
Health Information Privacy & Security

Viewpoints

As promised in the U.S. Department of Health and Human Services (HHS) concept paper in December 2023, the agency published voluntary health care and public health cybersecurity performance goals (HPH CPGs) in January 2024 and then proposed in the HHS FY 2025 Budget to establish certain HPH CPG compliance incentives and penalties for hospitals.
As we reflect on the flurry of activity in the health care data privacy and security space in 2023 and look ahead to what will continue to be a busy 2024, we are seeing the early stages of federal agency movement to align the regulatory environment with modern health care delivery, cutting-edge technologies, and innovative data-sharing techniques. Some of this work has been done in the form of federal agency guidance for which health care organizations will be looking for additional updates, and there are also a handful of pending U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) proposals that call for substantial changes to the HIPAA Privacy Rule.
The U.S. Department of Health and Human Services (HHS) released a concept paper on December 6, 2023 outlining its action plan to enhance cyber resiliency in the health care sector by proposing certain voluntary cybersecurity actions and standards that may ultimately become requirements. For health care organizations such as hospitals, “cyber resiliency” generally means how organizations anticipate, operate during, respond to, and recover from cyber attacks such as ransomware attacks, cloud exploitations, phishing or spear-phishing attacks, software and zero-day vulnerabilities, or distributed denial of service attacks.
In coordination with the Centers for Medicare & Medicaid Services (CMS), the Department of Health and Human Services (HHS) and Office of the National Coordinator for Health Information Technology (ONC) proposed a much-anticipated framework to establish and manage “appropriate disincentives” for health care providers under the Information Blocking Rules. As described in more detail in the blog post, the proposed rule (Appropriate Disincentives Proposed Rule) includes proposed disincentives for (i) hospitals and critical access hospitals (CAHs) participating in the Medicare Promoting Interoperability Program; (ii) health care providers eligible for Merit-Based Incentive Payment System (MIPS) adjustments; and (iii) health care providers participating in the Medicare Shared Savings Program (MSSP).
The Office for Civil Rights (OCR) recently offered covered entities and business associates (Regulated Entities) not-so-subtle reminders in its October 2023 Cybersecurity Newsletter that effective sanction policies can encourage HIPAA compliance. Regulated Entities are required by HIPAA to implement sanction policies in which they impose “appropriate sanctions” against their respective workforce members who fail to comply with the Privacy Rule or Security Rule, the Regulated Entity’s privacy policies and procedures, and/or the Regulated Entity’s security policies and procedures, as applicable. These sanction policies are important administrative safeguards meant to ensure there are objective, documented consequences for HIPAA non-compliance among workforce members. The recent proliferation of social engineering attacks and the increasingly sophisticated nature of external cybersecurity threats in health care underscore the importance of Regulated Entities consistently reviewing and applying sanction policies.
Governor Gavin Newsom recently signed multiple bills into law as part of California’s ongoing efforts to safeguard access to reproductive and gender affirming health care. The new laws are intended to increase protections for health care providers and patients, increase health care provider availability, and improve patient privacy. In a recent press release, California Legislative Women’s Caucus Vice Chair Assemblymember Cecilia Aguiar-Curry noted: “Last year, we enacted 14 bills and budget funding to expand and protect reproductive rights and services in our state. This year, we build on that momentum with legislation that ensures California remains a national leader in the fight for reproductive justice.”
Though there has been much speculation and commentary among industry stakeholders, the Office of Inspector General (OIG) and the Office of the National Coordinator for Health Information Technology (ONC) have not yet begun enforcing statutory penalties associated with violations of the Information Blocking Rules. On July 3, 2023, OIG and the Department of Health and Human Services (HHS) took a significant step toward enforcement of these penalties when they published the long-awaited civil monetary penalty (CMP) final rule (CMP Final Rule) for certain Information Blocking Actors in the Federal Register.
Washington greatly expanded the protection for consumers’ identifiable health information by enacting the “My Health My Data Act” (MHMDA), in an effort to close the gap between HIPAA protections and the laws protecting the privacy and security of other consumer health care data. While MHMDA resembles the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA) and the Illinois Biometric Information Privacy Act (BIPA), it broadly applies to health information outside of traditional health care settings. Regulated Entities should consider undertaking additional steps that we outline now to prepare for the March 31, 2024, and June 30, 2024 (small businesses) compliance deadlines.
In response to concerns about the confidentiality of protected health information (PHI) related to reproductive health care less than one year after the Dobbs v. Jackson Women’s Health Organization decision, and the prospect of such PHI being weaponized by states and used against patients, the U.S. Department of Health & Human Services Office for Civil Rights (OCR) has proposed amendments to the HIPAA Privacy Rule to protect that information.
