Irma over the Southeastern U.S. – Courtesy of NOAA

As Texas, Florida, and the Caribbean rebuild after the latest string of deadly hurricanes and prepare for the possibility of future storms, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reminded health care providers of the importance of ensuring the availability and security of health information during and after natural disasters.  OCR’s guidance is a good reminder to all health care providers – regardless of where they are located – of the applicability of the HIPAA Privacy and Security Rules during natural disasters and other emergencies.

OCR recently published a bulletin during Hurricane Harvey discussing how the HIPAA Privacy Rule applies to sharing protected health information (PHI) during natural disasters. Recirculated while Irma was looming, the guidance document reminds health care providers that HHS may waive sanctions and penalties against a covered hospital for certain activities (e.g., obtaining a patient’s agreement before speaking with family or friends involved in the patient’s care) during an emergency. However, the waiver is limited to certain hospitals located within an emergency area and for a specific period of time.  More importantly, OCR noted in the bulletin that the Privacy Rule still applies to covered entities and their business associates during such emergencies, but the Privacy Rule does allow the disclosure of PHI without the patient’s consent for the patient’s treatment or public health activities.  Covered entities may also share PHI with a patient’s family or friends identified by the patient as being involved in their care, but OCR recommends that the covered entities obtain verbal permission or otherwise confirm that the patient does not object to sharing the information with these individuals.

Similarly, OCR reminded covered entities and business associates that the HIPAA Security Rule is not suspended during a natural disaster or emergency. On the contrary, the Security Rule actually imposes additional requirements during emergencies to ensure that electronic PHI is available during and after the emergency.  Specifically, covered entities and their business associates must have contingency plans that include plans for data back-up, disaster recovery, and emergency mode operation.  Additional information on the HIPAA Security Rule can be found here.

Health care providers must remain vigilant that patient information is not compromised and that it remains secure and accessible at all times. Covered entities and their business associates should carefully review their policies and procedures to make sure that they can respond appropriately to such events.

Originally published in our sister blog, Health Law & Policy Matters

You’ve had your apple a day, but you can’t keep the subpoenas away…  

If your organization is facing a request seeking records or other materials that may contain patient health information (“PHI”), it bears repeating that while HIPAA provides a number of methods through which covered entities that hold records containing PHI may produce such records, these guidelines are closely enforced by courts. Read on for your spring check-up, “HIPAA Spring Check-up: Your Obligations to Safeguard Third-Party Patient Health Information in Medical Records Produced in Litigation.”

Written by Kimberly Gold

(Originally posted in Mintz Levin’s Health Law Policy Matters blog)

Understanding the complexities of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules is often a challenge for health care providers and consumers. Recognizing the widespread confusion surrounding the interpretation of the rules, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released new tools to educate providers and consumers about HIPAA.

Many consumers regularly sign a HIPAA Notice of Privacy Practices with little to no understanding of what the form actually says or means. To help consumers understand their rights under the HIPAA Privacy Rule, OCR has developed consumer guides about HIPAA, which are available in eight languages. These materials include information about individuals’ health information privacy rights, understanding the HIPAA Notice of Privacy Practices, and sharing health information with family members and friends. Along with these fact sheets, OCR released seven consumer-facing videos on its YouTube channel.

But OCR has not forgotten about providers who may also be grappling with HIPAA. OCR released videos on its YouTube channel specifically for providers, covering topics such as establishing safeguards to protect patient information and complying with the Security Rule’s requirements. OCR also launched three modules for providers on compliance with the HIPAA Privacy and Security Rules:

  1. Patient Privacy: A Guide for Providers;
  2. HIPAA and You: Building a Culture of Compliance; and
  3. Examining Compliance with the HIPAA Privacy Rule.

While these guides are not a substitute for legal advice, they should be helpful to providers and consumers.  The new tools also demonstrate OCR’s recognition that understanding HIPAA sometimes requires a little bit of help.

Written by Dianne J. Bourque and Stephanie D. Willis

The HIPAA Omnibus Rule goes into effect today, which officially starts the clock for covered entities, business associates, and their subcontractors to begin updating their agreements, forms, policies, procedures, and practices to meet approaching compliance deadlines.

