Under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009, covered entities are required to report to the Secretary of the U.S. Department of Health and Human Services (HHS) any privacy or security breach affecting 500 or more individuals within 60 days of discovery of the breach by the covered entity or its business associate. The HHS Office for Civil Rights (OCR), which is responsible for privacy and security enforcement under the Health Insurance Portability and Accountability Act (HIPAA) and HITECH Act provisions that strengthened privacy and security enforcement, is required to post those breaches…
Tag: electronic media
OCR Stepping Up HIPAA Security Enforcement
Health Data Management (HDM) reported today, May 12, that the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) is going to strengthen HIPAA Security Rule enforcement, based on statements made on Tuesday, May 11 by the OCR Deputy Director for Privacy, Susan McAndrew, at the Safeguarding Health Information conference in Washington, DC, co-sponsored by OCR and the National Institute of Standards and Technology (NIST). “To boost enforcement of the security rule, OCR has added investigators in 10 regional offices, McAndrew notes,” as reported by Joe Goedert in the HDM article, “OCR Boosting Security Enforcement,” which is available online. This report comes several days after…
OCR Identifies 36 Entities with Breaches Affecting 500 or More Individuals
On Monday, February 22, 2010, the federal government, through the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS), began enforcing the Breach Notification Rule for breaches occurring on or after that date. The Breach Notification for Unsecured Protected Health Information; Interim Final Rule, was published in the Federal Register on Monday, August 24, 2009 [74 FR 42739-42770] and was effective September 23, 2009. Since September 22, 2009, 36 breaches of privacy or security of protected health information (PHI) affecting 500 or more individuals have been reported to OCR. The total number of individuals affected was 1,073,657, with two of the breaches involving 359,000 (FL)…
Word of the Day: Electronic Media
Electronic Media: Electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or transmission media used to exchange information already in electronic storage media. Transmission media include the Internet (wide open), extranet (using Internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Written communications sent via facsimile (not from one computer to another) and verbal information exchanges are not considered electronic media.
HIPAA ‘Protected Health Information’: What Does PHI Include?
HIPAA.com has received from its readers requests for information on topics related to HIPAA Administrative Simplification Privacy and Security Rules and to updates to those rules reflected in the HITECH Act provisions of the American Recovery and Reinvestment Act of 2009, signed by President Obama on February 17, 2009. Of particular interest to readers is: what exactly is protected health information (PHI)? Protected Health Information To get to protected health information, you have to examine two definitions that were in Section 1171 of Part C of Subtitle F of Public Law 104-191 (August 21, 1996): Health Insurance Portability and Accountability Act of 1996: Administrative Simplification. These statutory definitions are of…
Transmission Security: What This HIPAA Security Rule Technical Safeguard Standard Means
This is the fifth and last Technical Safeguard Standard of the HIPAA Administrative Simplification Security Rule. It has two implementation specifications: integrity controls; and encryption. Each is addressable. Addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009. For compliance with…
Person or Entity Authentication: What This HIPAA Security Rule Technical Safeguard Standard Means
This is the fourth Technical Safeguard Standard of the HIPAA Administrative Simplification Security Rule. There is not a separately described implementation specification. Rather, this standard’s implementation specification is connoted in the language of the standard and is required. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009. For compliance with this Technical Safeguard Standard, a covered entity is required to implement procedures to verify that…
Physical Safeguard Standard, Device and Media Controls: Data Backup and Storage Implementation Specification-What to Do and How to Do It
In our series on the HIPAA Administrative Simplification Security Rule, Device and Medial Controls is the fourth and last Physical Safeguard Standard. Data Backup and Storage is the fourth and last of four implementation specifications, and it is addressable. Remember, addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act…
Physical Safeguard Standard, Device and Media Controls: Disposal Implementation Specification-What to Do and How to Do It
In our series on the HIPAA Administrative Simplification Security Rule, Device and Medial Controls is the fourth and last Physical Safeguard Standard. Disposal is the first of four implementation specifications, and it is required. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009. What to Do A covered entity must implement policies and procedures to address the final disposition of electronic protected health information and…
Device and Media Controls: What This HIPAA Security Rule Physical Safeguard Standard Means
This is the fourth and last Physical Safeguard Standard of the HIPAA Administrative Simplification Security Rule. It has four implementation specifications: disposal, media re-use, accountability, and data backup and storage. The first two are required; the last two are addressable. Addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act…