HIPAA News and Resources
HIPAA Privacy and Security for Beginners
This article by Kirk Nahra, CIPP/US, of Wiley Rein offers an overview of the Health Insurance Portability and Accountability Act from its inception. The article outlines the goals of the law, highlighting the principles found in the HIPAA privacy and security rules.
Health Insurance Portability and Accountability Act, The
A U.S. law passed to create national standards for electronic healthcare transactions, among other purposes. HIPAA required the U.S. Department of Health and Human Services to promulgate regulations to protect the privacy and security of personal health information. The basic rule is that patients have to opt in before their information can be shared with other organizations—although there are important exceptions such as for treatment, payment and healthcare operations. Link to text of law: Th...
Who Does HIPAA Apply To?
This article, published by Compliance Junction, provides guidance on the application of the Health Insurance Portability and Accountability Act, with a focus on business associates, hybrid entities and preemption by state laws.
HHS Guidance: HIPAA, Civil Rights, and COVID-19
The U.S. Department of Health & Human Services Office for Civil Rights (OCR) published this guidance page providing announcements, guidance, notifications and bulletins on civil rights laws and the HIPAA Privacy Rule during the COVID-19 outbreak.
Covered Entity Guidance
This guidance from the Centers for Medicare & Medicaid Services helps determine whether an organization or individual is a covered entity under the Administrative Simplification provisions of HIPAA.
Guide to Privacy and Security of Electronic Health Information
The intent of the guide from the U.S. Office of the National Coordinator for Health Information Technology is to help healthcare providers, especially HIPAA covered entities and Medicare Eligible Professionals from smaller organizations, better understand how to integrate federal health information privacy and security requirements into their practices.
Who Can Sue for A HIPAA Violation?
This guide, published by Compliance Junction, lays out what entitles someone to sue for a HIPAA violation and how one can take legal action over a HIPAA violation.
HIPAA Basics for Providers: Privacy, Security, and Breach Notification Rules
This resource from the Centers for Medicare & Medicaid Services offers an overview of the HIPAA privacy, security and breach notification rules, explains who needs to comply with them, and lists resources for more information.
Why the Fifth Circuit HIPAA case doesn't mean 'game over' for HHS data security enforcement
Last January, in University of Texas M.D. Anderson Cancer Center v. HHS, 985 F.3d 472, the Fifth Circuit Court of Appeals cast a pretty big shadow of doubt over data security enforcement by the Department of Health and Human Services. But it's not game over for HHS Health Insurance Portability and Accountability Act enforcement. Of the court's four rationales, one seems clearly wrong (although it highlights an important issue), one seems right, the third appears to require more care by HHS when ...
Unpacking the proposed HIPAA Privacy Rule modifications
Only a month into 2021, and U.S. privacy professionals are already trying to keep up with fast-moving legislative developments and other privacy initiatives. The whirlwind of action spans across the privacy space, including some potential movement in the health care industry on the Health Insurance Portability and Accountability Act. The U.S. Department of Health and Human Services' Office for Civil Rights announced Dec. 10, 2020, that a Notice of Proposed Rulemaking was drafted to modify prov...
Understanding HIPAA's security rule for telemedicine apps
The rapid growth in telehealth has predictably spawned the development of a variety of new software solutions to serve the needs of both doctors and patients. While the field is wide open for application developers, the area of telemedicine also presents some unique data privacy and security challenges. Of course, the principles of privacy by design tell us that data privacy concerns should be integrated into the entire design process, but this imperative becomes all the more important and chall...
AMA HIPAA Guidance and Toolkit
The American Medical Association published this toolkit aiming to help physicians review and update their HIPAA policies and procedures. The web page includes a breakdown of the revised rule, FAQs, a sample notice of privacy practices and a sample business associate agreement.
Social Media Rules for HIPAA
This article from Compliance Junction advises health care organizations on developing social media policies in order to abide by the U.S. Health Insurance Portability and Accountability Act and cultivate a social media presence.
Perspectives on health data de-identification
A series of short articles by Khaled El Emam on the HIPAA Privacy Rule Safe Harbor de-identification standard, the difference between masking and de-identification, and how to protect data in the era of big data.
HHS notice on telehealth penalties raises privacy concerns
The U.S. government just eased the path for doctors and nurses to do video chats with patients by lifting privacy and security compliance penalties and enforcement action against health care providers. The Office for Civil Rights at the U.S. Department of Health and Human Services Tuesday said it will allow health care providers to use technology, such as Apple FaceTime, Facebook Messenger video chat or other video platforms, to communicate with patients. But, while federal response to the COVID...
HIPAA Privacy Rule: Hybrid Entity Regulatory Reference Table
This table, published by The Network for Public Health Law, provides text, citations and summaries relative to the HIPAA Privacy Rule's hybrid entity provisions.