Business Associate Agreement (BAA) and Data Use Agreement (DUA) compliance deadlines depend on whether there is a current agreement in place that meets regulatory requirements.  New BAAs and DUAs must comply with Omnibus Rule requirements by September 23, 2013; otherwise, BAAs and DUAs that only became non-compliant after the Office for Civil Rights (OCR) released the Omnibus Rule may remain in effect until September 22, 2014 (or until the applicable agreement renewal date).  All parties must still comply with the Breach Notification interim final rule requirements under the HITECH Act during the 180-day transition period between March 26th and September 23rd of this year.

In the meantime, covered entities and business associates should be at least planning, if not undertaking, the following tasks:

  1. Preparing new, Omnibus Rule-compliant BAAs and DUAs in advance of contract renewal dates or the compliance deadline;
  2. Updating HIPAA policies and procedures and training materials;
  3. (Re)educating staff on their duties and responsibilities regarding protected health information and breach notification requirements; and
  4. Remaining alert for additional guidance from OCR.

Originally posted in Mintz Levin’s Health Law Policy Matters blog.

By Dianne J. Bourque, Kimberly J. Gold, Ellen L. Janos, Julie K. Lappas, James Sasso, Kate F. Stewart, and Stephanie D. Willis

Mintz Levin is pleased to provide this section-by-section analysis of the HIPAA Omnibus Rule.

The chart lists provisions of the proposed privacy, security, and enforcement rules mandated by the Health Information Technology for Economic and Clinical Health Act (“HITECH”) published in a proposed rule on July 14, 2010; the interim final enforcement rule—including HITECH’s new, tiered penalty structure—published on October 30, 2009; and the interim final breach notification rule published pursuant to HITECH on August 24, 2009 (collectively, “Proposed Rules”) and compares them to the same regulatory provisions published on January 17, 2013 as part of the Omnibus Rule (“Final Rule”). Note that this summary does not include revisions under the Genetic Information Nondiscrimination Act (GINA), also published in the Final Rule.

For quick reference, our chart indicates whether or not there were changes between the Proposed Rules and the Final Rule and includes commentary on certain notable provisions.

We hope that this summary will serve as a useful tool as we all begin the process of understanding new requirements under HIPAA.

» View the chart.


The final regulations from the Department of Health and Human Services Office for Civil Rights (OCR) containing modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules (Omnibus Rule) have finally been released, but the hard work of interpreting them has just begun for covered entities, business associates, and downstream entities of business associates, all of whom are significantly affected by the rule.

OCR Director Leon Rodriguez declared that the new provisions in the Omnibus Rule “not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of [OCR] to vigorously enforce the HIPAA privacy and security protections.” The official press release announcing the Omnibus Rule confirms agency enforcement positions previously hinted at by HIPAA-related agency leaders, such as extending liability under HIPAA to business associates and subcontractors. The press release also previews the other “sweeping changes” under the rule, including:

  • streamlined authorization requirements for the use of individuals’ health information for research purposes;
  • new limits on permissible uses of information for marketing and fundraising purposes; and
  • prohibitions on the sale of individuals’ health information without their permission.

Mintz Levin’s initial impressions of the Omnibus Rule include the following:
  • No Mercy for Business Associates:
    • As expected, business associates now have direct liability under HIPAA and must comply with all of its security and certain privacy standards. OCR did not provide business associates additional time to comply, despite requests for time submitted during the public comment period.
    • Business associate subcontractors (vendors of business associates) have identical compliance obligations, no matter how removed or how “downstream” their services are from a covered entity.
    • Existing business associate agreements must be updated for compliance with the revisions in the Omnibus Rule, but they can continue to operate under certain existing contracts until September 23, 2014 (one year after the date required for compliance with the Omnibus Rule).
  • Dramatic Changes to Marketing Activity Requirements: The Omnibus Rule now requires that prior to sending any marketing materials to an individual relating to a product or service paid for by a third party, the covered entity sending the communication must obtain individual authorization to receive such communications. OCR removed the distinctions between authorization requirements for communications relating to treatment versus those for health care operations included in its proposed rule.
  • Breach Analysis Changes: The Omnibus Rule requires a potential breaching party to perform a four-factor risk assessment to determine whether the breach must be reported, with the effect of significantly reducing a covered entity’s discretion regarding whether or not a breach must be disclosed to affected individuals, the government, and potentially the media.
  • Family Access to Decedents’ Personal Health Information (PHI): Family members of a decedent who were involved in the person’s care prior to his or her death may now access the decedent’s PHI.

