Insights

Washington – June 6, 2024: Crowell & Moring earned 78 rankings for 67 lawyers, as well as 41 national and statewide practice area rankings, in the Chambers USA 2024 guide. The rankings are driven by independent interviews of clients and lawyers at peer firms.

On January 6, 2025, the Department of Health and Human Services’ Office for Civil Rights (“OCR”) published a notice of proposed rulemaking (the “NPRM”) entitled HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information. In light of evolving technologies and cybersecurity threats, the NPRM aims to modernize security regulations implementing the Health Insurance Portability and Accountability Act security standards (the “HIPAA Security Rule”) and strengthen protections for the confidentiality, integrity, and availability of electronic protected health information (“ePHI”). In particular, OCR is considering modifications to the HIPAA Security Rule to address:

Federal policy efforts to advance health data exchange and interoperability are continuing to change rapidly. The latest changes are the publication of two final rules by the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology (ASTP/ONC) finalizing parts of the of the Health Data, Technology, and Interoperability (HTI-2) Proposed Rule. These rules adopt requirements regarding the Trusted Exchange Framework and Common Agreement (TEFCA) (HTI-2 Final Rule), and create a new Information Blocking exception under Protecting Care Access (HTI-3 Final Rule), on December 16thand 17th, respectively.

The Department of Health and Human Services (HHS) continues its push on health data interoperability with a proposed rule, HHS Acquisition Regulation: Acquisition of Information Technology; Standards for Health Information Technology.  Specifically, HHS proposes to modify the Health and Human Service Acquisition Regulation (HHSAR) to implement an HHS-wide policy to align requirements related to the procurement of health IT with standards and implementation specifications adopted by the Office of the National Coordinator for Health IT (ONC) or compliance with the voluntary ONC Health IT Certification Program.  This proposed rule was published on August 9, 2024, just 4 days after the ONC proposed HTI-2 rule was published in the Federal Register.

Though general rules established by the Health Insurance Portability and Accountability Act and its implementing regulations (collectively known as HIPAA) are relatively well known, fewer people are familiar with some finer details, such as the fact that HIPAA is somewhat limited in scope. It’s also a common misconception that HIPAA applies to all or most individually identifiable health information.