OCR Publishes HIPAA/HITECH Act Privacy and Security Compliance Audit Protocol

July 9, 2012.  Late in June, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) published its HIPAA/HITECH Act Privacy and Security Compliance Audit Protocol.  Here is OCR’s description of the program, which outlines 77 audit procedures for the HIPAA Security Rule and 88 audit procedures for the HIPAA Privacy and HITECH Act Breach Notification Rules: “The OCR HIPAA Audit program analyzes processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate.  OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits.  The entire audit protocol is organized around modules, representing separate…

READ MORE

ONC Issues Meaningful Use Guide for Privacy & Security Attestation Compliance

May 9, 2012.  The Office of the National Coordinator for Health Information Technology (ONC) has issued a Guide to Privacy and Security of Health Information (Version 1.1 022312).  This Guide is targeted to medical practitioners who participate in the Medicare and Medicaid Program for Adoption and Meaningful Use of Certified Electronic Health Record Technology. Chapters are: 1. What Is Privacy & Security and Why Does It Matter? 2. Privacy & Security and Meaningful Use. 3.  Privacy & Security Step Plan for Meaningful Use. 4.  Integrating Privacy and Security into Your Practice. 5.  Privacy and Security Resources. The Guide highlights two of the Stage 1 Meaningful Use Objectives and Corresponding Measures…

READ MORE

OCR Penalizes Physician Practice for HIPAA Privacy and Security Rule Violations

April 18, 2012.  Late last week, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) executed a Resolution Agreement and included Corrective Action Plan (Appendix A) as a settlement for violations of HIPAA Privacy and Security Rules by a physician practice, Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, AZ. In its April 17, 2012, News Release, HHS stated: “The incident giving rise to OCR’s investigation was a report that the physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. On further investigation, OCR found that Phoenix Cardiac Surgery had implemented few policies and…

READ MORE

Finally, HIPAA/HITECH Act Privacy, Security, Breach Notification, Enforcement Final Rules at OMB

March 24, 2012.   Today, the Office of Information and Regulatory Affairs at the Office of Management and Budget (OMB) in the Executive Office of the President showed that it had received the much-delayed Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Final Rules entitled:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules (RIN:  0945-AA03). Following review by OMB, the rules will be published in the Federal Register, most likely in April if OMB’s review is timely. The Abstract of the Rules reads:  “The Department of Health and Human Services Office for Civil Rights will issue final rules to modify the HIPAA Privacy, Security,…

READ MORE

HITECH Act Privacy and Security Final Rules Needed Now

Since September 23, 2009, the enforcement arm of the Department of Health and Human Services (HHS), the Office for Civil Rights (OCR), has been required to publicly disclose breaches involving 500 or more individuals discovered and reported by covered entities and their business associates. As of October 25, 2011, OCR has reported 345 such breaches involving a total of 11,959,488 individuals.  Not reflected yet in the OCR disclosed breaches are two involving 6.5 million individuals:  a Nemours breach of 1.6 million individuals and a TRICARE breach involving 4.9 million individuals.  Together, these two recently reported breaches represent 54.4% of the total number of individuals affected by the publicly disclosed breaches…

READ MORE

200 Breaches Impacting Almost 5.9 Million Individuals, with Theft and Loss of Laptops and PEDs Major Cause

December 2, 2010.M Under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009, covered entities are required to report to the Secretary of the Department of Health and Human Services (HHS) any breach affecting 500 or more individuals within 60 days of discovery of the breach by the covered entity or its business associate.  The HHS Office for Civil Rights (OCR), which is responsible for HIPAA privacy and security enforcement,  is required to post these HIPAA privacy or security breaches on its Web site (please note that this URL is a change from the initial…

READ MORE

Prison Time for Privacy Breach of PHI; OCR Breach List Continues to Grow; More Training Needed

Health Data Management  reported in its April 29, 2010, online HDM Daily that “[a] former researcher at the UCLA School of Medicine has been sentenced to four months in federal prison for violations of the HIPAA privacy rule.”  You may access and read the article by Joseph Goedert,  “Prison for HIPAA Privacy Violater“. On the same day, April 29, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) reported on its Web site 67 entities reporting “Breaches Affecting 500 or More Individuals” over the period September 22, 2009 to March 19, 2010.  That is up from the 36 that OCR listed on its initial…

READ MORE

HITECH and HIPAA Training: Time to Double Down

As the healthcare industry continues to digest profound HITECH changes to HIPAA Privacy and Security rules, two observations already are apparent and indisputable for covered entities and their business associates.  First, time and resources spent on a workforce that is well-trained on the Privacy and Security rules will be an investment of exponential value. Second, enforcement of those same rules will make negligent and uncorrected errors very costly. A well-trained workforce makes fewer mistakes, and identifies and fixes those that it makes. A workforce that violates the rules because it does not know them or does not care to know them makes an inviting target for HITECH’s new enforcement initiatives….

READ MORE

HHS Strengthens HIPAA Enforcement

On Friday, October 30, 2009, HHS published in the Federal Register its Interim Final Rule that strengthens HIPAA enforcement under HITECH Act civil penalty revisions enacted as part of the American Recovery and Reinvestment Act on February 17, 2009.  “These HITECH Act revisions significantly increase the penalty amounts the Secretary [of HHS] may impose for violations of the HIPAA rules and encourage prompt corrective action,” according to the HHS press release.  The Interim Final Rule is effective as federal policy on November 30, 2009, and HHS requests comments by December 29, 2009. With the definition of ‘breach’ in the HITECH Act moving privacy and security violations under one requirement requiring…

READ MORE

Security Management Process: Risk Analysis-What to Do and How to Do It

Security Management Process is the first administrative standard of the Security Rule, and Risk Analysis is the implementation specification.  Each covered entity is required to conduct a risk analysis or assessment to determine vulnerabilities and threats and to identify and put in place risk mitigation measures for safeguarding electronic protected health information.  Electronic protected health information is the content of the HIPAA Administrative Simplification Standard Transactions and of the expected growing adoption of clinically-based electronic health record systems. What to do:  Conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. How to…

READ MORE