Finally, HIPAA/HITECH Act Privacy, Security, Breach Notification, Enforcement Final Rules at OMB

March 24, 2012.   Today, the Office of Information and Regulatory Affairs at the Office of Management and Budget (OMB) in the Executive Office of the President showed that it had received the much-delayed Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Final Rules entitled:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules (RIN:  0945-AA03). Following review by OMB, the rules will be published in the Federal Register, most likely in April if OMB’s review is timely. The Abstract of the Rules reads:  “The Department of Health and Human Services Office for Civil Rights will issue final rules to modify the HIPAA Privacy, Security,…

OCR Announces November 2011 Start of Privacy and Security Compliance Audits

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for privacy and security enforcement under Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act provisions. OCR has announced that it is initiating compliance audits beginning this month, as authorized by the HITECH Act.  This action precedes the imminent release of the Final HIPAA/HITECH Act Privacy, Security, Breach Notification, and Enforcement Rules, expected before the end of 2011, and will strengthen enforcement and accountability for compliance with existing and forthcoming Rule modifications.   To avoid the consequences of potential penalties for non-compliance, covered entities and business…

OMB Clears HITECH Act Accounting of Disclosures NPRM

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR), responsible for enforcement of the HIPAA Privacy, Security, and Breach Notification Rules, will issue a Notice of Proposed Rule Making (NPRM) to modify the HIPAA Privacy Rule as necessary to implement the accounting of disclosures provisions of Section 13405(c) of the Health Information Technology for Economic and Clinical Health Act (HITECH Act) (Title XIII of the American Recovery and Reinvestment Act of 2009–Public Law 111-5).  Section 13405(c) is entitled: Accounting of Certain Protected Health Information Disclosures Required if Covered Entity Uses Electronic Health Record. The NPRM was submitted on February 9, 2011, by HHS to the Office…

OMB Completes Review of HIPAA/HITECH Act Privacy, Security, Enforcement Rule Modifications NPRM

On July 1, 2010, the Office of Management and Budget (OMB) completed review of the Notice of Proposed Rulemaking (NPRM) entitled: Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] (RIN: 0991-AB57). The NPRM was received at OMB for review on April 12, 2010. It likely will be published in the Federal Register imminently. Legal authority for the NPRM is in Sections 13400 to 13410 of Subtitle D (Privacy) of the HITECH Act, which was enacted as part of the American Recovery and Reinvestment Act of 2009 (Public Law 111-5), enacted on February 17, 2009. Those sections cover:…

OCR Reports 107 Breaches Affecting Over 4 Million Individuals (I)

As of the July 4th holiday weekend, the Office for Civil Rights (OCR) has again updated its Web site listing of breaches affecting 500 or more individuals. As of July 2, 2010, there were 107 breaches listed that were reported to have occurred between September 22, 2009 and June 11, 2010. Individuals affected by these publicly listed breaches totaled 4,086,980. Six of the 107 breaches, or 5.6% of the total, affected 3,353,627 individuals, or 82% of the total. This is the first of three postings that analyze the data from these 107 breaches. This posting (I) covers electronic breaches, the next posting (II) covers hard copy (paper) breaches, and the…

Today, February 17, Business Associates Must be in Compliance with HIPAA Security Rule

Today, Wednesday, February 17, 2010, Business Associates of Covered Entities must be able to demonstrate that they are in compliance with administrative, physical, and technical safeguards of the HIPAA Security Rule, as required by the HITECH Act, enacted one year ago today as part of the American Recovery and Reinvestment Act of 2009.  In addition, Business Associate Agreements must be rewritten or amended to specifically require a Business Associate’s compliance with the Security Rule as part of its “satisfactory assurances.”  Financial penalties for noncompliance discovered during a compliance audit or complaint investigation could be severe, especially for willful neglect. Here are the appropriate authorities: Section 13401 of Part 1 (Improved…

CMS Issues New and Updated HIPAA and HITECH Act FAQs: EHR Incentive Payment Start Dates

The Centers for Medicare and Medicaid Services (CMS) periodically issues new and updated Frequently Asked Questions (FAQs).  HIPAA.com will periodically reproduce new and updated Questions and Answers pertaining to HIPAA Administrative Simplification standards and implementation specifications and to HITECH Act provisions that will be of interest to its readers.  This FAQ [ID#9807] was created on June 22, 2009, and updated by CMS on August 18, 2009. Question:  When will CMS begin to pay incentives to eligible professionals and hospitals for using certified Electronic Health Records (EHRs)? Answer:  By statute [American Recovery and Reinvestment Act of 2009], the earliest dates that CMS will be able to pay an incentive under Medicare…

HHS Secretary Delegates to ONC Head New HITECH Act Authority

Effective August 7, 2009, and published in the Federal Register on Tuesday, August 18, 2009, Secretary Kathleen Sebelius of the U.S. Department of Health and Human Services (HHS) has delegated authority to the National Coordinator for Health Information Technology, David Blumenthal, M.D., to administer “Subtitle B, ‘Incentives for the Use of health Information Technology,’ sections 3011 through 3017, with the exception of 3012(c)(5), the Financial Support subsection.”  These sections and titles, which appear on pages 132-144 of the American Recovery and Reinvestment Act of 2009 (ARRA), signed by President Obama on February 17, 2009, available on the hipaa.com site, include: 3011 Immediate Funding to Strengthen the Health Information Technology Infrastructure,…

HHS Secretary Sebelius Delegates Oversight and Enforcement of HIPAA Security Rule to OCR

U.S. Health and Human Services (HHS) Secretary Kathleen Sebelius has delegated oversight and enforcement of the HIPAA Administrative Simplification Security Rule Standards for Protection of Electronic Protected Health Information to HHS’s Office for Civil Rights (OCR), effective July 27, 2009. Since October 7, 2003, the Security Rule had been the responsibility of HHS’s Centers for Medicare & Medicaid Services (CMS). OCR also has responsibility for the HIPAA Administrative Simplification Privacy Rule. This delegation brings responsibility for administrative, technical, and physical standards for safeguarding of protected health information in each rule under one authority, and likely will facilitate enforcement of the HITECH Act breach, notification, and business associate security rule compliance…