HHS Office of Civil Rights

Subscribe to HHS Office of Civil Rights via RSS

A recent decision from the Northern District of Texas has upended the Department of Health and Human Services’ 2024 amendments to the HIPAA Privacy Rule (the 2024 Rule), which were intended to bolster privacy protections for reproductive health care information.

The court’s ruling in Purl v. HHS vacates almost all of these amendments, finding that HHS overstepped its statutory authority and improperly interfered with state law.Continue Reading HIPAA’s Reproductive Health Shake-Up:  What the Purl Ruling Means for Health Plans and Covered Entities

Special thanks to Taft summer associates Tanner Wilburn and Lizzie Dobbins for their contributions to this post. 

On June 20, 2024, the U.S. District Court for the Northern District of Texas vacated a portion of guidance issued by the Department of Health and Human Services (HHS) regarding the use of online tracking technologies. This decision is beneficial to healthcare providers and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) which use third-party tracking tools on their public-facing websites, but such entities should be cautious to not read the case too broadly.Continue Reading Federal Court Strikes Down HHS Rule on Website Tracking Technologies… To an Extent

Special thanks to Taft summer associate Tanner Wilburn for his significant contributions to this post. 

Earlier this year, we provided a law bulletin on changes coming to the Health Insurance Portability and Accountability Act (HIPAA). To recap briefly, in April 2024, the Department of Health and Human Services (HHS) issued a final regulation that modified the HIPAA Privacy Rule to safeguard individuals’ protected health information (PHI) concerning reproductive health care.

The regulations go into effect on June 25, 2024, and those subject to the regulations must comply with the requirements by December 23, 2024. HHS also set a special compliance date of February 16, 2026, for the regulations’ changes involving HIPAA notices of privacy practices (NPPs).

With the law going into effect this week and the compliance deadline coming in six months, we’ve put together a breakdown of what must happen, and when. Continue Reading Six Months to Go: HIPAA Privacy Rule Changes Require Additional Diligence

On Dec. 7, 2023, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), announced a settlement with a Louisiana medical group specializing in emergency medicine, occupational medicine, and laboratory testing. The settlement resolves an investigation following a phishing attack that affected the electronic protected health information (PHI) of approximately 34,862 individuals. This marks the first settlement OCR has resolved involving a phishing attack under the Health Insurance Portability and Accountability Act (HIPAA) Rules. Additionally, this settlement comes just a handful of weeks after OCR announced a settlement with a Massachusetts medical management company in connection with a large breach report regarding a ransomware attack that affected the PHI of 206,695 individuals – becoming the first ransomware agreement OCR has reached as well.Continue Reading OCR Doubles Down: Two Settlements in Two Months for Two Common Cybersecurity Issues

Following the publication of the U.S. Supreme Court opinion in Dobbs v. Jackson Women’s Health Organization, on June 29, 2022, the U.S. Department of Health and Human Services’ Office for Civil Rights (HHS) issued guidance regarding disclosures of protected health information (PHI) concerning reproductive health procedures such as abortion. The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule governs the disclosure of PHI by most health care providers, as well as employer-sponsored health plans, (Covered Entities), generally restricting the use or disclosure of PHI without the individual’s authorization other than in specifically excepted circumstances. Specifically, HIPAA does permit Covered Entities to disclose PHI without a patient’s authorization (or in some instances, notice and an opportunity to object), including 1) Disclosures required by law; 2) Disclosures for law enforcement purposes; and 3) Disclosures to avert a serious threat to health or safety. In the guidance, HHS notes that under each of these exceptions, HIPAA permits but does not require disclosure of PHI by a Covered Entity. HHS further reasserts that any disclosure made pursuant to one of the above permitted disclosures must be limited to the minimum PHI necessary to respond to the permitted disclosure request.
Continue Reading A HIPAA Right to Privacy Remains: Federal Government Issues Guidance and Orders Following Supreme Court Decision in Dobbs