for treatment-related communications between health care providers and patients, other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted e-mail. In addition, covered entities will want to ensure that any transmission of electronic protected health information is in compliance with the HIPAA Security Rule requirements at 45 CFR Part 164, Subpart C.

(OCR FAQ dated 12/15/08, available at http://www.hhs.gov/ocr/privacy/hipaa/faq/health_information_technology/570.html).

The New HIPAA Reproductive Health Rule: What You Need to Know

By Kim Stanger

Healthcare providers must comply with the new HIPAA Reproductive Health Rule (the “Rule”) by December 23, 2024.1 Here is what you need to know and do before then.

Overview. In the wake of Dobbs v. Jackson Women’s Health Organization, the Biden Administration has been concerned about situations in which states that prohibit abortion try to investigate or prosecute their citizens who obtain abortions in other states where abortion is legal. The Rule generally prohibits providers from disclosing protected health information about reproductive healthcare (“RPHI” in this article) for investigative purposes if the reproductive care was legal in the state in which it was rendered.

The Rule faces an uncertain future. Texas has sued HHS to block the Rule.2 Although no substantive decision has yet been issued, federal courts in Texas have been willing to limit federal regulations concerning reproductive health. Perhaps more importantly, it is not clear whether the Trump administration will maintain the Rule. In the meantime, however, the regulation is on the books and providers should comply.

Court Vacates HIPAA Online Tracking Guidance

By Kim Stanger

On June 20, 2024, a Texas federal court vacated the Office for Civil Rights’ (OCR’s) controversial guidance concerning Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates, available here. While providers will welcome the decision, the decision does not allow providers, business associates, or vendors carte blanche license to use or disclose protected health information (PHI) for purposes not permitted by HIPAA.

Avoiding HIPAA Penalties: A Checklist for Covered Entities

by Kim C. Stanger

The HIPAA Privacy, Security, and Breach Notification Rules1 apply to healthcare providers who engage in certain electronic transactions, healthcare clearinghouses, and health plans, including employee group health plans with 50 or more participants or that are administered by a third party.2 Covered entities must comply with HIPAA for the following reasons:

1. Civil Penalties. The Office for Civil Rights (OCR) may—and in some cases must—impose civil penalties against covered entities and their business associates who violate HIPAA. The following chart summarizes the tiered penalty structure currently in effect; the penalties are subject to annual cost of living increases.3

Idaho’s New Parental Access Law v. HIPAA

By Kim Stanger

As discussed in our prior health law update, New Limits on Minor Consents in Idaho, effective July 1, 2024, parents generally will have the right to access the medical records of their unemancipated minor children subject to very limited exceptions. A parent who is denied access may sue the provider for damages and fees.1