HHS Office of Civil Rights

OCR Doubles Down: Two Settlements in Two Months for Two Common Cybersecurity Issues

On Dec. 7, 2023, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), announced a settlement with a Louisiana medical group specializing in emergency medicine, occupational medicine, and laboratory testing. The settlement resolves an investigation into a phishing attack that affected the electronic protected health information (PHI) of approximately 34,862 individuals. It is the first settlement OCR has reached involving a phishing attack under the Health Insurance Portability and Accountability Act (HIPAA) Rules. It also comes just a handful of weeks after OCR announced a settlement with a Massachusetts medical management company in connection with a large breach report regarding a ransomware attack that affected the PHI of 206,695 individuals, the first ransomware settlement OCR has reached.

A HIPAA Right to Privacy Remains: Federal Government Issues Guidance and Orders Following Supreme Court Decision in Dobbs

Following the publication of the U.S. Supreme Court opinion in Dobbs v. Jackson Women's Health Organization, on June 29, 2022, the U.S. Department of Health and Human Services' Office for Civil Rights (HHS) issued guidance regarding disclosures of protected health information (PHI) concerning reproductive health procedures such as abortion. The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule governs the disclosure of PHI by most health care providers, as well as employer-sponsored health plans (Covered Entities), and generally restricts the use or disclosure of PHI without the individual's authorization except in specifically enumerated circumstances. HIPAA does permit Covered Entities to disclose PHI without a patient's authorization (or, in some instances, without notice and an opportunity to object) in several situations, including 1) disclosures required by law; 2) disclosures for law enforcement purposes; and 3) disclosures to avert a serious threat to health or safety. In the guidance, HHS notes that under each of these exceptions, HIPAA permits but does not require disclosure of PHI by a Covered Entity. HHS further reiterates that any disclosure made under one of these exceptions must be limited to the minimum PHI necessary to respond to the request.