On June 20, 2024, the United States District Court for the Northern District of Texas ordered the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) to vacate its guidance that had restricted HIPAA-covered entities’ use of third party online tracking technologies, such as common website advertising and analytics tools. In vacating the guidance, the court held that the agency exceeded its authority by redefining what is considered protected health information (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). While this order is a defeat for OCR’s guidance on online tracking technologies, regulated companies should react cautiously. The order could be appealed and potentially reversed, OCR could still bring enforcement actions in other circuits advancing their interpretation of PHI, and the Federal Trade Commission’s (FTC’s) laws and state privacy laws could still apply.Continue Reading Texas District Court Vacates OCR’s HIPAA Bulletin on Online Tracking Technologies, But Issues Mixed Decision
HIPAA
OCR at HHS Updates Guidance on Use of Online Tracking Technology by HIPAA-Regulated Entities
On March 18, 2024, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) updated its guidance on the use of online tracking technology by covered entities regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and their business associates (together, “regulated entities”). While the updated guidance from OCR seems intended to clarify, and even narrow, the circumstances under which regulated entities’ use of websites and mobile app tracking technologies constitutes a disclosure of Protected Health Information (PHI), it fails to provide clarity on the exact scope, rendering compliance challenging. We summarize the updates to the guidance below and analyze briefly how these updates may impact the use of tracking technologies on unauthenticated and authenticated webpages, and what companies may explore in terms of compliance.Continue Reading OCR at HHS Updates Guidance on Use of Online Tracking Technology by HIPAA-Regulated Entities
FTC Announces Proposed Amendments to the Health Breach Notification Rule
On May 18, 2023, the Federal Trade Commission (FTC) announced a number of proposed amendments to the Health Breach Notification Rule (the Rule), the latest in a series of actions taken by the agency to…
Continue Reading FTC Announces Proposed Amendments to the Health Breach Notification RuleHHS Proposes Purpose Limitation on Disclosures of PHI Related to Reproductive Health
On April 12, 2023, the Biden administration announced a notice of proposed rulemaking (NPRM) from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), the agency responsible for enforcing the Health…
Continue Reading HHS Proposes Purpose Limitation on Disclosures of PHI Related to Reproductive HealthHHS Brings Landmark HIPAA Enforcement Action Against a Business Associate for Alleged Data Security Failures
On June 29, 2016, the U.S. Department of Health and Human Services (HHS) announced a Resolution Agreement with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), settling charges that CHCS failed to comply…
Continue Reading HHS Brings Landmark HIPAA Enforcement Action Against a Business Associate for Alleged Data Security Failures
HHS Issues HIPAA Guidance for Mobile Health Apps
The U.S. Department of Health and Human Services (HHS) recently issued guidance to help mobile application developers analyze whether the Health Insurance Portability and Accountability Act of 1996 (HIPAA) may apply to them.1 Not every mobile application developer that handles personal health information is subject to HIPAA regulation, and determining whether HIPAA applies is situation-dependent and requires thoughtful analysis. The HHS guidance lists some of the factors to consider when assessing whether HIPAA applies to an app developer and analyzes several scenarios where apps handle health-related information.
Continue Reading HHS Issues HIPAA Guidance for Mobile Health Apps
HHS Ends 2015 with Three HIPAA Enforcement Settlements
In late 2015, the U.S. Department of Health and Human Services (HHS) announced three settlements in which the agency will collect over $5 million in collective penalties for alleged non-compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). In addition to the monetary penalties, each of the settlements requires compliance with a Corrective Action Plan (CAP), calling for the organizations to invest significant resources toward HIPAA compliance.
Continue Reading HHS Ends 2015 with Three HIPAA Enforcement Settlements