The Centers for Medicare & Medicaid Services (CMS) recently published the Advancing Interoperability and Improving Prior Authorization Processes Proposed Rule (Prior Authorization Proposed Rule), and, if certain components are finalized, impacted payors will be required to be in compliance by January 1, 2026. The Prior Authorization Proposed Rule is meant to build upon the CMS Interoperability and Patient Access Final Rule (Patient Access Final Rule) and includes five proposals aimed at, according to CMS, increasing efficiency, reducing overall payor and provider burden, and improving patient access to electronic health information (EHI). Impacted health care payors include Medicare Advantage (MA) Organizations, Medicaid Managed Care Plans and Children’s Health Insurance Program (CHIP) Managed Care Entities, State Medicaid and CHIP Fee-for-Service (FFS) Programs, and Qualified Health Plan (QHP) Issuers on the Federally Facilitated Exchanges (FFEs). Among the more significant changes in the rule was the inclusion of MA Organizations as impacted payors.
As illustrated by a recent Office for Civil Rights (OCR) settlement with a dental practice, health care entities continue to struggle with how to respond to negative online reviews while maintaining compliance with the HIPAA Privacy Rule. Given the significant reputational harm that negative reviews on Yelp and other social media and public platforms (Platforms) can create, providers may be tempted to respond to such negative comments with patient specifics in an attempt to mitigate harm to their businesses.
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) has been busy over the past month announcing new enforcement actions and settlement agreements related to violations of the Privacy Rule implemented under the Health Insurance Portability and Accountability Act (HIPAA). OCR’s latest actions offer a reminder for HIPAA Covered Entities that Privacy Rule enforcement activity can come in a variety of types and sizes.
In this second of our two-part blog series on protecting health information post-Roe, we discuss legal and practical strategies that health care providers can take to protect the information of their patients. State laws that restrict or criminalize abortions will require significant amounts of health information to enforce, putting new pressure on health care providers caught in the middle of competing obligations to their patients and to regulatory and law enforcement authorities making lawful requests for this information.
The United States Department of Health and Human Services (HHS) and Centers for Medicare and Medicaid Services (CMS) leadership announced during last week’s HIMSS 2022 Conference that the agencies will be focusing on information blocking enforcement for the remainder of 2022. This blog post discusses the importance of closing the enforcement gap and the development of disincentives for health care providers.
While the Office of the National Coordinator for Health Information Technology (ONC) issued the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program (Information Blocking Final Rule) back in May 2020, many entities are still parsing out compliance strategies and seeking additional regulatory guidance to understand how the rule will be enforced. Broadly speaking, information blocking is a practice that is likely to interfere with, prevent, or discourage access, exchange, or use of electronic health information (EHI). For example, a health system might require a patient’s written consent before sharing the patient’s EHI with unaffiliated providers. Another example of information blocking is a health IT developer charging a fee to a health care provider to perform an export of EHI so that the provider can switch to a different health IT platform.
Our previous blog post on pending California privacy legislation included a prediction that has since materialized: Governor Newsom signed the Genetic Information Privacy Act (“GIPA”) on October 6, 2021, and the law will go into effect on January 1, 2022. GIPA establishes a number of mechanisms to close the existing gap in the protection of genetic information under the current framework of federal and state privacy laws. As discussed in our earlier post, GIPA contains a robust penalty structure, but it includes a number of carve-outs and does not apply to entities already subject to regulation under other health information privacy laws. Notably, GIPA does not reduce or eliminate obligations under other laws, including California’s more broadly applicable consumer privacy laws, such as the CCPA and breach notification statute, as recently amended by AB 825. Given Governor Newsom’s former concern about GIPA’s interference with mandatory COVID-19 testing reporting, the law also does not apply to tests that are conducted exclusively to diagnose whether an individual has a specific disease.
When it comes to the privacy of health information, California belongs to the select group of states that have implemented broad consumer privacy protections above and beyond those provided by the federal Health Insurance Portability and Accountability Act (HIPAA) and the Federal Trade Commission Act (FTCA). This year, the state’s ongoing legislative efforts to protect the health information of its residents included: Assembly Bill 1436 (AB 1436), which, if enacted, would have revised California’s existing Confidentiality of Medical Information Act (CMIA), and Senate Bill 41 (SB 41), which, if enacted, will create the new Genetic Information Privacy Act (GIPA). As further discussed below, only SB 41 is moving forward, and if signed by Governor Newsom, GIPA will go into effect on January 1, 2022.
One main principle among public health measures is to use the least restrictive method necessary to protect the population, or to do the greatest good. From the public health perspective, requiring COVID status credentials (“Credentials”) makes sense because it allows people who present a low risk to others to not be subject to unnecessary restrictions. However, implementation and use of Credentials will require careful consideration of individual privacy concerns, as well as the ethical questions related to access and additional privilege.
The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that it will exercise its enforcement discretion for health care providers’ and their business associates’ noncompliance with the HIPAA rules with respect to their good faith use of online or web-based scheduling applications for scheduling COVID-19 vaccination appointments. OCR will not impose penalties for such noncompliance during the COVID-19 nationwide public health emergency.