HealthBlawg

David Harlow's Health Care Law Blog


HIPAA News from OCR: FAQs and Fines

April 30, 2019

In the past week, OCR has released two new issuances touching on HIPAA interpretation and enforcement. On the one hand, the regulated community eagerly awaits and devours these morsels as they are doled out. On the other hand, these particular morsels are unremarkable sub-regulatory issuances; one restates and interprets regulations in a manner that comes as no surprise to those of us immersed in HIPAA and the other announces an approach to exercising enforcement discretion that may well change again in the future.

Here are the specifics:

First: Five new FAQs on HIPAA — The HIPAA access right, health apps, & APIs. The questions center on whether apps not developed and delivered by a covered entity, a business associate, or a downstream contractor of a business associate are covered by HIPAA, and whether upstream regulated parties (CEs and BAs) are liable for inappropriate releases of data by such third parties. Unsurprisingly, the answer is no — a patient may direct a CE to release their PHI in whatever manner or format the patient desires, so long as the CE is set up to do so. Secure API to an app, insecure email at the patient’s direction so long as the patient is aware of the potential issues — all OK; it’s up to the patient. A couple of the FAQs focus on the slightly more complicated situation where an app developer may be acting on behalf of a CE or BA, in which case the delivery of the PHI via the app is subject to HIPAA, and any potential breach could yield liability up and down the food chain.

Of course, breaches not covered by HIPAA are covered by the FTC health data breach notification rule issued under the HITECH Act.

(Some of us would rather see OCR using its capital to insist that CEs release PHI at the direction of patients — something that is still much harder for many patients than it should be — or to issue a FAQ confirming that sending PHI via SMS should be seen in the same light as sending PHI via email.)

Second: OCR has adjusted downward the maximum fines that it will assess for HIPAA breaches under the HIPAA Enforcement Rule. Whether or not OCR makes such an announcement in advance, it has the discretion to impose fines lower than the maximum. However, the agency has announced that it erred (in its incarnation under the previous Administration) in interpreting an internally inconsistent statute and that it has now identified the correct interpretation, which leads to permitting fines of $1.5 million only in extensive cases of uncorrected willful neglect.

Given this retrenchment, I expect the regulated community will breathe easier, knowing that it is unlikely to face multi-million-dollar fines for lower levels of culpability. However, the agency has been measured in assessing fines and — quite frankly — fines (low, high, or indifferent) don’t seem to be having a significant effect on the frequency or severity of breaches in the wild. In any event, signaling that fines will be lower is not likely to improve compliance.

Despite these announcements, covered entities, business associates and app developers not covered by HIPAA must all remain vigilant and hew to a higher standard in order to maintain the privacy and security of sensitive data.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Filed Under: Compliance, FTC, Health care policy, Health Law, HIPAA, OCR, Privacy, Security


Copyright © 2006–2023
HealthBlawg is a publication of The Harlow Group LLC. See Copyright notice and disclaimer.
Fair use with attribution and a link is encouraged. Click for more on David Harlow.