State HIE Sued for Alleged “Unauthorized” Use of PHI for Research

State HIE Sued for Alleged “Unauthorized” Use of PHI for Research

by | Jan 31, 2025 | , ,

On January 3, 2025, a significant lawsuit was filed against a state HIE. The case was brought by a former employee and whistleblower who alleges that the HIE permitted unauthorized access and use of PHI for research purposes in violation of federal and state law, as well as operational policies. Although the facts that are currently known to the public are not sufficient to conclude whether or not HIPAA’s standards applicable to research were met, this case has the potential to influence not only the immediate parties involved but also broader interpretations of HIPAA compliance and enforcement in research settings. At a minimum, the case serves as a reminder that HIEs should be taking proactive steps to ensure that their internal policies, data use agreements, and HIPAA BAAs explicitly address research-related and similar activities in compliance with federal and state laws, including HIPAA.

read more
HIPAA Reproductive Health Care Privacy – Attestation Template, Policy Samples, updated HIPAA policies, a HIPAA-New Jersey Reproductive Health Care Law crosswalk, and more!

HIPAA Reproductive Health Care Privacy – Attestation Template, Policy Samples, updated HIPAA policies, a HIPAA-New Jersey Reproductive Health Care Law crosswalk, and more!

by | Jun 26, 2024 | ,

June 25, 2024 has arrived! This means that the Final Rule for HIPAA Privacy to Support Reproductive Health Care Privacy is officially in effect, and HIPAA covered entities and business associates may now begin implementing its new requirements! But there are still many questions about how some of the new requirements should be implemented. Among those giving covered entities and business associates the most angst is the new Attestation requirement.

read more
Who’s On First? Confusion Continues About Who Should be Reporting the Change Healthcare PHI Breaches (UPDATED)

Who’s On First? Confusion Continues About Who Should be Reporting the Change Healthcare PHI Breaches (UPDATED)

by | Jun 12, 2024 | , ,

What should covered entity healthcare providers be considering and doing, especially where Change Healthcare has yet to take any affirmative breach notification actions? In this post, I take a deeper dive into key issues and share suggestions on steps covered entities may wish to take in order to manage ongoing uncertainties and risks that continue to simmer as a result of the Change Healthcare incident.

read more
42 C.F.R. Part 2 Final Rule Amending Privacy of Substance Use Disorder Records Released.

42 C.F.R. Part 2 Final Rule Amending Privacy of Substance Use Disorder Records Released.

by | Feb 9, 2024 |

The Final Rule amending 42 CFR Part 2 finalizes changes that will align uses and disclosures of Part 2 information with HIPAA for treatment, payment & health care operations. Part 2 providers and others who must comply with Part 2 and this Final Rule have two (2) years to get into compliance. Read more about the changes and how we can help with compliance.

read more
Hefty Monetary Disincentives Proposed for Health Care Providers Engaged in Information Blocking – But Not Every Provider Is on the Hook.

Hefty Monetary Disincentives Proposed for Health Care Providers Engaged in Information Blocking – But Not Every Provider Is on the Hook.

by | Oct 31, 2023 | ,

The Proposed Rule for enforcement is out, and the potential financial “hit” that health care providers may face if the OIG finds them to have violated the Information Blocking Rule (IBR) could be substantial, but don’t get spooked. The reach of the proposed enforcement has limitations. Read more to find out why.

read more
Is Your Organization Paying for the Cost of Health Care? You Might be Responsible for a Health Plan with HIPAA Compliance Obligations.

Is Your Organization Paying for the Cost of Health Care? You Might be Responsible for a Health Plan with HIPAA Compliance Obligations.

by | Sep 21, 2023 | , , ,

OCR reaches a new $1.3 million dollar settlement with a health plan for HIPAA violations. OCR says, “HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA Rules, and not wait for OCR to reveal long-standing HIPAA deficiencies.” Employers that offer Employee Benefits must evaluate if they are responsible for a health plan with HIPAA compliance obligations.

read more
Penalties for Violation of the Information Blocking Rule Start Today!