Paging all health care privacy pros: CCPA deserves your attention despite HIPAA exemption
We would understand if health care organizations have been ignoring the California Consumer Privacy Act of 2018. The act was signed June 28, just before the July 4 holiday, most privacy pros have a GDPR hangover, and there’s a HIPAA exemption, so who cares — right? Dear readers: It is our unfortunate duty to inform you that this act will significantly impact health care organizations. In a nutshell, the California Consumer Privacy Act requires “businesses” involved in the “processing” of “pers...
HIPAA Audit Program Protocol
The U.S. Office for Civil Rights HIPAA Audit program analyzes processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate. The protocol covers Privacy Rule requirements for notice of privacy practices for PHI, rights to request privacy protection for PHI, access of individuals to PHI, administrative requirements, uses and disclosures of PHI, amendment of PHI, accounting of disclosures and requirements for the Breach Notification Rule.
Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule
The U.S. Department of Health & Human Services offers guidance on protection of information in research, including to whom the HIPAA Privacy Rule applies, what information is protected and ways to use protected information while complying with the rule.
HIPAA - Covered Entities and Business Associates
The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. law passed to create national standards for electronic health care transactions, among other purposes. HIPAA required the U.S. Department of Health and Human Services to promulgate regulations to protect the privacy and security of personal health information. The basic rule is that patients have to opt in before their information can be shared with other organizations — although there are important exceptions such as for ...
Sample Business Associate Agreement Provisions
This web page from the U.S. Department of Health and Human Services includes definitions, sample business associate agreement provisions and other information to help covered entities and business associates more easily comply with the business associate contract requirements.
'Neurorights' and the next flashpoint of medical privacy
Another frontier in the privacy landscape is emerging, as countries like the U.S. address deficiencies with how sensitive medical data is processed by third parties outside Health Insurance Portability and Accountability Act and other legislative protections. Around the world, leading neuroscientists, neuroethicists, privacy advocates and legal minds are taking greater interest in brain data and its potential. Opinions vary widely on the long-term advancements in technology designed to measure...
Digital transformation in the health care sector: Research and innovation as secondary use
Digital transformation is progressing in the health care sector, with electronic patient files, health apps, mobile health wearables, connected medical devices and even remote emergency doctors. Digital transformation generates large volumes of data, which offer a wide range of opportunities for research and innovation. When it comes to patient data, these opportunities may clash with the requirements under applicable data protection laws, particularly consent requirements. However, consent as l...
Top takeaways from the FTC-GoodRx case: A chat with Kirk Nahra
In early February, the U.S. Federal Trade Commission published a proposed order that fines telehealth and discount prescription provider GoodRx $1.5 million. Though part of the case involves deception — one of two prongs under the FTC Act — the case also raises the first-of-its-kind use of the Health Breach Notification Rule. To help better understand the novel and complex issues embedded in the case, IAPP Editorial Director Jedidiah Bracy, CIPP, caught up with WilmerHale Partner Kirk Nahra, CI...
A healthy dose of consent: Takeaways from the FTC’s GoodRx case
In what the U.S. Federal Trade Commission calls a "first-of-its-kind" enforcement action, the FTC filed a proposed order against GoodRx, a U.S. health care company, for violating the Health Breach Notification Rule and the FTC Act. The proposed order prohibits GoodRx from disclosing user health data for advertising purposes and requires payment of a $1.5 million civil penalty, 0.2% of the company's 2021 gross global revenue. This case signals an increase in the FTC's use of its unfairness author...
Privacy and neurodiversity: Helping diverse minds navigate the digital age
For better or worse, digital technologies have undeniably transformed many aspects of daily life. Experiences interacting with the digital world can be different for everyone, especially neurodiverse people. Many neurodiverse people reap its benefits by connecting with other like-minded people through online communities, accessing plentiful knowledge about topics of interest, and learning different strategies for navigating a world built around the needs of neurotypical people. At the same time,...
FTC releases updated interactive health care app compliance tool
The U.S. Federal Trade Commission released an updated Mobile Health App Interactive Tool. The application, first developed in conjunction with the HHS' Office for Civil Rights, Office of the National Coordinator for Health Information Technology, and the Food and Drug Administration, aims to help health care app developers determine if the app is compliant with federal laws and regulations. The interactive tool asks users questions about the app's functionality and the data it collects. It then ...
OCR creates new guidance for HIPAA 'recognized security practices'
The U.S. Department of Health and Human Services’ Office for Civil Rights issued new guidance for “recognized security practices” for enforcing the Health Insurance Portability and Accountability Act, InfoSecurity reports. The guidance clarifies a 2021 rule added into the Health Information Technology for Economic and Clinical Health Act of 2009 which required OCR to evaluate “regulated entities’ implementation of ‘recognized security practices’" over the prior year “when the agency makes certai...
