Recent HIPAA Updates from Office for Civil Rights
Tuesday, March 8, 2016
Privacy Policy, Recent HIPAA Updates from Office for Civil Rights
Print Mail Download i

The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services has been busy lately, issuing three news releases on the HIPAA Privacy and Security Rules.

On February 24th, OCR published a crosswalk between the HIPAA Security Rule and the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework). The document outlines the safeguards required by the Security Rule and maps them to the applicable subcategory in the Cybersecurity Framework and other commonly used frameworks. The Security Rule does not require healthcare organizations to follow the Cybersecurity Framework, but OCR points out that many organizations already follow the Cybersecurity Framework and that the crosswalk can help organizations discover gaps in their security policies. OCR released the crosswalk less than a week after Hollywood Presbyterian reported that it paid hackers to end a malware attack on the hospital’s computer systems.

Shortly after releasing the crosswalk, OCR published its monthly update on cyber awareness. This month’s update provides tips for safeguarding protected health information and shares lessons learned from the National Security Agency (NSA) at the Usenix Enigma security conference about security vulnerabilities used by hackers and best practices to strengthen security systems. OCR also highlighted security threats to medical devices, such as malware attacks that could render the device unusable or nonfunctional despite remaining usable. FDA has been working to raise awareness of these issues with draft guidance released in January.

On the privacy side, OCR published additional guidance this week to clarify how much providers may reasonably charge for copies of health information and when individuals may request to send their health information to third parties under the HIPAA Privacy Rule. The information is organized as frequently asked questions (FAQs), which accompany a fact sheet on patients’ rights to access their health information and a first set of FAQs on sharing medical records with patients. OCR’s intention in publishing these guidance documents is to help providers understand when and how protected health information may be shared with patients, providers, hospitals, and health insurance plans after hearing confusion from many individuals.

©1994-2024 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

Current Legal Analysis

More from Mintz

Canada’s 2024 Federal Budget: The Time Is Now ... to Lock in Lower Tax Rates
by: Katy Pitch
American Privacy Rights Act – Another Shot at a Comprehensive Federal Privacy Law
by: Cynthia J. Larose , Christopher J. Buontempo
Tony Bennett May Have Left His Heart in San Francisco but the City's Appeal of Its NPDES Permit is on its Way to the United States Supreme Court.
by: Jeffrey R. Porter
Navigating Health Tech: Regulations for AI/ML in Medical Devices and Software [Video]
by: Benjamin M. Zegarelli , Pat G. Ouellette
Supreme Court Narrows the Reach of Omission Liability Claims Under Section 10(b) of the Exchange Act
by: Douglas P. Baumstein , Jason C. Vigna
Office of the Level Playing Field
by: Jennifer B. Rubin
The Sun is About to Set on Temporary CCPA/CPRA Exemptions: Employers Get Ready
by: Cynthia J. Larose
New Jersey Adopts a Comprehensive Data Privacy Law
by: Cynthia J. Larose , Jon Taylor
Important Updates to the New York LLC Transparency Act
by: Daniel I. DeWolf
Live Free and Protect: New Hampshire Joins the Growing List of States to Adopt a Comprehensive Data Privacy Law in 2024
by: Cynthia J. Larose , Jon Taylor

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins