Category: HHS



Page 2 of 3

Recent OCR Action Provides HIPAA Guidance Related to Opioid Crisis and Privacy Rule in Research

Share

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) recently released several new tools and guidance to ensure that patients and their family members can gain access to information needed to prevent and address opioid abuse and overdose, as well as mental health crises. The materials are focused on the Health Insurance Portability and Accountability Act (HIPAA) and also serve to fulfill certain clarification requirements on HIPAA and research under the 21st Century Cures Act (the “Cures Act”).  The Cures Act was passed by Congress in 2016 and requires, in part, that “health care providers, professionals, patients and their families, and others involved in mental [health] or substance use disorder treatment have adequate, accessible, and easily comprehensible resources relating to appropriate uses and disclosures of protected health information (PHI) under . . . [HIPAA].”

Continue reading

Investigation Continues After Massive Data Breach at Henry Ford Health System

Share

An unknown hacker gained access to 18,470 patients’ personal health information via employee emails at Detroit-based Henry Ford Health System (HFHS).

According to the press release, HFHS first learned of the incident on October 3, 2017, after becoming aware that the email credentials of a group of employees were compromised.  Even though the emails were name and password protected by encryption, they remained vulnerable to such illegal access.  The email accounts contained patient health information, including:

  • Patient name
  • Date of birth
  • Medical record number
  • Provider’s name
  • Date of service
  • Department’s name
  • Location
  • Medical condition
  • Health insurer

Continue reading

A Bipartisan Effort to Focus on Healthcare Cybersecurity

Share

House Energy and Commerce Committee members Reps. Billy Long (R-Mo.) and Doris Matsui (D-Calif.) introduced the HHS Cybersecurity Modernization Act earlier this month in a bipartisan effort to address cybersecurity threats to the Department of Health and Human Services (HHS).  Representatives Long and Matsui have both described the bill, H.R. 4191, as a stepping-stone towards improving cybersecurity at HHS and the health care industry at large. However, the bill does not authorize any additional appropriations to do so.

Continue reading

Latest OCR Reminder Regarding Mobile Device Security and PHI

Share

With the ever-increasing use of mobile devices in the workplace that create, receive, maintain, and transmit electronic protected health information (ePHI), the Department of Health and Human Services (HHS), Office for Civil Rights (OCR)’s latest Cybersecurity Newsletter issued an important reminder of the importance of mitigating the risks surrounding the use of mobile devices.

Mobile devices pose unique security risks because of their portability, small physical size, and capacity to store vast amounts of data. Both the Federal Trade Commission (FTC) and OCR frequently remind all organizations, but especially those entities that process ePHI, of the importance of protecting data on mobile devices.

Continue reading

OCR’s Guidance on HIPAA-Permissible Information Sharing During Patient Opioid Crisis

Share

In response to President Trump’s call to action on opioids, acting Department of Health and Human Services (HHS) Secretary Eric D. Hargan declared the opioid crisis a national public health emergency on October 26, 2017.  The next day, HHS-Office for Civil Rights (OCR) released new guidance on when and how health care providers can share a patient’s health information with the patient’s family and close friends during certain crisis situations, such as opioid overdoses, without violating the Health Insurance Portability and Accountability Act (HIPAA) privacy regulations.

HIPAA prohibits health care providers from sharing protected health information about patients who have capacity to make their own health care decisions and object to information sharing, unless there is a serious and imminent threat of harm or safety.  However, health care professionals may disclose some health information without a patient’s permission under certain circumstances, including:

  • Sharing health information with family, close friends, or any other person identified by the patient, and involved in caring for the patient if the provider determines that doing so is in the incapacitated or unconscious patient’s best interests and the information is directly related to the family or friend’s involvement in the patient’s health care or payment for care. The provider may use professional judgment and experience with common practice to make reasonable inferences of the patient’s best interest.
  • Informing persons in a position to prevent or lessen a serious or imminent threat to the patient’s health or safety.

Continue reading

HHS Declares Public Health Emergency in California – HIPAA Waivers Apply

Share

In the aftermath of the California wildfires, the Department of Health and Human Services (HHS) has waived sanctions and penalties against covered entities that fail to comply with provisions of the HIPAA Privacy Rule.

The waiver is similar to HHS’ response to Hurricanes Harvey and Irma, which we discussed in a previous blog post. This waiver only applies (1) in the emergency area and for the emergency period identified in the public health emergency declaration, (2) to hospitals that have instituted a disaster protocol, and (3) for up to 72 hours from the time the hospital implements its disaster protocol. Continue reading

« Older posts Newer posts »

© 2018 Drinker Biddle & Reath LLP. All Rights Reserved. Lawyer Advertising.

Disclaimer/Privacy Policy