P.S.R. 2022 keynote: Roe v. Wade reversal a 'wake-up' across privacy spectrum
More than three months have passed since the U.S. Supreme Court rendered its decision to reverse Roe v. Wade and remove the constitutional right to an abortion. Implications for individual privacy rights and data privacy stemming from the decision are clear and continue to be worked through. But simply working toward a solution won't suffice for arriving at concrete fixes, according to participants in a keynote panel at the opening general session of the IAPP Privacy. Security. Risk. 2022 confe...
Privacy and digital health data: The femtech challenge
The Dobbs v. Jackson Women's Health Supreme Court decision has raised the stakes for privacy protections of health data in the U.S. By the end of the year, the femtech market — that is, digital tools such as mobile applications related to women's health — is estimated to be a $51.6 billion global market, more than a third of the total valuation of digital health. While the repercussions of gaps in U.S. digital health data protections extend well beyond women's health, the post-Dobbs privacy conc...
Keynote: Panel on the implications of the Supreme Court's Dobbs decision (IAPP Privacy. Security. Risk. 2022)
From Austin City Limits Live at the Moody Theater, this panel analyzes how the Supreme Court’s Dobbs decision affects the long-recognized United States’ constitutional right to privacy, the concept of bodily autonomy, and the connection between privacy, liberty, and equality. Moderated by The New Yorker staff writer and “Trick Mirror” author Jia Tolentino, the panel features U.S. Department of Health and Human Services Office for Civil Rights Director Melanie Fontes Rainer, Center for Democracy & Technology President and CEO Alexandra Reeve Givens, and Jill Morrison, executive director of the Women’s Law and Public Policy Fellowship Program, and the Leadership and Advocacy for Women in Africa Program.
Medicare Telehealth: Actions Needed to Strengthen Oversight and Help Providers Educate Patients on Privacy and Security Risks
The U.S. Government Accountability Office published recommendations to improve oversight over telehealth appointments. The recommendations are for the Centers for Medicare & Medicaid Services within the U.S. Department of Health and Human Services.
Tips for Protecting Privacy Post-Dobbs v. Jackson Women’s Health Organization
These resources, published by Morrison Foerster, provide guidance on protecting privacy for individuals, health care providers and technology companies in light of the U.S. Supreme Court's decision in Dobbs v. Jackson Women's Health Organization to overturn Roe v. Wade and a woman's constitutional right to abortion.
A view from DC: Considering what is defined as genetic data
Definitions can be messy, especially when they move from dictionaries to law books. Just look at the idea of genetic data and ponder this riddle: When is a medical test result genetic information? The National Institute of Standards and Technology definition of “genomic information” says it is limited to information based on an individual’s genome, such as a sequence of DNA or the results of genetic testing. Privacy laws broaden the scope of covered data within such a functional definition — pe...
Roe v. Wade’s overturn: The impact on data protection and law enforcement
On June 24, the U.S. Supreme Court overturned Roe v. Wade, confirming the understanding contained in the draft decision leaked in early May. Roe v. Wade is a paradigmatic decision that secured the constitutional right to abortion in the country in 1973. After 49 years, it came to an end. The recent decision allows a number of U.S. states to adopt laws criminalizing abortion in a short time. It is thought that approximately half of the U.S. states will ban or severely restrict the practice. This...
Defining health data: A major challenge for any privacy law
The draft American Data Privacy and Protection Act that is the focus of current attention raises many complex issues. I want to focus on one detail from the bill. My basic objective is to illustrate some of the difficulties of regulating health information that exists outside the health care system. The bill defines sensitive covered data to include “Any information that describes or reveals the past, present, or future physical health, mental health, disability, diagnosis, or healthcare treatm...
Roe v. Wade reversal sends ripples through privacy world
The U.S. Supreme Court's recent decision to overturn Roe v. Wade dealt a blow to women's rights with the constitutional right to an abortion nullified and individual state legislatures now ultimately in charge of deciding if, when and for what reason a woman is allowed to have the procedure. The 6-3 ruling from Supreme Court Justices was expected after a draft opinion leaked in May. The issue cuts largely at the heart of women's civil rights, but the privacy implications of the reversal are bei...
Commission proposal for a regulation on the European health data space
Earlier this month a draft of the proposal for the European Health Data Space Regulation was released. The EHDS is one of nine European data spaces identified in the European Commission's 2020 European Strategy for Data, and very much a priority for the commission. It builds on the Data Governance Act and the recently released proposal for the Data Act. Those acts are horizontal in nature; the EHDS Regulation would provide more specific sectoral measures in the area of health. The draft proposa...
