HIPAA Final Rule: Enforcement: Willful Neglect

February 20, 2013.  Today, we begin examination of HITECH Act modifications of HIPAA Enforcement, focusing on the meaning and consequences of willful neglect in the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013. Willful neglect is defined as “conscious, intentional failure or reckless indifference to the…

READ MORE

HIPAA Final Rule: Genetic Information Nondiscrimination Act: Manifestation or Manifested

February 19, 2013.  Today, we finish examination of modifications of HIPAA Privacy under the Genetic Information Nondiscrimination Act (GINA), by focusing on the definition: manifestation or manifested. The modifications of HIPAA Privacy are in the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013. We presented in…

READ MORE

HIPAA Final Rule: Modification of Business Associate Definition, Part (4)–Personal Health Record Vendor

February 12, 2013.  Today, we examine the role of the personal health record vendor in paragraph (3)—the third paragraph of four—of the business associate definition, as modified by the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013. Here is the second of three parts of this…

READ MORE

HIPAA Final Rule: Modification of Business Associate Definition, Part (3)

February 11, 2013.  Today, we start to examine (3)—the third paragraph of four—of the business associate definition, as modified by the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013. Here is the first of three parts of this paragraph, (i), which is the subject of today’s…

READ MORE

HIPAA Final Rule: Business Associate Definition

February 7, 2013.  Today, we provide the business associate definition, as modified by the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013. Business Associate:  Definition (78 Federal Register 5688)– “(1) Except as provided in paragraph (4) of this definition, business associate means, with respect to a…

READ MORE

HIPAA Final Rule: Security Standards, General Rules & Administrative Safeguard Modifications

February 5, 2013.  Today, we cover the modifications to Security Standards:  General Rules, and Administrative Safeguards in the HIPAA Security Rule, as modified by the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013. Security Standards:  General Rules.  The five General Rules govern how the administrative, physical,…

READ MORE

Final HIPAA Rule: Security Statutory Authority and Direct Regulation of Business Associates

February 4, 2013.  Today, we cover the security safeguards of the HIPAA Security Rule, as Modified by the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013. The statutory authority for applicability of the HIPAA Security Rule is in Section 13401 of the HITECH Act (123 STAT….

READ MORE

HIPAA Final Rule: Business Associate Notification Timing, Policy and Procedure Updates, Retraining, and Documentation

February 1, 2013.  Today, we wrap up discussion of breach notification in the Final Rule: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules.  The Final Rule is effective on March 26, 2013, and requires compliance by covered entities and business associates on September 23, 2013.  The focus is on timing of reporting a breach by a business associate to a covered entity, and, because the definition of breach was modified in the Final Rule, on the requirements to update policies and procedures,…

READ MORE

HIPAA Final Rule: More on Breach Notification Rule Changes

January 31, 2013.  Today, we briefly identify key changes or reminders regarding breach notification in the preamble of the Final Rule: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, published in the Federal Register on January 25, 2013.  The Final Rule becomes effective March 26, 2013 and requires compliance by covered entities and business associates on September 23, 2013.  Earlier this week, we have examined the changed definition of breach, the substitution of the “probability standard” for the current “harm standard” underpinning…

READ MORE

HIPAA Final Rule: Breach Notification Guidance Safe Harbor

January 30, 2013.  Today, we look at the definition of unsecured protected health information and the Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable , Unreadable, or Indecipherable to Unauthorized Individuals [“Guidance”] as discussed in the January 25, 2013 Final Rule: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act [HITECH Act]; Other Modifications to the HIPAA Rules.  The Final Rule becomes effective on March 26, 2013, and requires compliance by covered entities and business associates on September 23, 2013. Here is the definition of unsecured protected health information: “protected health information that is…

READ MORE