Health Insurance Portability and Accountability Act

Key Takeaways:

  • Ed tech company PowerSchool’s recent breach exposed the data of approximately 60 million students and 10 million educators.
  • Hacker gained access via a compromised employee password and remained undetected for nine days.
  • Sensitive personal data, including Social Security numbers and medical histories, was potentially compromised, raising a number of legal and regulatory concerns.
  • The breach underscores the urgent need for stronger third-party oversight and security requirements.

On June 27, 2023, the Office of Inspector General (“OIG”) for the U.S. Department of Health and Human Services (“HHS”) released its final rule (“Final Rule”) implementing penalties for information blocking.

The Final Rule codifies the prohibition on “information blocking” introduced by the 21st Century Cures Act (“Act”), which was

Like many federal statutes, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) contains a provision governing how the statute is designed to interact with similar or otherwise related state laws.  When this type of provision is used to override or supplant similar state laws, the provision is called “preemptive.”  On November 11, 2014, the Connecticut Supreme Court held in Byrne v. Avery Center For Obstetrics and Gynecology, P.C. that state law negligence claims are not preempted by HIPAA even where the plaintiff relies on HIPAA to establish the applicable standard of care.  In so holding, the Court