News & Analysis as of September 17, 2024

Office of Civil Rights

+ Follow

Business Associates can refer broadly to individuals engaged in business relationships with one another. However, in the HIPAA context, the term has a specific statutory meaning and those characterized as business associates have expanded data protection obligations and duties. Essentially, a business associate under HIPAA is a person or entity that performs certain functions or services which necessitates exposure to protected health information on behalf of a covered entity. Typical business associate functions include: claims processing or administration, data analysis, billing, etc. less -

‘I Will Not Rest’; ‘I Am All In’: Remarkable Breach Hearing Sees Pledges by UHG CEO, Sen. Wyden

Health Care Compliance Association (HCCA) on 5/13/2024

United Healthcare Group (UHG) CEO Andrew Witty was in a board meeting on Feb. 21 when officials interrupted with the news that Change Healthcare—a clearinghouse UHG subsidiary Optum had purchased for $1.3 billion in October...more

Privacy Briefs: May 2024

Health Care Compliance Association (HCCA) on 5/13/2024

Kaiser Permanente is notifying 13.4 million current and former members that their personal information may have been compromised when it was transmitted to tech giants Google, Microsoft Bing and X (formerly Twitter) when...more

OCR at HHS Updates Guidance on Use of Online Tracking Technology by HIPAA-Regulated Entities

Wilson Sonsini Goodrich & Rosati on 3/26/2024

On March 18, 2024, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) updated its guidance on the use of online tracking technology by covered entities regulated by the Health...more

OCR Updates Guidance on Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates

Katten Muchin Rosenman LLP on 3/22/2024

On March 18, the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) updated its guidance on the use of online tracking technologies by covered entities and business associates (regulated...more

Updated OCR guidance does not solve HIPAA’s tracker uncertainty

Hogan Lovells on 3/21/2024

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) updated its guidance concerning compliance obligations for HIPAA covered entities and business associates using online tracking...more

Business Associate Victim of Ransomware Attack Pays $100,000 to HHS OCR

Brooks Pierce on 12/6/2023

Is your organization a business associate? You could be subject to enforcement action if you fail to protect health information within your control from ransomware attacks. In October, for the first time, the U.S....more

New Washington Law Has Broad Implications For Protecting Consumer Health Data - Landmark ‘My Health My Data’ Act Reaches Beyond...

Davis Wright Tremaine LLP on 5/2/2023

On April 27, 2023, Washington Governor Jay Inslee signed into law the My Health My Data Act (the "Act"), which will regulate the collection, use, and disclosure of "consumer health data" ("Consumer Health Data" or "CHD"). The...more

Office of Civil Rights Guidance on Recognized Security Practices Under the 2021 HITECH ‎Act Amendment

Locke Lord LLP on 12/14/2022

Last year, Congress enacted an amendment to the HITECH Act in January 2021 (“HITECH Amendment”) to require that the Department of Health and Human Services (“HHS”) consider whether a covered entity or business associate has...more

OCR releases YouTube Addressing “Recognized Security Practices” in HIPAA Enforcement Context

BakerHostetler on 11/14/2022

As a Halloween treat for HIPAA-covered entities and business associates, on October 31, the Department of Health and Human Services Office for Civil Rights (OCR) released a new video on its YouTube channel, in which senior...more

The Potential Impact of State Abortion Laws on Reproductive Health Apps

Goodwin on 7/19/2022

Millions of women use reproductive health applications (or “apps”) to track menstrual cycles, ovulation, and pregnancy. These apps provide women that use the rhythm method for birth control and women seeking to become...more

OCR: Current Fines Too Low to Spur Compliance; Agency Also Seeks Funding Boost, Injunctive Relief

Health Care Compliance Association (HCCA) on 5/6/2022

Report on Patient Privacy 22, no. 5 (May, 2022) - Compared to other agencies, the HHS Office for Civil Rights (OCR) is a little fish in the big federal pond, but it has an outsize effect on HIPAA covered entities (CEs) and...more

Recent OCR HIPAA Enforcement Actions and Request for Information on HITECH Implementation

Arnall Golden Gregory LLP on 4/20/2022

Enforcement Actions - In its first announcement of enforcement actions in 2022, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) simultaneously announced the resolution of three...more

