• Posts by Laura J. DePonio
    Associate

    Attorney Laura DePonio* draws on her in-house experience and knowledge of health care operations, as well as her understanding of the legal and regulatory challenges of emerging technologies, to help her clients achieve their ...

Blogs
5 minute read

As cyberattacks targeting the health care sector have continued to intensify over the past year, including ransomware attacks that have resulted in major data breaches impacting health care organizations, the protection of health data has gained the focus of regulators and prompted bipartisan legislative efforts to strengthen cybersecurity requirements in the health care sector.

OIG Report on OCR’s HIPAA Audit Program

Under the Health Information Technology for Economic and Clinical Health Act (HITECH), the HHS Office for Civil Rights (OCR) is required to perform periodic audits of covered entities and business associates (collectively, Regulated Entities) to assess compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules (collectively, “HIPAA Rules”).

Last month, the HHS Office of Inspector General (OIG) released a new report assessing OCR’s HIPAA audit program, raising concerns about the effectiveness of current oversight and the need for enhanced measures to address growing cybersecurity risks in the sector. In its assessment of OCR’s HIPAA audit program, OIG reviewed OCR’s final HIPAA audit reports of Regulated Entities, guidance, and enforcement activities from January 2016 to December 2020.

Blogs
11 minute read

On January 8, 2025, Massachusetts Governor Maura Healey signed into law House Bill No. 5159, “An Act enhancing the health care market review process” (“H. 5159”), which was passed by the Massachusetts legislature in the last few days of 2024. The bill, which takes effect April 8, will implement greater scrutiny of certain health care entities and affiliated companies—including private equity sponsors, significant equity investors, health care real estate investment trusts (“REITs”), and management services organizations (“MSOs”)—as well as pharmaceutical companies and pharmacy benefit management companies (“PBMs”) in the Commonwealth. 

The passage of H. 5159 follows debate between the House and Senate earlier in 2024 over similar bills, which failed to pass during the summer legislative session. Notably, similar bills included debt limitations on certain private investor-backed entities and bans of certain private equity investments, as well as significant restrictions on the MSO business model. However, these restrictions (among various others) were stripped from H. 5159.

Although H. 5159 has widespread implications for health care entities in the Commonwealth, a significant portion of the bill is clearly aimed at increasing regulatory oversight of for-profit-backed health care organizations through increased regulatory oversight of certain health care transactions and expanded reporting obligations. The bill also seeks to contain health care costs, including by increasing oversight of pharmaceutical company and PBM arrangements.

Blogs
3 minute read

On March 18, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued updated guidance regarding the use of online tracking technologies by entities and business associates subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

The updated guidance replaced OCR’s original guidance issued in December 2022, both of which warn companies subject to HIPAA, Covered Entities and their Business Associates (collectively “Regulated Entities”), that use of online tracking technologies, such as cookies and pixels, may result in the impermissible disclosure of Protected Health Information (“PHI”) to third parties in violation of HIPAA, including “individually identifiable health information” (“IIHI”). The guidance explained that covered entities’ HIPAA obligations are triggered where an online tracking technology connects an individual’s IP address with a visit to an unauthenticated public webpage addressing specific health conditions or health care providers (the “Proscribed Combination”).

Blogs
11 minute read

On August 5, 2024, the Office of the National Coordinator for Health Information Technology—now known as the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health IT (“ASTP/ONC”) within the U.S. Department of Health and Human Services (“HHS”)—issued a proposed rule titled “Health Data, Technology, and Interoperability: Patient Engagement, Information Sharing, and Public Health Interoperability” (the “HTI-2 Proposed Rule”), as part of its ongoing efforts to enhance health care interoperability and data sharing. The HTI-2 Proposed Rule builds on the January 2024 “Health Data, Technology, and Interoperability” final rule (the “HTI-1 Final Rule”). Comments on the HTI-2 Proposed Rule are due October 4.

Through the proposed changes, ASTP/ONC would (1) make sweeping changes to its Health Information Technology Certification Program (“HIT Certification Program”); (2) make revisions to the information blocking regulation, including implementing two new information blocking exceptions; and (3) codify and implement the statutory provisions regarding the Trusted Exchange Framework and Common Agreement (“TEFCA”) requirements.

New and Revised HIT Certification Criteria

The proposed changes in the HTI-2 Proposed Rule would significantly expand the scope of the HIT Certification Program to introduce additional functionality and new technology for developers of HIT used by health care providers and HIT that is intended to be used by payers and for public health agencies. The certification criteria introduced in HTI-2 for payers would mark the first time that the health IT certification program is extended beyond certified electronic health record (EHR) technology developers. Some notable changes include the following:

Blogs
9 minute read

The Supreme Court’s 2022 decision in Dobbs v. Jackson Women’s Health Organization to eliminate the federal constitutional right to abortion continues to alter the legal landscape across the country. On April 26, 2024, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) published the “HIPAA Privacy Rule to Support Reproductive Health Care Privacy” (the “Final Rule”).

The Final Rule—amending the Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) under the Health Insurance ...

Blogs
7 minute read

On March 18, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued updated guidance regarding the use of online tracking technologies by entities and business associates subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

Notably, the updated guidance replaces OCR’s original guidance issued in December 2022, both of which warn companies subject to HIPAA, Covered Entities and their Business Associates (collectively “Regulated Entities”), that use of online tracking technologies, such ...

Sign up to receive an email notification when new Health Law Advisor posts are published: