On March 18, 2024, the US Department of Health and Human Services (HHS) issued an updated, 17-page Bulletin titled “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates (the Bulletin). Our readers may recall that HHS had
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) plans to issue an advance notice of proposed rulemaking this November on potentially sharing HIPAA breach settlements with victims.
This week, the US Department of Health and Human Services HHS Office for Civil Rights published a January 2018 newsletter focusing on cyber extortion.
Recent comments by FTC Chairwoman Edith Ramirez suggest that a company’s failure to take preventative measures to address ransomware could result in an enforcement action by the FTC, even if a company is never actually subject to a ransomware attack. The Chairwoman’s comments reflect a growing concern among US government agencies regarding ransomware and may foreshadow additional FTC action, building upon a developing trend of US regulators engaging in pre-breach enforcement action.
The Department of Health and Human Services and its Office of Civil Rights (OCR) are capping off a very active 2016. In the last 6 months, the OCR has released a new audit protocol, announced new rounds of HIPAA audits, and stepped up enforcement. The flurry of activity comes after a prolonged period of anticipation in which Covered Entities and Business Associates were working to ensure that their data protection practices comply with the new set of HIPAA Omnibus rules. The OCR has made clear that it is not focused merely on large institutions or hospital systems. In August, the OCR announced that breaches affecting fewer than 500 individuals will be subject to investigation by its regional offices. Thus, even entities with small incidents or small amounts of protected health information (PHI), such as employee health plans, could see a higher rate of enforcement and a higher possibility of major fines if they fail to comply with HIPAA. Also within the OCR’s sights are Business Associates, as the Omnibus rule empowered the OCR to directly investigate and enforce Business Associates’ compliance with HIPAA’s requirements that the Omnibus rule extended to these entities.
On June 12, 2016, the HHS Office of Civil Rights (OCR) released guidance, entitled “FACT SHEET: Ransomware and HIPAA,” in response to the rising number of ransomware attacks perpetrated against healthcare entities. The guidance addresses Health Insurance Portability and Accountability Act (HIPAA) issues that may arise when medical records containing Protected Health Information (PHI) are compromised or stolen during a ransomware attack. OCR’s view is that compliance with HIPAA’s information security requirements assists healthcare entities in preventing and recovering from ransomware attacks.
As we reported on the Health Law Pulse blog, the HHS Office of Civil Rights (OCR) has unveiled a new resource to provide mobile health developers guidance on complying with applicable Health Information Portability and Accountability Act (HIPAA) requirements.