Prison Time for Privacy Breach of PHI; OCR Breach List Continues to Grow; More Training Needed

HDM Daily reported on April 29, 2010, a four-month federal prison sentence for a HIPAA privacy violation. On the same day, OCR at HHS reported on its Web site 67 entities that have reported breaches affecting 500 or more individuals since the breach notification rule became effective. HIPAA.com believes that these two reports illustrate the need for more privacy and security training, and invites readers to sign up on the hipaa.com Web site for more information in May about training from HIPAA School.

OCR Identifies 36 Entities with Breaches Affecting 500 or More Individuals

On Monday, February 22, 2010, the federal government, through the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS), began enforcing the Breach Notification Rule for breaches occurring on or after that date. The Breach Notification for Unsecured Protected Health Information Interim Final Rule was published in the Federal Register on Monday, August 24, 2009 [74 FR 42739-42770] and was effective September 23, 2009. Since September 22, 2009, 36 breaches affecting 500 or more individuals have been reported to OCR. The total number of individuals affected was 1,073,657, with two of the breaches involving 359,000 (FL) and 500,000 (TN), as reported.

Today, February 17, Business Associates Must Be in Compliance with HIPAA Security Rule

Today, Wednesday, February 17, 2010, Business Associates of Covered Entities must be able to demonstrate that they are in compliance with the administrative, physical, and technical safeguards of the HIPAA Security Rule, as required by the HITECH Act, enacted one year ago today as part of the American Recovery and Reinvestment Act of 2009. In addition, Business Associate Agreements must be rewritten or amended to specifically require a Business Associate’s compliance with the Security Rule as part of its “satisfactory assurances.” Financial penalties for noncompliance discovered during a compliance audit or complaint investigation could be severe, especially for willful neglect.

Clock Running Down on Business Associate Compliance with HIPAA Security Rule Required by HITECH Act

Less than one month to go: Business Associates must comply with the HIPAA Security Rule no later than Wednesday, February 17, 2010. Here are relevant provisions from the American Recovery and Reinvestment Act, which included HITECH Act Subtitle D: Privacy.

HITECH and HIPAA Training: Time to Double Down

As the healthcare industry continues to digest profound HITECH changes to the HIPAA Privacy and Security rules, two observations are already apparent and indisputable for covered entities and their business associates. First, time and resources spent on a workforce that is well trained on the Privacy and Security rules will be an investment of exponential value. Second, enforcement of those same rules will make negligent and uncorrected errors very costly. A well-trained workforce makes fewer mistakes, and identifies and fixes those that it makes. A workforce that violates the rules because it does not know them or does not care to know them makes an inviting target for HITECH’s new enforcement initiatives. The lesson seems clear: train on HITECH and re-train on existing HIPAA rules, or pay some new and onerous penalties for workforce mistakes.

How Data Validation Will Make Your Life Easier

As a clinician, you want to know whether the data being entered into the system is accurate, clean, correct, and useful. Data validation, often called “validation rules” or “check routines,” is built into systems such as EHR systems. These rules check for the correctness, meaningfulness, and security of data. For example, the system would automatically disallow or question a user trying to enter eligibility results into the patient’s address field.

Is Certification a Surrogate for HIPAA Privacy and Security Training?

The burden on a covered entity or business associate is to conduct and periodically review its risk assessment, implement policies and procedures to safeguard protected health information, conduct ‘awareness’ training for all workforce members based on those policies and procedures, update that training if policies and procedures change or HIPAA privacy and security regulations are initiated or modified, and document in writing those activities. Certification is not a requirement in that process.

Three Key Properties of HIPAA Privacy and Security of Protected Health Information

HIPAA.com has received from its readers requests for information on topics related to the HIPAA Administrative Simplification Privacy and Security Rules and to updates to those rules reflected in the HITECH Act provisions of the American Recovery and Reinvestment Act of 2009, signed by President Obama on February 17, 2009. Recently, HIPAA.com answered a question of particular interest to several readers: what exactly is protected health information (PHI)? In this posting, we answer the question: what are the fundamental properties that underlie privacy and security of protected health information?