The New HIPAA Reproductive Health Rule: What You Need to Know

By Kim Stanger

Healthcare providers must comply with the new HIPAA Reproductive Health Rule (the “Rule”) by December 23, 2024. Here is what you need to know and do before then.

Overview. In the wake of Dobbs v. Jackson Women’s Health Organization, the Biden Administration has been concerned about situations in which states that prohibit abortion try to investigate or prosecute their citizens who obtain abortions in other states where abortion is legal. The Rule generally prohibits providers from disclosing protected health information about reproductive healthcare (“RPHI” in this article) for investigative purposes if the reproductive care was legal in the state in which it was rendered.

The Rule faces an uncertain future. Texas has sued HHS to block the Rule. Although no substantive decision has yet been issued, federal courts in Texas have been willing to limit federal regulations concerning reproductive health. Perhaps more importantly, it is not clear whether the Trump administration will maintain the Rule. In the meantime, however, the regulation is on the books and providers should comply.

Court Vacates HIPAA Online Tracking Guidance

By Kim Stanger

On June 20, 2024, a Texas federal court vacated the Office for Civil Rights’ (OCR’s) controversial guidance concerning Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates, available here. While providers will welcome the decision, it does not give providers, business associates, or vendors carte blanche to use or disclose protected health information (PHI) for purposes not permitted by HIPAA.


Avoiding HIPAA Penalties: A Checklist for Covered Entities

By Kim C. Stanger

The HIPAA Privacy, Security, and Breach Notification Rules apply to healthcare providers who engage in certain electronic transactions, healthcare clearinghouses, and health plans, including employee group health plans with 50 or more participants or that are administered by a third party. Covered entities must comply with HIPAA for the following reasons:

1. Civil Penalties. The Office for Civil Rights (OCR) may—and in some cases must—impose civil penalties against covered entities and their business associates who violate HIPAA. The following chart summarizes the tiered penalty structure currently in effect; the penalties are subject to annual cost of living increases.

Idaho’s New Parental Access Law v. HIPAA

By Kim Stanger

As discussed in our prior health law update, New Limits on Minor Consents in Idaho, effective July 1, 2024, parents generally will have the right to access the medical records of their unemancipated minor children subject to very limited exceptions. A parent who is denied access may sue the provider for damages and fees.

To BAA or Not to BAA: Must You Have One?

By Kim Stanger

HIPAA applies to both covered entities (e.g., healthcare providers and health plans) and their business associates. A “business associate” is generally a person or entity that “creates, receives, maintains or transmits” protected health information (PHI) in the course of performing services on behalf of the covered entity (e.g., consultants; management, billing, coding, transcription or marketing companies; information technology contractors; data storage or document destruction companies; data transmission companies or vendors who routinely access PHI; third party administrators; personal health record vendors; lawyers; accountants; malpractice insurers; etc.). “A covered entity may be a business associate of another covered entity” when it performs such functions on behalf of another covered entity. Also, with very limited exceptions, a subcontractor or other entity that creates, receives, maintains or transmits PHI on behalf of a business associate is also a business associate. To determine if an entity is a business associate, see our Business Associate Decision Tree.