Search the News Archive

All Is Not Lost as the Sun Sets on the HIPAA Reproductive Health Rule

"HHS's decision not to appeal Purl ... does not relieve HIPAA regulated entities from their obligations to protect reproductive health care information. HIPAA regulated entities must still ensure that their existing HIPAA policies and procedures adequately protect PHI, including reproductive health care information, even though the protections that were in the Rule are now defunct."

HIPAA Privacy Notices: A How-To Guide for Plan Sponsors

"The deadline has passed for the Trump Administration to appeal the district court decision vacating the HIPAA Privacy Rule to Support Reproductive Health Care that went into effect at the end of 2024.... As a result, many group health plan sponsors will still need to revise their plan's HIPAA Notice of Privacy Practices ... [T]his 'how‑to guide' [provides] a brief overview of the Privacy Notice requirements for health plan sponsors seeking to comply with their obligations under the HIPAA Privacy Rule."

Time to Revisit Your HIPAA Documents

"Given that the ruling is unlikely to be challenged by the Department under the current administration, Plan Sponsors and Covered Entities should review their HIPAA Privacy Policy, HIPAA Notice of Privacy Practices, business associate agreements, and any other related HIPAA Privacy documentation to determine whether any updates are needed." [Purl v. HHS, No. 24-0228 (N.D. Tex. Jun. 18, 2025)]

OIG Report: OCR Should Enhance Its HIPAA Audit Program to Enforce HIPAA Requirements

"OCR fulfilled its requirement under the HITECH Act to perform periodic HIPAA audits. However: OCR’s HIPAA audit implementation was too narrowly scoped to effectively assess ePHI protections and demonstrate a reduction of risks within the health care sector. Specifically: OCR’s audits consisted of assessing only 8 of 180 HIPAA Rules requirements; and only 2 of those 8 requirements were related to Security Rule administrative safeguards and none were related to physical and technical security safeguards. OCR oversight of its HIPAA audit program was not effective at improving cybersecurity protections at covered entities and business associates."

HIPAA Takeaways as HHS Addresses Misconceptions on Applicability to COVID-19 Vaccination Information

"[1] HIPAA only regulates covered entities and business associates.... [2] HIPAA does not prohibit covered entities or business associates from asking about vaccinations.... [3] HIPAA does not apply to employee information.... [4] HIPAA covered entities do not always need authorization to disclose vaccination information.... [5] HIPAA covered entity health care providers can disclose vaccination information to employers without authorization only in specific circumstances."

Text of HHS OCR FAQs: HIPAA, COVID-19 Vaccination, and the Workplace

Does the HIPAA Privacy Rule prohibit businesses or individuals from asking whether their customers or clients have received a COVID-19 vaccine? No.... Does the HIPAA Privacy Rule prevent customers or clients of a business from disclosing whether they have received a COVID-19 vaccine? No.... Does the HIPAA Privacy Rule prohibit an employer from requiring a workforce member to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties? No.... Does the HIPAA Privacy Rule prohibit a covered entity or business associate from requiring its workforce members to disclose to their employers or other parties whether the workforce members have received a COVID-19 vaccine? No.... Does the HIPAA Privacy Rule prohibit a doctor's office from disclosing an individual's protected health information (PHI), including whether they have received a COVID-19 vaccine, to the individual's employer or other parties? Generally, yes.

De Facto Private Right of Action Under HIPAA: Is Ohio Next?

"HIPAA does not provide a private cause of action to individuals affected by a health care privacy breach. This means that an individual whose PHI has been used or disclosed by a health care provider in violation of HIPAA may not bring a civil claim against the health care provider under HIPAA. Moreover, HIPAA specifically preempts any contrary provision of state law ... Recent decisions by state courts, however, have held that HIPAA is the standard industry practice for health care providers and may form the basis for state law negligence claims involving disclosure of patient medical records."

Protecting Patient Data in the Cloud: Understanding New HIPAA Compliance Requirements

"When you're determining which business associate to hire, it's important to understand the terms that consultants and associates use to describe their services. HIPAA-compliant refers to software and data storage systems that have controls based on three categories of safeguards: administrative, physical, and technical. Each category includes shared responsibilities for the cloud provider, along with safeguards that are the sole responsibilities of each. A 'HIPAA-compliant' service has been found in compliance with the HIPAA Security and Privacy Rules. HIPAA-certified is a term consultants sometimes use to claim their work is HIPAA-compliant, but the HHS and its Office for Civil Rights (OCR) do not certify any persons or products as 'HIPAA-certified.'"

Employee and Other Whistleblower Complaints Common Source of HIPAA Privacy and Other Complaints

"Beyond illustrating the potential HIPAA-associated penalties that can result from failing to comply with HIPAA, the [Parkview Health System, Inc.] resolution agreement also illustrates the risks that current or former workforce members and others acting as whistleblowers play in helping OCR to identify HIPAA violations.... With retaliation and other whistleblower complaints becoming increasingly common and judgments from these claims rising, covered entities and their business associates need to include appropriate employment liability risk management processes and procedures in their HIPAA compliance processes and coordinate carefully with their human resources team and qualified employment counsel to manage the employment liability related risks associated with investigations and discipline activities under HIPAA."

IRS Joins DOL to Close Wellness Plan Loophole in HIPAA

Excerpt: The requirement that the supplemental coverage not differentiate among individuals based on any health factor is key. Effectively, IRS and DOL are saying they will not treat supplemental coverage as a HIPAA excepted benefit that is exempt from the HIPAA nondiscrimination rules unless the supplemental coverage itself satisfies the HIPAA nondiscrimination rules. Thus, tying the wellness plan reward to the supplemental coverage will prevent such coverage from being a HIPAA excepted benefit – and the wellness plan will have to satisfy the HIPAA nondiscrimination rules.