On March 18, 2024, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) updated its guidance on the use of online tracking technology by covered entities regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and their business associates (together, “regulated entities”). While the updated guidance from OCR seems intended to clarify, and even narrow, the circumstances under which regulated entities’ use of websites and mobile app tracking technologies constitutes a disclosure of Protected Health Information (PHI), it fails to provide clarity on the exact scope, rendering compliance challenging. We summarize the updates to the guidance below and analyze briefly how these updates may impact the use of tracking technologies on unauthenticated and authenticated webpages, and what companies may explore in terms of compliance.Continue Reading OCR at HHS Updates Guidance on Use of Online Tracking Technology by HIPAA-Regulated Entities

 On June 29, 2016, the U.S. Department of Health and Human Services (HHS) announced a Resolution Agreement with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), settling charges that CHCS failed to comply
Continue Reading HHS Brings Landmark HIPAA Enforcement Action Against a Business Associate for Alleged Data Security Failures

 The U.S. Department of Health and Human Services (HHS) recently issued guidance to help mobile application developers analyze whether the Health Insurance Portability and Accountability Act of 1996 (HIPAA) may apply to them.1 Not every mobile application developer that handles personal health information is subject to HIPAA regulation, and determining whether HIPAA applies is situation-dependent and requires thoughtful analysis. The HHS guidance lists some of the factors to consider when assessing whether HIPAA applies to an app developer and analyzes several scenarios where apps handle health-related information.
Continue Reading HHS Issues HIPAA Guidance for Mobile Health Apps

 In late 2015, the U.S. Department of Health and Human Services (HHS) announced three settlements in which the agency will collect over $5 million in collective penalties for alleged non-compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). In addition to the monetary penalties, each of the settlements requires compliance with a Corrective Action Plan (CAP), calling for the organizations to invest significant resources toward HIPAA compliance.
Continue Reading HHS Ends 2015 with Three HIPAA Enforcement Settlements

 Following the conclusion of the Health Insurance Portability and Accountability Act (HIPAA) pilot audit program in 2012, speculation began about the timing of the permanent program of periodic HIPAA audits. Originally, the Department of Health and Human Service’s Office of Civil Rights (OCR) scheduled the permanent audit program for 2014. However, personnel and budget limitations delayed the launch, and the year came and went without implementation of the program.

With 2015 nearing its close, advisors in the health data industry may have felt like they were crying wolf while encouraging clients to take this time to review and improve HIPAA compliance efforts given the impending audits. Finally, however, in late September 2015, the OCR announced that the permanent audit program will launch in early 2016. Reports indicate that the OCR has already sent out inquiries to covered entities confirming contact information for possible follow-up.
Continue Reading No More Crying Wolf—HIPAA Audits Coming in 2016