As Cyberattacks targeting the health care sector have continued to intensify over the past year, including ransomware attacks that have resulted in major data breaches impacting health care organizations, the protection of health data has gained the focus of regulators and prompted bipartisan legislative efforts to strengthen cybersecurity requirements in the health care sector.
OIG Report on OCR’s HIPAA Audit Program
Under the Health Information Technology for Economic and Clinical Health Act (HITECH), the HHS Office for Civil Rights (OCR) is required to perform periodic audits of covered entities and business associates (collectively, Regulated Entities) to assess compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules (collectively, “HIPAA Rules”).
Last month, the HHS Office of Inspector General (OIG) released a new report assessing OCR’s HIPAA audit program, raising concerns about the effectiveness of current oversight and the need for enhanced measures to address growing cybersecurity risks in the sector. In its assessment of OCR’s HIPAA audit program, OIG reviewed OCR’s final HIPAA audit reports of Regulated Entities, guidance, and enforcement activities from January 2016 to December 2020.
On January 5, 2020, HR 7898, became law amending the Health Information Technology for Economic and Clinical Health Act (HITECH Act), 42 U.S.C. 17931, to require that “recognized cybersecurity practices” be considered by the Secretary of Health and Human Services (HHS) in determining any Health Insurance Portability and Accountability Act (HIPAA) fines, audit results or mitigation remedies. The new law provides a strong incentive to covered entities and business associates to adopt “recognized cybersecurity practices” and risk reduction frameworks when complying ...
On January 28, 2020, the Department of Health & Human Services (“HHS”) Office for Civil Rights (“OCR”) addressed a federal court’s January 23rd invalidation of certain provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) rule relating to the third-party requests for patient records. In Ciox Health, LLC v. Azar,[1] the court invalidated the 2013 Omnibus Rule’s mandate that all protected health information (“PHI”) maintained in any format (not just that in the electronic health record) by a covered entity be delivered to third parties at the request of an individual, as well as the 2016 limitation on fees that can be charged to third parties for copies of protected health information (“PHI”).
As enacted, HIPAA’s Privacy Rule limits what covered entities (or business associates acting on behalf of covered entities)[2] may charge an “individual” requesting a copy of their medical record to a “reasonable, cost-based fee”[3] (the “Patient Rate”). The Privacy Rule did not, however, place limitations on the fees that can be charged to other requestors of this information, such as other covered entities that need copies of the records for treatment purposes or for disclosures to attorneys or other third parties. In order for some of these third parties to obtain the records, the patient would have to provide the covered entity with a valid HIPAA authorization.
Blog Editors
Recent Updates
- Recent Developments in Health Care Cybersecurity and Oversight: 2024 Wrap Up and 2025 Outlook
- Massachusetts Governor Maura Healey Signs into Law a Sweeping Health Care Market Oversight Bill
- Second Circuit Adopts “At Least One Purpose” Rule for False Claims Act Cases Premised on Anti-Kickback Statute Violations
- Supreme Court of Ohio Decides on a Peer-Review Privilege Issue in Stull v. Summa
- Unpacking Averages: Exploring Data on FDA’s Breakthrough Device Program Obtained Through FOIA