Mintz Levin is actively preparing a variety of educational materials and resources for covered entities, business associates, and downstream entities affected by the Omnibus Rule. The first of these materials will be a chart comparing the differences between the proposed and final rules to be published early this week.

As we pore over the 562-page HITECH Omnibus Rule released by the Department of Health and Human Services late yesterday afternoon, here are some top-line bullet points:

  • Effective Date:  Rule becomes effective on March 26, 2013.  Covered entities and business associates must comply by September 23, 2013.
  • Business Associates are now front and center — During its announcement yesterday, Leon Rodriguez, director of the HHS Office for Civil Rights (OCR), clearly pointed out that “some of the largest breaches” reported to the agency have involved business associates. The Omnibus Rule applies all of the HIPAA Security Rule standards and implementation specifications and certain HIPAA Privacy Rule provisions directly to business associates; it adds “subcontractors” to the definition of “business associate” and requires business associates to enter into written contracts with subcontractors that are substantially similar to business associate agreements. Although there is a bit of a runway before these provisions take effect, there is no time to waste for companies to determine (a) whether they are indeed “business associates” under this new, expanded view (there may be some surprises), and (b) if they are, how far down their technology “stack” they may have to go under the Omnibus Rule to identify their “subcontractors.” This is also a good time for covered entities to determine and catalog exactly who is a “business associate” for their purposes. Risk assessments and gap analyses always take more time than estimated. OCR’s comments yesterday are consistent with its view that business associate compliance with HITECH is poor, resulting in breaches and other security incidents that jeopardize patient privacy. During the public comment period, entities filed comments requesting additional time and assistance for business associates and subcontractors. In response, OCR provided a link to pre-existing compliance guidance.
  • Breach Notification:  Omnibus Rule replaces the current version of the HIPAA Breach Notification Rule with a new version stating that an acquisition, access, use, or disclosure of PHI not permitted under the Privacy Rule is presumed to be a breach unless a covered entity or business associate can demonstrate a low probability that the PHI has been compromised based on a four-factor risk assessment.
  • Enforcement:  The Omnibus Rule incorporates the increased and tiered civil money penalty structure provided by the HITECH Act with penalties based on the level of negligence with a maximum penalty of $1.5 million per violation.

Director Rodriguez was clear in his statement yesterday:  “This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.  These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

More to come in the days and weeks ahead.

As originally posted in Mintz Levin’s Health Law & Policy Matters blog

Written by: Stephanie D. Willis

The Department of Health and Human Services, Office for Civil Rights (OCR) reached its first settlement for a breach involving data on fewer than 500 individuals. Under the December 2012 settlement, the Hospice of North Idaho (HONI) will pay OCR a $50,000 penalty to resolve allegations that it violated the HIPAA Security Rule. The breach occurred in June 2010 with the theft of an unencrypted laptop computer containing the electronic protected health information (ePHI) of 441 HONI patients. OCR investigated the breach after HONI disclosed it in the annual report of breaches involving fewer than 500 individuals that the HITECH Act requires.

The Resolution Agreement subjects HONI to a two-year Corrective Action Plan (CAP), under which it must closely monitor and promptly investigate any potential violations of HIPAA Privacy and Security policies and procedures by its employees. If HONI determines that a violation (Reportable Event) occurred, it must report the details of the investigation and all corrective action taken to address the Reportable Event to OCR within 30 days. (We note that it is unclear whether the 30-day countdown starts from the date the Reportable Event occurred or from the conclusion of the investigation.) Within 30 days of the end of each year the CAP is in place, HONI must notify OCR if no Reportable Events have occurred during the preceding year.

Providers may learn three lessons from the HONI resolution:

  1. OCR pays attention to the annual reports of breaches required under the Breach Notification Rule;
  2. no breach is “too small” for OCR enforcement action; and
  3. mobile device and laptop security is a continued concern for OCR.

