New NPRM Makes Changes Geared to Reproductive Privacy Under HIPAA

NPRM relates to reproductive privacy under HIPAA

You’ve likely heard by now that the Office for Civil Rights (the OCR) published a Notice of Proposed Rulemaking (NPRM) on April 17, 2023, that makes changes to the HIPAA Privacy Rule to promote reproductive privacy (see the HHS Fact Sheet). The new NPRM makes changes related to uses and disclosures, and Notices of Privacy … Read more

Minimize Risk: Healthcare’s Need to Address the Unknown Unknowns

risk management

Government agencies – state and federal – have spent the past several months trying to get healthcare’s attention about cybersecurity and simple steps that organizations can take to reduce their risk of ransomware (aka minimize risk). “There are known knowns; there are things we know we know. We also know there are known unknowns; that … Read more

How the SHIELD Act Expands Legal Reach on Breaches

New York SHIELD Act image

Interested in some (thankfully) non-pandemic related news? New York State’s SHIELD Act is in effect as of March 21, 2020. The SHIELD Act (Stop Hacks and Improve Electronic Data Security Act) takes several actions, including: broadening the definition of “Private Information”, expanding the definition of breach, and expanding the reach of the law to include … Read more

Return from Remote Work: How do you secure remotely used data & devices?

return from remote work

As things ease up, and slowly people return to the office, what steps do you need to take to make sure data and devices are secure? It’s not quite a reversal of what covered entities (CE) and business associates (BA) went through when everyone who was non-essential was required to go to remote work, but … Read more

Attention Business Associates! New OCR Announcement re PHI during COVID-19 Relates to You

Business Associates HIPAA National Emergency

On April 2, 2020, the Office for Civil Rights (OCR) at the U.S Department of Health and Human Services (HHS) announced that effective immediately, it will exercise its enforcement discretion and will not impose penalties for violations of certain provisions of the HIPAA Privacy Rule against health care providers or their business associates for the … Read more

Business Associate or Conduit? Why a BAA likely applies to you.

BAA protect PHI

Ever run into a vendor who claims to be a conduit versus a business associate (BA)? It happens all too often, in my experience. Here’s the problem: the conduit exception is a narrow one. If you’re storing PHI data, even encrypted PHI where you don’t have the encryption key, you’re a BA. Sign the Business … Read more

The CCPA and the Iffy Territory of the “HIPAA exemption”

CCPA HIPAA exemption

A brief recap: The California Consumer Privacy Act (CCPA) aims to give California consumers greater control over their personal information by imposing certain obligations on entities covered by the law. The CCPA takes effect January 1, 2020. And as we said in an earlier blog article, you don’t have to be a California-based business to … Read more

Privacy and Security Training: Less hype, less myth, more HIPAA realities.

HIPAA privacy and security training

I’m often taken aback by some of the marketing material I receive from privacy and security training vendors.  This is clearly a “buyer beware” moment.  The review of a training vendor’s material can give you some insight into their credibility. Particularly if you’re already somewhat knowledgeable of the material that needs to be covered in … Read more

Minor Privacy Rights: Where Feds & State Diverge

minor privacy laws

In most instances, HIPAA rules apply for adults and minors. That’s to say, the federal regulation sets the bar. HIPAA treats minors as adults when it comes to privacy rights if they’ve reached the age of informed consent except when state laws say otherwise. Some state laws permit or require disclosure to parents or guardians … Read more

When does State law trump HIPAA?

When State law requirements are tougher than HIPAA, then it’s likely that the State law is the one you need to follow. When does it not? When it’s “contrary.” Then, it may be submitted for exemption – in other words, may be up for consideration to “trump” the federal regulations. However, it’s rare that a … Read more