CMS Initiates 90-Day Enforcement Discretion for 5010 Compliance

The Centers for Medicare & Medicaid Services (CMS) Office of E-Health Standards and Services (OESS) is responsible for enforcement of compliance with electronic transaction standards. January 1, 2012, is the date for covered entities to achieve compliance with ASC X12 Version 5010, NCPDP Telecom D.0, and NCPDP Medicaid Subrogation 3.0 transaction standards. CMS announced on November 17, 2011, that “[w]hile enforcement action will not be taken [from January 1-March 31, 2012], OESS will continue to accept complaints associated with compliance with Version 5010, NCPDP D.0 and NCPDP 3.0 transaction standards during the 90-day period…. If requested by OESS, covered entities that are the subject of complaints (known as ‘filed-against entities’) must produce evidence of either compliance or a good faith effort to become compliant with the new HIPAA [version] standards during the 90-day period.” [emphasis added]

OCR Announces November 2011 Start of Privacy and Security Compliance Audits

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for privacy and security enforcement under the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act provisions. OCR has announced that it is initiating compliance audits beginning this month, as authorized by the HITECH Act. This action precedes the imminent release of the Final HIPAA/HITECH Act Privacy, Security, Breach Notification, and Enforcement Rules, expected before the end of 2011, and will strengthen enforcement and accountability for compliance with existing and forthcoming Rule modifications. To avoid the consequences of potential penalties for non-compliance, covered entities and business associates must now pay immediate attention to conducting a new risk assessment, or reviewing an existing one, of threats and vulnerabilities to protected health information (PHI); mitigating identified risks through privacy and security safeguard policies and procedures; training their workforce members to safeguard the privacy and security of PHI; and documenting those actions in writing.

HITECH Act Breached Individuals Skyrocket in Latest OCR Web Site Posting

On November 4, 2011, OCR reported a total of 364 such breaches, up from 345 in its previous post in October. The 364 breaches have impacted 18,190,451 persons in breaches reported by covered entities from September 22, 2009 (the day prior to the effective date of the Breach Notification Rule) to September 14, 2011. The increase of 6,230,963 impacted individuals represents a skyrocketing jump of just over 52% from the 11,959,488 accounted for in the October post of 345 breaches. The growing number of individuals affected by privacy and security breaches heightens the need for OCR to issue the Final Privacy, Security, Breach Notification, and Enforcement Rules and to strengthen enforcement and accountability through compliance audits and complaint and breach investigations to ensure compliance with those Rules. Covered entities and business associates must pay more attention to conducting risk assessments and mitigating risks through privacy and security safeguard policies and procedures, and especially to training their workforce members to safeguard electronic hardware, devices, and media containing protected health information (PHI). Investment now in HIPAA/HITECH Act privacy and security safeguards to minimize risk to PHI is a cost-effective and wise investment, especially in ENCRYPTING YOUR PHI on mobile and portable electronic devices and media with a high likelihood of being lost or stolen.

HHS Extends Life of Temporary EHR Technology Certification Program

The Office of the National Coordinator for Health Information Technology (ONC) of the Department of Health and Human Services (HHS) published a notice in the Thursday, November 3, 2011, Federal Register that extends the life of the “temporary certification program for health information technology” beyond its expected sunset date of December 31, 2011, to at least summer 2012.