Web Conference: Building an Effective and Strategic Healthcare Privacy Program
Original broadcast date: 19 January 2022. This web conference is an in-depth, practical discussion regarding the build out of a healthcare privacy program. Panelists describe key privacy and related laws that are relevant to global healthcare organizations and core pillars of work to consider in building out a healthcare privacy program, and discuss key recommendations based on these pillars that can help to make a privacy program a competitive differentiator.
Privacy as a competitive differentiator: Building an effective and strategic healthcare privacy program
This white paper provides a comprehensive framework for building and managing a health care privacy program (also referred to throughout this paper as a health care privacy function) based on the collective insights from in-house and external privacy counsel.
European Health Data Space: Repairing the trans-Atlantic data relationship through biotech R & D
That the trans-Atlantic data relationship needs some healing and repair is well-understood. The highly innovative biotechnology sector delivers breakthrough innovations that transform health care, promote public health and cure once incurable diseases. Perhaps a remedy to the trans-Atlantic data relationship is not beyond the sector's reach as well. Data flows between the United States and the European Union are critical for advancing biomedical research. Collaborations between researchers on b...
A public service announcement about the HIPAA Privacy Rule
HIPAA and COVID-19 have been in the news together a lot lately. Most of what you see is wrong. Here’s a refresher — for yourself, and your strange friend who read something on the internet and is now a HIPAA expert or, all too frequently, a “HIPPA” expert. First, HIPAA is not an overall health information privacy rule. The name of the statute may give some clues — the Health Insurance Portability and Accountability Act. The single “P” in the name is for portability, not privacy. Neither privac...
Profiles in Privacy — A conversation with Patrice Ettinger
Original broadcast date: June 2021. Join IAPP President and CEO J. Trevor Hughes, CIPP, as he sits down with Pfizer Chief Privacy Officer Patrice Ettinger, CIPP/US, to discuss her career path and lessons learned along the way. Watch the full recording on LinkedIn.
Pfizer CPO: 'You really feel the enormity of what we are doing'
IAPP CEO and President J. Trevor Hughes, CIPP, hosted Pfizer's Chief Privacy Officer Patrice Ettinger during the IAPP's "Profiles in Privacy" series June 17 on LinkedIn Live. The mission of multi-national biopharmaceutical company Pfizer is to deliver “breakthroughs that change patients’ lives.” Chief Privacy Officer Patrice Ettinger, CIPP/US, said she may never have understood that more than she has over the past 18 months. “In 2020, I and probably everybody else were able to relate to that i...
Web Conference: The Future of HIPAA
Original broadcast date: May 24, 2021. The Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules were written in a period where health information was concentrated in the hands of traditional health care institutions such as doctors, hospitals and health plans. Almost two decades later, this is no longer the case. With revolutionary advances in technology, an increasing variety of organizations are generating and collecting sensitive health information largely outside the bounds of HIPAA. This panel discussed whether HIPAA is still up to the task of protecting health information. Panelists investigated the supporting principles for any legislation that might modify how health information is treated and assessed specific proposals for updating the current sector-specific framework. They also assessed the capacity of those proposals to better embrace the advantages and threats posed by recent changes to the health privacy landscape.
Web Conference: Advancing Data-Driven Health Research and Innovation Responsibly
Original broadcast date: April 7, 2021. Despite a common misconception, privacy and healthcare research (including innovation) are not polarizing forces. Join privacy experts from the life sciences and healthcare field as they discuss how data is really used in research and development. You will hear their views on bridging the perceived gap between healthcare research and privacy, and how to apply those ideas to current challenges, such as innovating responses to COVID-19. The panel will also discuss types of research, what makes data use in drug development and medtech different from other industries, effective anonymization/deidentification, lawful data use and how to build public trust within the industry.
The status quo of health data inferences
Who would have predicted a pandemic? And yet, it seems that somehow, we have learned to live with COVID-19. But have we also learned or reinforced "hidden" data-processing techniques? Always relevant, but in the last year more than ever, is the discussion on data and privacy protection. EU data protection authorities agree personal data protection must be ensured even in these exceptional times, especially when it comes to the generally prohibited processing of health data (Article 9 of the EU...
Privacy in the Wake of COVID-19
The IAPP and EY launched a research initiative to gain more insight into the unique ways privacy and data protection practices have been affected by the pandemic. The initial phase of the project included a survey of privacy professionals, taking a deeper look at how organizations, in general, and privacy programs, in particular, are handling the privacy and data protection issues that have emerged alongside COVID-19, such as privacy and security issues related to working from home, monitoring the health of employees, and sharing data with governments, researchers and public health authorities.