HHS Secretary Delegates to ONC Head New HITECH Act Authority

Effective August 7, 2009, and published in the Federal Register on Tuesday, August 18, 2009, Secretary Kathleen Sebelius of the U.S. Department of Health and Human Services (HHS) has delegated authority to the National Coordinator for Health Information Technology, David Blumenthal, M.D., to administer “Subtitle B, ‘Incentives for the Use of health Information Technology,’ sections 3011 through 3017, with the exception of 3012(c)(5), the Financial Support subsection.”  These sections and titles, which appear on pages 132-144 of the American Recovery and Reinvestment Act of 2009 (ARRA), signed by President Obama on February 17, 2009, available on the hipaa.com site, include: 3011 Immediate Funding to Strengthen the Health Information Technology Infrastructure,…

READ MORE

HHS Secretary Sebelius Delegates Oversight and Enforcement of HIPAA Security Rule to OCR

U.S. Health and Human Services (HHS) Secretary Kathleen Sebelius has delegated oversight and enforcement of the HIPAA Administrative Simplification Security Rule Standards for Protection of Electronic Protected Health Information to HHS’s Office of Civil Rights (OCR), effective July 27, 2009.  Since October 7, 2003, the Security Rule had been the responsibility of HHS’s Center for Medicare & Medicaid Services (CMS). OCR also has responsibility for the HIPAA Administrative Simplification Privacy Rule.  This delegation brings responsibility for administrative, technical, and physical standards for safeguarding of protected health information in each rule under one authority, and likely will facilitate enforcement of the HITECH Act breach, notification, and business associate security rule compliance…

READ MORE

FTC Delays “Red Flags” Rule for Third Time

The Federal Trade Commission announced a third delay, from August 1, 2009, to November 1, 2009, for compliance with the identity theft prevention red flags rule. The delay is for another three months.  Compliance originally was scheduled for November 1, 2008, then delayed the first time until May 1, 2009.  Entities affected are creditors and financial institutions. Healthcare providers that extend delayed payment plans to patients are deemed “creditors” under the red flags rule. This delay was to give affected entities more time to develop and implement written identity theft prevention policies and procedures for compliance with the rule, which is based on enabling regulations of provisions in the Fair and Accurate…

READ MORE

Transmission Security Encryption: What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the second of two implementation specifications for the Technical Safeguard Standard, Transmission Security.  This implementation specification is addressable. Addressable does not mean “optional.”  Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard.  As we noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010.  This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009. What to…

READ MORE

Transmission Security Integrity Controls: What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the first implementation specification for the Technical Safeguard Standard, Transmission Security.  This implementation specification is addressable. Addressable does not mean “optional.”  Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard.  As we noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010.  This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009. What to Do Implement…

READ MORE

Transmission Security: What This HIPAA Security Rule Technical Safeguard Standard Means

This is the fifth and last Technical Safeguard Standard of the HIPAA Administrative Simplification Security Rule.  It has two implementation specifications:  integrity controls; and encryption.  Each is addressable.  Addressable does not mean “optional.”  Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard.  As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010.  This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009. For compliance with…

READ MORE

Person or Entity Authentication: What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the fourth Technical Safeguard Standard.  There is not a separately described implementation specification.  Rather, this standard’s implementation specification is connoted in the language of the standard and is required.  As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010.  This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009. What to Do A covered entity is required to implement procedures to verify that a…

READ MORE

Person or Entity Authentication: What This HIPAA Security Rule Technical Safeguard Standard Means

This is the fourth Technical Safeguard Standard of the HIPAA Administrative Simplification Security Rule.  There is not a separately described implementation specification.  Rather, this standard’s implementation specification is connoted in the language of the standard and is required.  As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010.  This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009. For compliance with this Technical Safeguard Standard, a covered entity is required to implement procedures to verify that…

READ MORE

Accountability Key Privacy/Security Principle of Meaningful Use 2011 Objectives

On December 15, 2008, the Office of the National Coordinator for Health Information Technology of the U.S. Department of Health and Human Services (HHS) published its 11 page report: Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information. The eight principles in this report underpin the HIPAA Administrative Simplification Privacy and Security Rule standards, provide a foundation of the Privacy provisions of the HITECH Act in the American Recovery and Reinvestment Act of 2009, signed by President Obama on February 17, 2009, and are a key objective of proposed 2011 Objective recommendations for Meaningful Use published by HHS’ Health IT Policy Committee on June 16, 2009….

READ MORE

Safeguards Key Privacy/Security Principle of Meaningful Use 2011 Objectives

On December 15, 2008, the Office of the National Coordinator for Health Information Technology of the U.S. Department of Health and Human Services (HHS) published its 11 page report: Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information. The eight principles in this report underpin the HIPAA Administrative Simplification Privacy and Security Rule standards, provide a foundation of the Privacy provisions of the HITECH Act in the American Recovery and Reinvestment Act of 2009, signed by President Obama on February 17, 2009, and are a key objective of proposed 2011 Objective recommendations for Meaningful Use published by HHS’ Health IT Policy Committee on June 16, 2009….

READ MORE