The American Hospital Association, joined by a few others, has sued the federal government to enjoin them from enforcing their published Guidance on “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.”
The Proposed Rule for enforcement is out, and the potential financial “hit” that health care providers may face if the OIG finds them to have violated the Information Blocking Rule (IBR) could be substantial, but don’t get spooked. The reach of the proposed enforcement has limitations. Read more to find out why.
OCR reaches a new $1.3 million dollar settlement with a health plan for HIPAA violations. OCR says, “HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA Rules, and not wait for OCR to reveal long-standing HIPAA deficiencies.” Employers that offer Employee Benefits must evaluate if they are responsible for a health plan with HIPAA compliance obligations.
OIG’s authority to begin enforcement of the Information Blocking Rule begins September 1, 2023. Certain Actors subject to the Information Blocking Rule may be subject up to a $1 million penalty per violation! Actors need to be proactive in ensuring their compliance with the Information Blocking Rule and not wait for the OIG to discover them.
Attorneys at Oscislawski LLC together with the New Jersey Hospital Association present this highly informational Webinar on compliance steps hospitals can take to attempt to manage the risks associated with use of technologies that include online tracking tools.
After OCR created a Morton’s Fork for hospitals and health systems by publishing its HIPAA Guidance on the Use of Online Tracking Technologies, the American Hospital Association initially stayed out of the fray. Not any more. In its letter dated May 22, 2023, AHA makes its case to HHS as to why OCR’s Online Tracking Guidance should be suspended or amended.
The FTC releases its second enforcement action under the Health Breach Notification Rule in just over 3 months. This time, the FTC found that a fertility app called Premom shared sensitive fertility information with third parties for unauthorized purposes. While Premom told its users that it would not share their health information with third parties without users’ consent, it used third-party automated tracking tools known as software development kits (SDKs) which shared highly sensitive health information (e.g., data about an individual user’s sexual & reproductive health, pregnancy status etc.) for advertising and marketing purposes.
The FTC issued a proposed order requiring BetterHelp to pay $7.8 million to consumers to settle charges that it shared consumers’ health data with Facebook, Pinterest, Snapchat, and Criteo after promising to keep such data private and claiming it is “certified” as “HIPAA compliant.” The real juice of this case is in the FTC compliant — and HIPAA-covered providers, facilities & organizations can learn a lot about what to watch out for with health data Apps as we continue to march towards the FHIR.
The forecast for Arizona is thunderstorms, at least for at least one health care system. Last week, OCR announced a $1.25 settlement for HIPAA Security Rule violations brought to light by a cybersecurity hacking incident that took place over five years ago.
The chickens have come home to roost for GoodRx. The FTC has assessed a $1.5 Million penalty against the telehealth and prescription drug discount provider for failing to report unauthorized disclosures as required by the Health Breach Notification Rule.
On December 1, 2022, OCR released a “guidance” Bulletin re: “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.” From it, we learned (among other things) that OCR believes that an individual’s IP addresses and geo location, collected by a regulated entity’s website, is protected by HIPAA. Now, we have come to learn that HIPAA compliance investigations by OCR are already underway concerning this topic. Are you ready?
The Court of Appeals for the Fifth Circuit vacated the $4.3M penalty imposed on M.D. Anderson as arbitrary, capricious and contrary to law.
Yesterday, all at once, OCR announced that it has entered into five new Resolution Agreements — each of them stemming from one or more violations of HIPAA’s right of access afforded to individuals. There are several interesting observations about these new cases that are worth taking note of.
At the last hour, CMS extended the deadline for publishing much anticipated changes to the Stark Law. Originally expected for publication this past August, CMS extended the deadline to August 2021, noting that “… we are still working through the complexity of the issues raised by comments received on the proposed rule and therefore we are not able to meet the announced publication target date.” Together with the OIG’s counterpart rule, the proposed rules contain the potential for significant modernization of the Stark Law and Anti-kickback Statute as part of the “Regulatory Spring to Coordinated Care” as well as increased alignment and coordination between the two sets of laws.
After over almost four months of no new HIPAA Resolution Agreements or Civil Money Penalties, OCR quietly posted two new HIPAA settlement agreements at the end of July. At first glance, both appear to be “run-of-the-mill” cases with nothing much new to learn with the first one resulting in OCR finding that the covered entity failed to even complete a basic Security Risk Analysis and training of workforce, and the other involving – yes, yet again – a stolen unencrypted laptop. However, the second case in particular deserves closer examination where it has embedded in it more complex corporate structure and liability issues where it actually involved two legally separate covered entities that elected to designated themselves as a single covered entity for purposes of HIPAA. Let’s look at each case separately.