HHS OCR Updates Tracking Technologies Guidance – Inside Privacy
Kentucky Senate Advances Children’s Medical Record Access Bill – HIPAA Journal
HIPAA gives parents the right to access the medical records of their minor children but Kentucky lawmakers want to make sure that parents can access their children’s entire medical records and prevent healthcare providers from withholding information about treatment that does not, under state law, require parental consent.
House Bill 174 was sponsored by Representatives Rebecca Raymer (R), Danny Bentley (R), Chris Fugate (R), John Hodgson (R), and Michael Lockett (R). The bill adds a new section to current state law (KRS, Chapter 422) that establishes standards and procedures for access to copies of the medical records of patients under 18 years by the minor’s personal representatives – individuals who under state law have the authority to make health care decisions for a patient or a parent of the patient – provided the disclosure of those records is not prohibited by the Health Insurance Portability and Accountability Act (HIPAA).
The bill was presented to the House by Sen. Donald Douglas (R), who explained that while HIPAA gives personal representatives/parents the right to access or obtain a copy of the medical records of their minor children, that may not always be the case. “I’ve heard the argument of HIPAA gives us all the access, but ultimately, if one reads all the HIPAA forms, they find that often these decisions are left up to the states or even sometimes these decisions are left up to the treating physician,” said Sen. Douglas. He also explained that state laws have put up barriers for parents. For instance, under state law, minors who present with certain medical conditions can be treated without the consent of a parent or legal guardian and individuals of 16 years of age can receive mental health treatment without the consent of a parent or legal guardian. Sen. Douglas believes that is wrong.
In Kentucky, there are certain medical conditions for which minors can consent to treatment without parental consent, for instance, reproductive healthcare, when child abuse is suspected, and mental health care (if over 16). While the amendments to state law have received strong support from Kentucky lawmakers, there has been criticism of the changes, especially from pediatricians. Sen. Karen Berg (D) voted against the amendment. She said she has spoken with pediatricians and the view was that they would not abide by the changes if they are enacted. “They felt that this was a huge break in physician-patient confidentiality around certain singular issues that growing teenagers sometimes desire and sometimes need confidentiality from their parents,” said Sen. Berg.
Sen. Cassie Chambers Armstrong (D) also voted against the bill and said parents already have access to most of their children’s records, aside from a few areas where additional protections have been put in place, such as injuries sustained due to child abuse. A counterargument from Sen. Douglas was that in such cases, healthcare providers are obligated to notify the police, and the role of a healthcare provider is to provide an opinion and treatment, not to get involved in rearing other people’s children.
The bill was passed by the House of Representatives with a vote of 81-15 and by the Senate with a vote of 28-7. The bill now heads back to the House.
In Updated Guidance on Use of Tracking Technologies by HIPAA Regulated Entities, HHS-OCR Takes Expansive View … – JD Supra
HHS’s CARES Act Final Rule Better Aligns Part 2 Substance Use Disorder Patient Records Confidentiality Regulations … – McDermott Will & Emery
CISA Proposes Cyberattack Reporting Rules for Critical Infrastructure Entities – HIPAA Journal
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has proposed a rule that implements cyberattack and ransom payment reporting requirements for critical infrastructure entities, as required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).
CIRCIA was signed into law by President Biden in March 2022. One of its requirements was for CISA to develop and implement new regulations that require critical infrastructure entities, including hospitals and health systems, to report covered cyber incidents and ransomware payments to CISA. The purpose of the reporting is to provide CISA with timely information about cyberattacks, so that resources can be rapidly deployed and assistance provided to support victims, and so that CISA can rapidly identify cyberattack trends and disseminate information to help network defenders prevent further attacks.
When developing the new requirements, CISA consulted with various entities, including the Sector Risk Management Agencies, the Department of Justice, other appropriate Federal agencies, the DHS-chaired Cyber Incident Reporting Council, and non-federal stakeholders.
Incidents That Should Be Reported
- Unauthorized access to systems
- Denial of Service (DoS) attacks that last more than 12 hours
- Malicious code on systems, including variants if known
- Targeted and repeated scans against services on systems
- Repeated attempts to gain unauthorized access to systems
- Email or mobile messages associated with phishing attempts or successes
- Ransomware against critical infrastructure, including variant and ransom details if known
Information That Should Be Shared
- Incident date and time
- Incident location
- Type of observed activity
- Detailed narrative of the event
- Number of people or systems affected
- Company/Organization name
- Point of Contact details
- Severity of event
- Critical Infrastructure Sector if known
- Anyone else that has been informed
Proposed Timeframe for Reporting
Time is of the essence when reporting incidents. The sooner CISA is informed, the faster information can be shared to warn other organizations in the sector about attackers’ tactics, techniques, and procedures. Covered entities will be required to report covered incidents within 72 hours, and ransom payments will need to be reported within 24 hours of payment being made.
Since some of the requirements of CIRCIA are regulatory, CISA is first required to publish a Notice of Proposed Rulemaking (NPRM) in the Federal Register and accept public comments for 60 days. The NPRM was published in the Federal Register on March 27, 2024. The Final Rule will be published within 18 months of the date of the NPRM.
The new reporting requirements will not be mandatory until the Final Rule takes effect; however, CISA encourages all critical infrastructure entities to voluntarily report cyberattacks and ransom payments ahead of the compliance date. The information shared will allow CISA to provide assistance and warnings to other organizations to prevent them from suffering similar attacks.
A fact sheet has been released that summarizes key requirements and the NPRM can be viewed in the Federal Register.