Over 10 Million Individuals Now Affected by Large Data Breaches, as Reported on OCR Web site

Under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009, covered entities are required to report to the Secretary of the U.S. Department of Health and Human Services (HHS) any privacy or security breach affecting 500 or more individuals within 60 days of discovery of the breach by the covered entity or its business associate.  The HHS Office for Civil Rights (OCR), which is responsible for privacy and security enforcement under the Health Insurance Portability and Accountability Act (HIPAA) and HITECH Act provisions that strengthened privacy and security enforcement, is required to post those breaches on…

READ MORE

HIPAA Privacy, Security, Enforcement Rule Modifications NPRM at Federal Register

This morning, July 8, 2010, HHS’ Modifications to the HIPAA Privacy, Security, and Enforcement Rules under the Health Information Technology for Economic and Clinical Health Act Notice of Proposed Rulemaking (NPRM) was posted at the Federal Register for public access prior to publication.  It will be published on Wednesday, July 14, 2010.  The 234 page NPRM can be accessed in portable document format (pdf) online at:  http://www.ofr.gov/OFRUpload/OFRData/2010-16718_PI.pdf.  There will be a 60-day comment period relating to the content of the NPRM.  HIPAA.com will provide a synopsis of the NPRM in a series of postings following publication in the Federal Register.

OMB Completes Review of HIPAA/HITECH Act Privacy, Security, Enforcement Rule Modifications NPRM

On July 1, 2010, the Office of Management and Budget (OMB) completed review of the Notice of Proposed Rulemaking (NPRM) entitled: Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act](RIN:  0991-AB57).  The NPRM was received at OMB for review on April 12, 2010.  It likely will be published in the Federal Register imminently. Legal authority for the NPRM is in Sections 13400 to 13410 of Subtitle D (Privacy) of the HITECH Act, which was enacted as part of the American Recovery and Reinvestment Act of 2009 (Public Law 111-5), enacted on February 17, 2009. Those sections cover:…

READ MORE

OCR Identifies 36 Entities with Breaches Affecting 500 or More Individuals

On Monday, February 22, 2010, the federal government, through the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS), began enforcing the Breach Notification Rule for breaches occurring on or after that date.  The Breach Notification for Unsecured Protected Health Information; Interim Final Rule, was published in the Federal Register on Monday, August 24, 2009 [74 FR 42739-42770] and was effective September 23, 2009.  Since September 22, 2009, 36 breaches of privacy or security of protected health information (PHI) affecting 500 or more individuals have been reported to OCR.  The total number of individuals affected was 1,073,657, with two of the breaches involving 359,000 (FL)…

READ MORE

HHS Publishes EHR Standards, Implementation Specifications and Certification Criteria IFR

HHS published today in the Federal Register:  “Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology”  75 FR 2013-2047.  This Interim Final Rule (IFR) is effective February 2, 2010.  Comments on the IFR may be submitted to HHS no later than March 15, 2010.  Here is the Summary from the IFR: “The Department of Health and Human Services (HHS) is issuing this interim final rule with a request for comments to adopt an initial set of standards, implementation specifications, and certification criteria, as required by section 3004(b)(1) of the Public Health Service Act.  This interim final rule represents the first step in…

READ MORE

Exploring HIPAA and HITECH Act Definitions: Part 16

From now through early December, HIPAA.com is providing a run through of HIPAA transaction & code set, privacy, and security definitions, along with relevant HITECH Act definitions pertaining to breach notification, securing of protected health information, and electronic health record (EHR) standards development and adoption. These definitions are key to understanding the referenced HIPAA and HITECH Act enabling regulations that are effective now and that will require compliance by covered entities and business associates now or in the months ahead, as indicated in HIPAA.com’s timeline. Each posting will contain three definitions, with a date reference to the Federal Register, Code of Federal Regulations (CFR), or statute, as appropriate. Exploring HIPAA…

READ MORE

Exploring HIPAA and HITECH Act Definitions: Part 15

From now through December, HIPAA.com is providing a run through of HIPAA transaction & code set, privacy, and security definitions, along with relevant HITECH Act definitions pertaining to breach notification, securing of protected health information, and electronic health record (EHR) standards development and adoption. These definitions are key to understanding the referenced HIPAA and HITECH Act enabling regulations that are effective now and that will require compliance by covered entities and business associates now or in the months ahead, as indicated in HIPAA.com’s timeline. Each posting will contain three definitions, with a date reference to the Federal Register, Code of Federal Regulations (CFR), or statute, as appropriate. Exploring HIPAA and…

READ MORE

Exploring HIPAA and HITECH Act Definitions: Part 14

From now through December, HIPAA.com is providing a run through of HIPAA transaction & code set, privacy, and security definitions, along with relevant HITECH Act definitions pertaining to breach notification, securing of protected health information, and electronic health record (EHR) standards development and adoption. These definitions are key to understanding the referenced HIPAA and HITECH Act enabling regulations that are effective now and that will require compliance by covered entities and business associates now or in the months ahead, as indicated in HIPAA.com’s timeline. Each posting will contain three definitions, with a date reference to the Federal Register, Code of Federal Regulations (CFR), or statute, as appropriate. Exploring HIPAA and…

READ MORE

Exploring HIPAA and HITECH Act Definitions: Part 13

From now through December, HIPAA.com is providing a run through of HIPAA transaction & code set, privacy, and security definitions, along with relevant HITECH Act definitions pertaining to breach notification, securing of protected health information, and electronic health record (EHR) standards development and adoption. These definitions are key to understanding the referenced HIPAA and HITECH Act enabling regulations that are effective now and that will require compliance by covered entities and business associates now or in the months ahead, as indicated in HIPAA.com’s timeline. Each posting will contain three definitions, with a date reference to the Federal Register, Code of Federal Regulations (CFR), or statute, as appropriate. Exploring HIPAA and…

READ MORE

Exploring HIPAA and HITECH Act Definitions: Part 12

From now through December, HIPAA.com is providing a run through of HIPAA transaction & code set, privacy, and security definitions, along with relevant HITECH Act definitions pertaining to breach notification, securing of protected health information, and electronic health record (EHR) standards development and adoption. These definitions are key to understanding the referenced HIPAA and HITECH Act enabling regulations that are effective now and that will require compliance by covered entities and business associates now or in the months ahead, as indicated in HIPAA.com’s timeline. Each posting will contain three definitions, with a date reference to the Federal Register, Code of Federal Regulations (CFR), or statute, as appropriate. Exploring HIPAA and…

READ MORE