Again, the risks related to the use of mobile devices like laptops, PDAs, and smartphones are well known and have been addressed in previous blog posts both here and in our Health Law & Policy Matters blog on “bring your own device” policies and the Massachusetts Eye and Ear Infirmary resolution (also stemming from a self-reported breach). As OCR Director Leon Rodriguez emphasized in the HONI resolution press release, “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.” The HONI resolution shows that OCR will continue to address all breaches, large or small.


Originally posted by Dianne Bourque in Mintz Levin’s Health Law & Policy Matters blog

As the old saying goes, “no good deed goes unpunished….” The most recent published Office for Civil Rights (OCR) HIPAA enforcement action serves as an important reminder that self-reported breaches can and do lead to investigations and enforcement.

Massachusetts Eye and Ear Infirmary was following the HITECH breach notification rules when it reported the theft of an unencrypted laptop in 2010.  The laptop contained the protected health information of MEEI patients and research subjects, including prescription and health information.  OCR investigated the breach and brought an enforcement action, citing MEEI for a number of HIPAA security rule violations.  Not unexpectedly, OCR was focused on laptop security and the security of portable devices generally, which has been an enforcement priority of OCR.

The MEEI enforcement provides other important reminders for covered entities:

1. Avoid breaches and breach notifications, which can lead to investigations.

2. Encrypt laptops and other portable devices.

3. Keep track of portable devices.

4. The OCR trend toward seven-figure fines is continuing (the MEEI settlement was $1.5 million).

To read the MEEI resolution agreement, click here. The related OCR press release is here.

Written by:  Dianne Bourque and Stephanie Willis

As promised by the Department of Health and Human Services’ Office of Civil Rights (OCR) and as reported here on June 11th, OCR has released its HIPAA privacy and security audit protocols.  The audit protocols are intended to cover the three main areas of HIPAA privacy and security enforcement:

  1. Privacy Rule requirements, specifically:
     • notice of privacy practices for Protected Health Information (PHI);
     • rights to request privacy protection for PHI;
     • access of individuals to PHI;
     • administrative requirements;
     • uses and disclosures of PHI;
     • amendment of PHI; and
     • accounting of disclosures.
  2. Security Rule requirements for administrative, physical, and technical safeguards.
  3. Breach Notification Rule requirements.

The protocol addresses 165 performance criteria: 77 focus exclusively on compliance with the Security Rule, and the remaining 88 deal with Breach Notification and Privacy Rule requirements combined.

Senior Advisor David Mayer of OCR, during his presentation at the 2012 American Health Lawyers Association Annual Meeting in Chicago, Illinois, stated that the protocol presently on the website is actually an updated version of the protocol used to audit the first 20 covered entities selected for examination during the HITECH audit pilot program period. He also stated that ninety-five more covered entities will be audited to meet OCR’s goal of auditing 115 entities, and that OCR did not open any additional reviews related to the 20 audits it has completed so far. Finally, he noted that once the HIPAA Omnibus Rule is published, OCR will likely audit business associates thereafter.

Mr. Mayer also provided some of his preliminary observations gathered during the audit pilot program period.  An audible gasp rose from the crowd when he recounted a story where, when the KPMG auditors arrived to complete the audit of the covered entity, the covered entity’s representatives essentially said, “We have nothing; we are so glad to see you because we need your help.”  The audit was a wake-up call to the covered entity to prioritize HIPAA privacy and security compliance programs.

Mr. Mayer announced that OCR plans to continue its audit program in 2013 and 2014, and that the agency has been appropriated the money to do so.  All covered entities, particularly small providers (who historically have constituted a high proportion of HIPAA violations), should take the opportunity to use the audit protocols as a guide to draft or revamp their HIPAA compliance policies and procedures as well as to devise a plan of action to respond to audits in an organized and comprehensive manner.

Mr. Mayer noted to the audience that they’d be “surprised” at how many covered entities do not have HIPAA compliance policies and procedures in place. All covered entities should take this comment to mean that it is not too late to put some in place, rather than as a signal that there is still time to do so.

If you have questions regarding HIPAA compliance or HIPAA audit response plans, please contact a member of your Mintz Levin service team or a Mintz Levin privacy attorney.

Originally posted at