Any Port in a Storm? OCR Seeks Comments on HIPAA “Safe Harbor” for Recognized Security Practices

Wyrick Robbins Yates & Ponton LLP on 4/20/2022

Earlier this month, HHS’s Office for Civil Rights (OCR) issued a Request for Information (RFI) seeking comments on a statutory provision adopted last year that provides a quasi-safe harbor for entities that have voluntarily...more

After a Breach Is Too Late: Ensure BA, Subcontractor Compliance Now

Health Care Compliance Association (HCCA) on 3/25/2021

Report on Patient Privacy 21, no. 3 (March 2021) - Sometime during the fall, a worker for a subcontractor of Humana Inc. decided to share actual member information from medical records via a Google document with people he...more

Pending Proposed Rule Would Make Far-Reaching Changes to HIPAA Privacy Regime

Akin Gump Strauss Hauer & Feld LLP on 3/3/2021

On January 21, 2020, the far-reaching HIPAA Privacy Proposed Rule, initially released on December 10, 2020, was published in the Federal Register. Despite speculation that the publication timeline would be altered when the...more

HHS Issues HIPAA Guidance on Contacting Survivors of COVID-19 About Plasma Donation

Ballard Spahr LLP on 8/28/2020

The Office of Civil Rights of the U.S. Department of Health and Human Services has issued guidance clarifying how HIPAA’s Privacy Rule permits covered entities (in particular, health care providers and health plans) or their...more

4 Ways to Protect ePHI Beyond HIPAA Compliance

NAVEX on 8/14/2020

Given the choice between credit card data and digital health records, cybercriminals prefer the latter. A stolen credit card can be canceled. Electronic protected health information (ePHI) with its treasure-trove of...more

As Covered Entities Inch Toward Normalcy, Thorny Worker, Patient Privacy Issues Arise

Health Care Compliance Association (HCCA) on 6/15/2020

Report on Patient Privacy 20, no. 6 (June 2020): Being a health care provider in the midst of a pandemic is complicated enough, between offering telehealth services, perhaps for the first time, and helping workers continue...more

COVID-19 and Data Protection Compliance in the US

White & Case LLP on 4/15/2020

Irrespective of your industry, the current COVID-19 pandemic poses a new and unique challenge to organizations, their employees, and their customers. The emergence of COVID-19 has prompted organizations to collect and process...more

Solo Practitioner Agrees to $100,000 Settlement for HIPAA Security Rule Violations

Saul Ewing LLP on 3/9/2020

On March 3, 2020, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced a $100,000 settlement and corrective action plan with Steven A. Porter, M.D. to resolve potential...more

Modified HIPAA Rules for Sending Records to Third Parties

Holland & Hart - Health Law Blog on 2/10/2020

Thanks to a federal judge, the Office for Civil Rights has modified its rules for sending records to third parties. Covered entities are no longer required by HIPAA to send non-electronic protected health information (“PHI”)...more

Business Associates’ Use of Information for Their Own Purposes

Holland & Hart - Health Law Blog on 9/6/2019

Business associates may want to use a covered entity’s protected health information (“PHI”) for the business associates’ own purposes, e.g., for their own product development, data aggregation, marketing, etc. However, with...more

Massive Data Breach Underscores Importance of Business Associate Security

Manatt, Phelps & Phillips, LLP on 6/28/2019

It is no surprise that healthcare data breaches are on the rise. The number of annual health data breaches increased 70% the past seven years, with 75% of the breached, lost or stolen records—132 million—being breached by a...more

Understanding When Business Associates Are Directly Liable Under HIPAA

Miller Canfield on 6/4/2019

New guidance issued by the U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) reaffirms that business associates must have proper HIPAA compliance practices, safeguards and documentation in place...more

OCR Clarifies Direct Liability for Business Associates under HIPAA

Foley & Lardner LLP on 5/31/2019

On May 24, 2019, the Department of Health and Human Services Office for Civil Rights (OCR) issued a new fact sheet which lists the provisions of the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (HIPAA)...more

92 Results

View per page

Page: of 4

Business Associates › Data Protection › Office of Civil Rights

"My best business intelligence, in one easy email…"