Articles and Blogs

The U.S. Department of Health and Human Services (“HHS”) Office of Civil Rights (“OCR”) recently released updated guidance in its October 2023 Cybersecurity Newsletter emphasizing the importance of sanction policies in maintaining HIPAA compliance. This guidance builds upon a threat brief previously issued in August 2022 by HHS’ Health Sector Cybersecurity Coordination Center (“HC3”).... READ MORE

On December 7, 2022, the Federal Trade Commission (“FTC”) in conjunction with the U.S. Department of Health & Human Services (“HHS”) updated the Mobile Health App Interactive Tool (the “Tool”) to include new questions and new use cases. The Tool is a result of collaborative efforts between the FTC, HHS Office for Civil Rights... READ MORE

On December 2, 2022, the Department of Health and Human Services (“HHS”) Substance Abuse and Mental Health Services Administration (“SAMHSA”) released a proposed rule modifying the Confidentiality of Substance Use Disorder Patient Records regulations at 42 CFR Part 2 (“Part 2”). The goal of the proposed rule is to implement changes necessary to conform... READ MORE

On December 1, 2022, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) issued a Bulletin on the obligations of covered entities and business associates (regulated entities) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy, Security, and Breach Notification Rules (“HIPAA Rules”) when using online tracking technologies, such... READ MORE

The United States Department of Health and Human Services Office for Civil Rights (“OCR”) announced a $300,640 settlement and corrective action plan with a dermatology provider over the improper disposal of protected health information (“PHI”). Background In May of 2021, the dermatology provider reported a breach to OCR when empty specimen containers with PHI on... READ MORE

The United States Department of Health and Human Services Office for Civil Rights (“OCR”) announced a settlement with a research university (“University”) which has agreed to pay $875,000 to settle potential violations of the HIPAA Privacy, Security and Breach Notification Rules, as well as to take corrective action after an unauthorized third party gained... READ MORE

The United States Department of Health and Human Services Office for Civil Rights (“OCR”) announced a settlement with a dental practice (“Practice”) which has agreed to pay $62,500 to settle potential violations of the HIPAA Privacy Rule, as well as to take corrective action after impermissibly disclosing patient PHI to a political campaign manager... READ MORE

A North Carolina dental practice (“Practice”) has been fined $50,000 following a Notice of Final Determination regarding a violation of the HIPAA Privacy Rule. In the Notice of Proposed Determination, the United States Department of Health and Human Services Office for Civil Rights (“OCR”) stated that a patient visited the Practice in 2013 and... READ MORE

New cyber incident reporting requirements are forthcoming from the Cybersecurity and Infrastructure Security Agency. Part of the just-signed Consolidated Appropriations Act of 2022 (H.R. 2471) that we wrote about here, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“Act”) gives covered entities 72 hours to report to the Agency that a covered... READ MORE

The Information Blocking Rule (45 CFR part 171) is only a month into effect, and improved access to medical records, particularly concurrent delivery of lab results to the provider and patient and increased access to provider notes through patient portals, already has led to scrutiny of accurate encounter notes and complicated patient satisfaction issues... READ MORE