September 4, 2012. The Department of Health and Human Services (HHS) entities: Centers for Medicare & Medicaid Services (CMS) and Office of the National Coordinator for Health Information Technology (ONC), published their Final Rules for Meaningful Use Stage 2 in today’s Federal Register. This posting focuses on the preamble relating to the following Stage 2 security objective in the CMS Final Rule entitled Medicare and Medicaid Programs; Electronic Health Record Incentive Program: “Protect electronic health information created or maintained by the Certified EHR Technology [CEHRT] through the implementation of appropriate technical capabilities.” Reference numbers in brackets refer to the page number(s) in the September 4, 2012, Federal Register. Associated with this objective…
Tag: safeguard
Five HIPAA Compliance Activities Your Organization Must Undertake
HIPAA Administrative Simplification was enacted on August 21, 1996 as Subtitle F of Title II of Public Law 104-191. The so-called HITECH Act “Omnibus” regulation that modifies HIPAA privacy and security provisions will be published in the Federal Register by the end of this summer, according to the head of HHS’ National Coordinator for Health Information Technology, Farzad Mostashari, M.D. Based on the timeline in the Notice of Proposed Rule Making, compliance by all covered entities and their business associates would be required 240 days after publication, most likely sometime in May 2013, assuming the end-of-summer deadline is met. All covered entities and their business associates will be required to comply with provisions of…
OCR’s Publicly Disclosed Large Breaches Now Top 20 Million Impacted Individuals
May 16, 2012. The Department of Health and Human Services’ (HHS) HIPAA/HITECH Act privacy and security enforcement arm, Office for Civil Rights (OCR), is responsible under the HITECH Act to publicly disclose privacy and security breaches that affect 500 or more individuals on its Breach Notification Web site. With the now reported Utah Department of Health hacking/IT incident breach occurring in the period March 10-April 2, 2012 and affecting a reported 780,000 individuals, the total number in 435 breaches reported since September 22, 2009, now totals 20,079,189 impacted individuals. Of the total number of breaches where location of breached information is known (e.g., electronic or hard copy source), 72% of…
ONC Issues Meaningful Use Guide for Privacy & Security Attestation Compliance
May 9, 2012. The Office of the National Coordinator for Health Information Technology (ONC) has issued a Guide to Privacy and Security of Health Information (Version 1.1 022312). This Guide is targeted to medical practitioners who participate in the Medicare and Medicaid Program for Adoption and Meaningful Use of Certified Electronic Health Record Technology. Chapters are: 1. What Is Privacy & Security and Why Does It Matter? 2. Privacy & Security and Meaningful Use. 3. Privacy & Security Step Plan for Meaningful Use. 4. Integrating Privacy and Security into Your Practice. 5. Privacy and Security Resources. The Guide highlights two of the Stage 1 Meaningful Use Objectives and Corresponding Measures…
CMS Initiates 90-Day Enforcement Discretion for 5010 Compliance
January 1, 2012, is the date for covered entities to achieve compliance with ASC X12 Version 5010, NCPDP Telecom D.0, and NCPDP Medicaid Subrogation 3.0 transaction standards. Covered entities include healthcare providers, health plans, and healthcare clearinghouses. Small health plans have until January 1, 2013, to comply with the NCPDP Medicaid Subrogation 3.0 standard. The Center for Medicare & Medicaid Services (CMS) Office of E-Health Standards and Services (OESS) is responsible for enforcement of compliance with electronic transaction standards. CMS announced on November 17, 2011, that “[w]hile enforcement action will not be taken [from January 1-March 31, 2012], OESS will continue to accept complaints associated with compliance with Version 5010,…
HITECH Act Breached Individuals Skyrocket in Latest OCR Web Site Posting
Under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009, covered entities are required to report to the Secretary of the U.S. Department of Health and Human Services (HHS) any privacy or security breach affecting 500 or more individuals within 60 days of discovery of the breach by the covered entity or its business associate. The HHS Office for Civil Rights (OCR), which is responsible for privacy and security enforcement under the Health Insurance Portability and Accountability Act (HIPAA) and HITECH Act provisions that strengthened privacy and security enforcement, is required to post those breaches…
Nearly 8.3 Million Individuals Impacted by 249 Privacy and Security Breaches Reported by HHS; More Training on Safeguarding PHI Required
Under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009, covered entities are required to report to the Secretary of the U.S. Department of Health and Human Services (HHS) any privacy or security breach affecting 500 or more individuals within 60 days of discovery of the breach by the covered entity or its business associate. The HHS Office for Civil Rights (OCR), which is responsible for privacy and security enforcement under the Health Insurance Portability and Accountability Act (HIPAA) and HITECH Act provisions that strengthened privacy and security enforcement, is required to post those breaches…
HHS Strengthens HIPAA Enforcement
On Friday, October 30, 2009, HHS published in the Federal Register its Interim Final Rule that strengthens HIPAA enforcement under HITECH Act civil penalty revisions enacted as part of the American Recovery and Reinvestment Act on February 17, 2009. “These HITECH Act revisions significantly increase the penalty amounts the Secretary [of HHS] may impose for violations of the HIPAA rules and encourage prompt corrective action,” according to the HHS press release. The Interim Final Rule is effective as federal policy on November 30, 2009, and HHS requests comments by December 29, 2009. With the definition of ‘breach’ in the HITECH Act moving privacy and security violations under one requirement requiring…
Contingency Plan: Disaster Recovery Plan-What to Do and How to Do It
In our series on the HIPAA Administrative Simplification Security Rule, this is the second implementation specification for the Administrative Safeguard Standard (Contingency Plan). This implementation specification is required. As HIPAA.com has noted in earlier postings, with enactment of the American Recovery and Reinvestment Act of 2009 (ARRA) on February 17, 2009, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010. What to Do Establish (and implement as needed) procedures to restore any loss of data. How to Do It The content and procedures of a covered entity’s disaster recovery plan will be » Outcomes of the covered entity’s identification of vulnerabilities and…