Health Law Advisor

On March 18, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued updated guidance regarding the use of online tracking technologies by entities and business associates subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

The updated guidance replaced OCR’s original guidance issued in December 2022, both of which warn companies subject to HIPAA, Covered Entities and their Business Associates (collectively “Regulated Entities”), that use of online tracking technologies, such as cookies and pixels, may result in the impermissible disclosure of Protected Health Information (“PHI”) to third parties in violation of HIPAA, including “individually identifiable health information” (“IIHI”). The guidance explained that covered entities’ HIPAA obligations are triggered where an online tracking technology connects an individual’s IP address with a visit to an unauthenticated public webpage addressing specific health conditions or health care providers (the “Proscribed Combination”).

On August 5, 2024, the Office of the National Coordinator for Health Information Technology— now known as the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health IT (“ASTP/ONC”) within the U.S. Department of Health and Human Services (“HHS”)—issued a proposed rule titled “Health Data, Technology, and Interoperability: Patient Engagement, Information Sharing, and Public Health Interoperability” (the “HTI-2 Proposed Rule”), as part of its ongoing efforts to enhance health care interoperability and data sharing. The HTI-2 Proposed Rule builds on the January 2024 “Health Data, Technology, and Interoperability” final rule (the “HTI-1 Final Rule”). Comments on the HTI-2 Proposed Rule are due October 4.

Through the proposed changes, ASTP/ONC would (1) make sweeping changes to its Health Information Technology Certification Program (“HIT Certification Program”); (2) make revisions to the information blocking regulation, including implementing two new information blocking exceptions; and (3) codify and implement the statutory provisions regarding the Trusted Exchange Framework and Common Agreement (“TEFCA”) requirements.

New and Revised HIT Certification Criteria

The proposed changes in the HTI-2 Proposed Rule would significantly expand the scope of the HIT Certification Program to introduce additional functionality and new technology for developers of HIT used by health care providers and HIT that is intended to be used by payers and for public health agencies. The certification criteria introduced in HTI-2 for payers is the first time that the health IT certification program is being extended beyond the certified electronic health record (EHR) technology developers. Some notable changes include the following:

The Supreme Court’s 2022 decision in Dobbs v. Jackson Women’s Health Organization to eliminate the federal constitutional right to abortion continues to alter the legal landscape across the country. On April 26, 2024, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) published the “HIPAA Privacy Rule to Support Reproductive Health Care Privacy” (the “Final Rule”).

The Final Rule—amending the Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) under the Health Insurance ...

On March 18, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued updated guidance regarding the use of online tracking technologies by entities and business associates subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

Notably, the updated guidance replaces OCR’s original guidance issued in December 2022, both of which warn companies subject to HIPAA, Covered Entities and their Business Associates (collectively “Regulated Entities”), that use of online tracking technologies, such ...