Search the News Archive

HHS Office for Civil Rights Issues Letter and Opens Investigation of Change Healthcare Cyberattack

"[HHS'] Office for Civil Rights (OCR) issued a 'Dear Colleague' letter addressing the cybersecurity incident impacting Change Healthcare ... The cyberattack is disrupting health care and billing information operations nationwide and poses a direct threat to critically needed patient care and essential operations of the health care industry." [Also available: Fact Sheet]

Text of HHS Notice: Rescission of 'HHS Notice and Guidance on Gender Affirming Care, Civil Rights, and Patient Privacy' (PDF)

[Feb. 20, 2025; unnumbered] "[E]ffective immediately, the 2022 OCR Notice and Guidance no longer represents the views or policies of HHS OCR. Covered entities should no longer rely on the rescinded 2022 OCR Notice and Guidance. Pursuant to EO 14187 HHS shall, in consultation with the Attorney General, expeditiously issue new guidance protecting whistleblowers who take action related to ensuring compliance with this order."

Text of HHS OCR FAQs: HIPAA, COVID-19 Vaccination, and the Workplace

Does the HIPAA Privacy Rule prohibit businesses or individuals from asking whether their customers or clients have received a COVID-19 vaccine? No.... Does the HIPAA Privacy Rule prevent customers or clients of a business from disclosing whether they have received a COVID-19 vaccine? No.... Does the HIPAA Privacy Rule prohibit an employer from requiring a workforce member to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties? No.... Does the HIPAA Privacy Rule prohibit a covered entity or business associate from requiring its workforce members to disclose to their employers or other parties whether the workforce members have received a COVID-19 vaccine? No.... Does the HIPAA Privacy Rule prohibit a doctor's office from disclosing an individual's protected health information (PHI), including whether they have received a COVID-19 vaccine, to the individual's employer or other parties? Generally, yes.

Text of OCR Notice of Expiration of Certain Notifications of Enforcement Discretion Issued in Response to the COVID-19 Nationwide Public Health Emergency

"This document is to inform the public that four Notifications of Enforcement Discretion issued by [OCR] regarding how the Privacy, Security, and Breach Notification Rules promulgated under [HIPPA and HITECH] will be applied to certain violations during the COVID-19 nationwide public health emergency, will expire upon expiration of the COVID-19 PHE, which is currently scheduled for 11:59 p.m. on May 11, 2023.... OCR will continue to exercise enforcement discretion consistent with the Notifications for violations of the HIPAA Rules that occurred during the period that each Notification was in effect. In addition, OCR is affording covered health care providers a 90-calendar day transition period to come into compliance with the HIPAA Rules with respect to their provision of telehealth using non-public facing remote communication technologies."

HHS Final Regulations: Protecting Statutory Conscience Rights in Health Care (PDF)

440 pages. "The United States has a long history of providing protections in health care for individuals and entities on the basis of religious beliefs or moral convictions. Congress has passed many such laws applicable to [HHS] and the programs or activities it funds or administers, some of which are the subject of existing HHS regulations ... This final rule revises existing regulations to ensure vigorous enforcement of Federal conscience and anti-discrimination laws applicable to the Department, its programs, and recipients of HHS funds, and to delegate overall enforcement and compliance responsibility to the Department's Office for Civil Rights ('OCR'). In addition, this final rule clarifies OCR's authority to initiate compliance reviews, conduct investigations, supervise and coordinate compliance by the Department and its components, and use enforcement tools otherwise available in existing regulations to address violations and resolve complaints. In order to ensure that recipients of Federal financial assistance and other Department funds comply with their legal obligations, this final rule requires certain recipients to maintain records; cooperate with OCR's investigations, reviews, or other proceedings; and submit written assurances and certifications of compliance to the Department. The final rule also encourages the recipients of HHS funds to provide notice to individuals and entities about their right be free from coercion or discrimination on account of religious beliefs or moral convictions."

Text of HHS RFI: Considerations for Implementing the Health Information Technology for Economic and Clinical Health (HITECH) Act

"[OCR] is issuing this Request for Information (RFI) to solicit public comment on certain provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, namely: The consideration of recognized security practices of covered entities and business associates when OCR makes determinations regarding fines, audits, and remedies to resolve potential violations of the [HIPAA] Security Rule; and the distribution to harmed individuals of a percentage of civil money penalties (CMPs) or monetary settlements collected pursuant to the HITECH Act[.]"

Text of HHS RFI on Modifying HIPAA Rules to Improve Coordinated Care

"The Office for Civil Rights (OCR) is issuing this Request for Information (RFI) to assist OCR in identifying provisions of the [HIPAA] privacy and security regulations that may impede the transformation to value-based health care or that limit or discourage coordinated care among individuals and covered entities (including hospitals, physicians, and other providers, payors, and insurers), without meaningfully contributing to the protection of the privacy or security of individuals' protected health information. This RFI requests information on whether and how the rules could be revised to promote these goals, while preserving and protecting the privacy and security of such information and individuals' rights with respect to it."

Text of Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Years 2011 and 2012 (PDF)

"This report describes the types and numbers of breaches reported to the Office for Civil Rights (OCR) (the office within the Department that is responsible for administering and enforcing the HIPAA Privacy, Security, and Breach Notification Rules) that occurred between January 1, 2011, and December 31, 2012, as well as provides some cumulative data on breaches reported since the September 23, 2009, effective date of the breach notification requirements. The report also describes actions that have been taken by covered entities and business associates in response to the reported breaches. In addition, this report generally describes the OCR investigations and enforcement actions with respect to the reported breaches."

Text of OCR Fact Sheet: Ransomware and HIPAA (PDF)

"The HIPAA Security Rule requires implementation of security measures that can help prevent the introduction of malware, including ransomware.... The HIPAA Security Rule requires covered entities and business associates to implement policies and procedures that can assist an entity in responding to and recovering from a ransomware attack.... What should covered entities or business associates do if their computer systems are infected with ransomware? ... Is it a HIPAA breach if ransomware infects a covered entity's or business associate's computer system? ... Is it a reportable breach if the ePHI encrypted by the ransomware was already encrypted to comply with HIPAA?" [Undated and unnumbered document, published online on July 11, 2016.]

HIPAA Security Rule to Now Be Administered and Enforced by OCR, Not CMS

Excerpt: Department of Health and Human Services (HHS) Secretary Kathleen Sebelius has announced that authority for the administration and enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule has been delegated to the Office for Civil Rights (OCR).