Don't let the summer fun get in the way of protecting patient privacy.
Earlier this year, OCR officials confirmed to the Information Security Media Group that HIPAA audits are being reinstated.
OCR Director Melanie Fontes Rainer stated: “OCR intends to initiate audits of HIPAA-regulated entities later this year. These audits can assist regulated entities in improving their HIPAA compliance and their protection of health information.”
In the past, the audits have ranged from desk audits to on-site inspections of covered entities and business associates alike. Healthcare sector participants should take notice, especially in light of three recent HIPAA-related Final Rules published by HHS OCR and SAMHSA.
Federal laws and the reopening of HHS OCR audits should not be the only items on healthcare industry participants’ radars; state laws should also be at the top of the list.
In 2023, amendments to the longstanding California Confidentiality of Medical Information Act (the “CMIA”) passed. AB 254 (effective January 1, 2024) and AB 352 (effective July 1, 2024) expand the term “medical information” and add restrictions on sensitive health data.
AB 254 expanded the scope of “medical information” to include “reproductive or sexual health application information,” which means “information about a consumer’s reproductive health, menstrual cycle, fertility, pregnancy, pregnancy outcome, plans to conceive, or type of sexual activity collected by a reproductive or sexual health digital service, including, but not limited to, information from which one can infer someone’s pregnancy status, menstrual cycle, fertility, hormone levels, birth control use, sexual activity, or gender identity.”
AB 352, on the other hand, introduced new requirements on businesses that electronically store or maintain medical information related to the provision of “sensitive services.” These services are defined as “health care services related to mental or behavioral health, sexual and reproductive health, sexually transmitted infections, substance use disorder, gender affirming care, and intimate partner violence[.]”
Two items stand out. First, the amendments use the term “consumer” rather than “patient,” so they reach entities beyond traditional healthcare providers. Second, they align with the Federal Trade Commission’s enforcement actions over the past 18 months and with the Health Breach Notification Rule, 16 C.F.R. Part 318, whose recent amendments were published in the Federal Register on May 30, 2024.
On April 4, the Kentucky Consumer Data Protection Act (KCDPA) was signed into law, making Kentucky the fifteenth state to enact a comprehensive data privacy law. The KCDPA applies to persons conducting business in Kentucky that control or process the personal data of either: (1) at least 100,000 Kentucky consumers; or (2) at least 25,000 Kentucky consumers, while deriving over 50% of gross revenue from the sale of personal data. As in other states’ privacy laws, entities regulated by the Gramm-Leach-Bliley Act (GLBA) and data regulated under HIPAA are exempt.
In sum, as vacations and summer holidays ramp up, so should the healthcare sector’s focus on data privacy and security. After all, a breach is just a click away.