Penalties for Violation of the Information Blocking Rule Start Today!

by | Sep 1, 2023 | ,

OIG’s authority to begin enforcement of the Information Blocking Rule begins September 1, 2023. Certain Actors subject to the Information Blocking Rule may be subject up to a $1 million penalty per violation! Actors need to be proactive in ensuring their compliance with the Information Blocking Rule and not wait for the OIG to discover them.

read more
Genetic Testing Company Violates Privacy and Security Policies, FTC Says.

Genetic Testing Company Violates Privacy and Security Policies, FTC Says.

by | Jun 19, 2023 | , , ,

Genetic testing companies, and those who partner with them, must take care to ensure that the scope of how consumers’ sensitive data is used and shared in the future aligns with the scope of consent that was granted by the consumer at the point of collection. The FTC found that a California-based genetic testing company informed consumers that it would only share consumers’ sensitive health and other personal information “in limited circumstances,” but then expanded sharing such information with new third parties, like supermarket chains. The FTC has now stepped up to protect consumers’ sensitive genetic information.

read more
AHA Writes Letter to HHS and Pushes Back on OCR’s Online Tracking Guidance

AHA Writes Letter to HHS and Pushes Back on OCR’s Online Tracking Guidance

by | May 30, 2023 | , , ,

After OCR created a Morton’s Fork for hospitals and health systems by publishing its HIPAA Guidance on the Use of Online Tracking Technologies, the American Hospital Association initially stayed out of the fray. Not any more. In its letter dated May 22, 2023, AHA makes its case to HHS as to why OCR’s Online Tracking Guidance should be suspended or amended.

read more
FTC Finds that Ovulation Tracking App Violated the Health Breach Notification Rule

FTC Finds that Ovulation Tracking App Violated the Health Breach Notification Rule

by | May 18, 2023 | , , ,

The FTC releases its second enforcement action under the Health Breach Notification Rule in just over 3 months. This time, the FTC found that a fertility app called Premom shared sensitive fertility information with third parties for unauthorized purposes. While Premom told its users that it would not share their health information with third parties without users’ consent, it used third-party automated tracking tools known as software development kits (SDKs) which shared highly sensitive health information (e.g., data about an individual user’s sexual & reproductive health, pregnancy status etc.) for advertising and marketing purposes.

read more
ONC Says “Vetting” Mobile Apps is Information Blocking

ONC Says “Vetting” Mobile Apps is Information Blocking

by | May 2, 2023 | ,

ONC says actors that require third-party apps to be “vetted” by them for security reasons before allowing patients to use such apps to receive EHI via API technology certified to the Standardized API certification criterion is likely to be information blocking. However, my concern with relying solely on the security criteria required for API certification is that it is too low of a bar to adequately protect patients and other individuals from developers of apps that fail to keep promises to keep individuals’ information confidential.

read more
ONC Publishes New FAQs on Information Blocking focused on the Privacy Exception.

ONC Publishes New FAQs on Information Blocking focused on the Privacy Exception.

by | Apr 2, 2023 | , ,

The Office of National Coordinator says it receives a lot of questions regarding how the Information Blocking Rule is supposed to work in tandem with the HIPAA Privacy Rule and other federal and state laws governing privacy and confidentiality. Their new FAQs aim to help clarify when actors can choose to not respond to a request for access, exchange, or use of electronic health information.

read more
ONC Vindicated. Patients Want Immediate Access to Test Results

ONC Vindicated. Patients Want Immediate Access to Test Results

by | Mar 24, 2023 | , ,

JAMA published a study earlier this week finding more than 95% wanted immediate access to test results. However, when speaking to ONC, the study’s lead researcher specifically noted that although 95.3% of patients who received abnormal test results responded that they still would like to continue to receive immediately released results, this was associated with nearly twice the likelihood of worry compared to respondents who received normal results.

read more

Archives