Office of Civil Rights Further Relaxes HIPAA Enforcement Due to COVID-19 Pandemic

Last night, the Office of Civil Rights Division of the United States Department of Health and Human Services (“OCR”) issued further guidance regarding enforcement of the Privacy Rule and related regulations due to the COVID-19/novel coronavirus pandemic as it relates to business associates of covered entities. Under the Privacy Rule and related regulations, business associates of covered entities may disclose private health information for public health and oversight activities only with prior authorization from patients. In light of the pandemic, OCR has declared that it will exercise its discretion and not enforce this requirement until the Secretary of the Department of Health and Human Services decides that the public emergency has passed. Attorneys like the members of the Healthcare practice group of CSKL who provide legal services directly to healthcare providers and facilities fall within the class of business associates to whom this wavier of action applies. The waiver is limited to the use for public health and oversight activities only and not to broader litigation, to which the existing rules, regulations, and laws still apply.

The guidance can be found by clicking here.

Stay tuned for more information about HIPAA and other healthcare related legal news in the ever evolving world of the COVID-19 pandemic.

Practice Group Pays $125k to Settle HIPAA Claim

A Connecticut physician group recently agreed to pay $125,000 to settle a claim of “reckless disregard” for a patient’s privacy rights. The group contacted the local television station to give a statement about a dispute between its patient and one of its doctors. A reporter contacted the doctor, who “impermissibly disclosed the patient’s protected health information.” The Office of Civil Rights investigated and concluded that the doctor had shown “reckless disregard” after the doctor was instructed by the group’s privacy officer to respond with “no comment.” The group failed to discipline the doctor or take corrective action.

Take-home: while a patient has an unfettered right to disclose their private health information in public and to the media, a covered entity does not. There is no “media exception” to the Privacy Rule.

To read the report and corrective action plan, please click here.