HealthBlawg

David Harlow's Health Care Law Blog

HIPAA News from OCR: FAQs and Fines

April 30, 2019

In the past week, OCR has released two new issuances touching on HIPAA interpretation and enforcement. On the one hand, the regulated community eagerly awaits and devours these morsels as they are doled out. On the other hand, these particular morsels are unremarkable sub-regulatory issuances; one restates and interprets regulations in a manner that comes as no surprise to those of us immersed in HIPAA and the other announces an approach to exercising enforcement discretion that may well change again in the future.

Here are the specifics:

First: Five new FAQs on HIPAA — The HIPAA access right, health apps, & APIs. The questions center on whether apps not developed and delivered by a covered entity or a business associate or a downstream contractor of a business associate are covered by HIPAA, and whether upstream regulated parties (CEs and BAs) are liable for inappropriate releases of data by such third parties. Unsurprisingly, the answer is no — patients may direct a CE to release their PHI in whatever manner or format they desire, so long as the CE is set up to do so. Secure API to an app, insecure email at the patient’s direction so long as the patient is aware of the potential issues — all OK; it’s up to the patient. A couple of the FAQs focus on the slightly more complicated situation where an app developer may be acting on behalf of a CE or BA, in which case the delivery of the PHI via the app is subject to HIPAA, and any potential breach could yield liability up and down the food chain.

Of course, breaches not covered by HIPAA are covered by the FTC health data breach notification rule issued under the HITECH Act.

(Some of us would rather see OCR using its capital to insist that CEs release PHI at the direction of patients — something that is still much harder for many patients than it should be — or to issue a FAQ confirming that sending PHI via SMS should be seen in the same light as sending PHI via email.)

Second: OCR has adjusted downward the maximum fines that it will assess for HIPAA breaches under the HIPAA Enforcement Rule. Whether or not OCR makes such an announcement in advance, it has the discretion to impose fines lower than the maximum. However, the agency has announced that it erred (in its incarnation under the previous Administration) in interpreting an internally inconsistent statute and that it has now identified the correct interpretation, which leads to permitting fines of $1.5 million only in extensive cases of uncorrected willful neglect.

Given this retrenchment, I expect the regulated community will breathe easier, knowing that it is unlikely to face multi-million-dollar fines for lower levels of culpability. However, the agency has been measured in assessing fines and — quite frankly — fines (low, high, or indifferent) don’t seem to be having a significant effect on the frequency or severity of breaches in the wild. In any event, signaling that fines will be lower is not likely to improve compliance.

Despite these announcements, covered entities, business associates and app developers not covered by HIPAA must all remain vigilant and hew to a higher standard in order to maintain the privacy and security of sensitive data.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Filed Under: Compliance, FTC, Health care policy, Health Law, HIPAA, OCR, Privacy, Security
