Category Archives: HIPAA

June 26, 2024

Court Vacates HIPAA Online Tracking Guidance

By Kim Stanger

On June 20, 2024, a Texas federal court vacated the Office for Civil Rights’ (OCR’s) controversial guidance concerning Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates. While providers will welcome the decision, it does not give providers, business associates, or vendors carte blanche to use or disclose protected health information (PHI) for purposes not permitted by HIPAA.

May 29, 2024

Avoiding HIPAA Penalties: A Checklist for Covered Entities

By Kim C. Stanger

The HIPAA Privacy, Security, and Breach Notification Rules apply to healthcare providers who engage in certain electronic transactions, healthcare clearinghouses, and health plans, including employee group health plans with 50 or more participants or that are administered by a third party. Covered entities must comply with HIPAA for the following reasons:

1. Civil Penalties. The Office for Civil Rights (OCR) may—and in some cases must—impose civil penalties against covered entities and their business associates who violate HIPAA. The following chart summarizes the tiered penalty structure currently in effect; the penalties are subject to annual cost of living increases.

October 24, 2023

To BAA or Not to BAA: Must You Have One?

By Kim Stanger

HIPAA applies to both covered entities (e.g., healthcare providers and health plans) and their business associates. A “business associate” is generally a person or entity that “creates, receives, maintains or transmits” protected health information (PHI) in the course of performing services on behalf of the covered entity (e.g., consultants; management, billing, coding, transcription or marketing companies; information technology contractors; data storage or document destruction companies; data transmission companies or vendors who routinely access PHI; third party administrators; personal health record vendors; lawyers; accountants; malpractice insurers; etc.). “A covered entity may be a business associate of another covered entity” when it performs such functions on behalf of another covered entity. Also, with very limited exceptions, a subcontractor or other entity that creates, receives, maintains or transmits PHI on behalf of a business associate is itself a business associate. To determine if an entity is a business associate, see our Business Associate Decision Tree.

September 15, 2023

HIPAA and Subpoenas, Orders, and Administrative Demands

By Kim Stanger

The HIPAA privacy rules (45 CFR § 164.501 et seq.) generally prohibit healthcare providers and their business associates from disclosing protected health information in response to subpoenas and other government demands unless certain conditions are satisfied. This outline summarizes HIPAA rules for responding to such demands. To the extent there is a more restrictive state or federal law that applies in a particular case, the more restrictive law will usually control.

December 15, 2022

Mandatory Disclosures for Healthcare Workers Under Idaho Law

By Kim Stanger

The HIPAA privacy rules allow healthcare providers to disclose protected health information to the extent another state or federal law or regulation requires it:

A covered entity may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.

(45 C.F.R. § 164.512(a)(1)). Importantly, HIPAA only allows such disclosures if the other law requires the disclosure, not if the other law simply allows disclosures. (78 FR 5618). In cases where another law permits but does not require disclosure, HIPAA would preempt the other law and prohibit the disclosure unless another HIPAA exception applied.

September 23, 2021

Employee Vaccine Information: Privacy Concerns

By Kim Stanger

Given the COVID-19 vaccine mandates, employers—including healthcare entities—will need to confirm their employees’ vaccination status. Employers and healthcare providers must ensure they comply with privacy rules relating to employee vaccination information, including those imposed by the Health Insurance Portability and Accountability Act (HIPAA) and Americans with Disabilities Act (ADA).

April 14, 2021

HIPAA, Business Associates, and the Conduit Exception

By Kim Stanger

The HIPAA privacy and security rules impose significant requirements on covered entities and their business associates; violations may result in penalties ranging from $119 to $59,522 per violation. (45 CFR § 160.404; 45 CFR § 102.3; 85 FR 2879). “Business associates” are generally those entities that create, receive, maintain or transmit protected health information (“PHI”) on behalf of a covered entity (45 CFR § 160.103, definition of business associate); thus, most entities that handle data for healthcare providers or their business associates, including data storage, data transmission, and cloud services providers, will become business associates subject to HIPAA requirements unless an exception applies.

March 22, 2021

HIPAA, Patient Access, and Designated Record Sets

By Kim Stanger

With limited exceptions, HIPAA generally gives individuals the right to access or obtain copies of their protected health information (“PHI”) from covered entities. (45 CFR § 164.524(a)). But the right of access does not apply to all PHI that a covered entity might have; instead, individuals only have a right to access information in their “designated record set”. This article summarizes relevant standards for determining which records patients have a right to access.

December 11, 2020

HHS Proposes Modifications to the HIPAA Privacy Rule

On December 10, the U.S. Department of Health and Human Services (HHS) announced proposed changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to support individuals’ engagement in their care, remove barriers to coordinated care, and reduce regulatory burdens on the healthcare industry. The Holland & Hart Healthcare Group shares this important update from HHS for your information:

Read the HHS Update.

We will continue to monitor this news and will provide more in-depth insights on the impacts of the proposed modifications.