200 Breaches Impacting Almost 5.9 Million Individuals, with Theft and Loss of Laptops and PEDs Major Cause

December 2, 2010.M Under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009, covered entities are required to report to the Secretary of the Department of Health and Human Services (HHS) any breach affecting 500 or more individuals within 60 days of discovery of the breach by the covered entity or its business associate.  The HHS Office for Civil Rights (OCR), which is responsible for HIPAA privacy and security enforcement,  is required to post these HIPAA privacy or security breaches on its Web site (please note that this URL is a change from the initial…

READ MORE

OCR Stepping Up HIPAA Security Enforcement

Health Data Management (HDM) reported today, May 12, that the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) is going to strengthen HIPAA Security Rule enforcement, based on statements made on Tuesday, May 11 by the OCR Deputy Director for Privacy, Susan McAndrew, at the Safeguarding Health Information conference in Washington, DC, co-sponsored by OCR and the National Institute of Standards and Technology (NIST).  “To boost enforcement of the security rule, OCR has added investigators in 10 regional offices, McAndrew notes,” as reported by Joe Goedert in the HDM article, “OCR Boosting Security Enforcement,” which is available online. This report comes several days after…

READ MORE

Prison Time for Privacy Breach of PHI; OCR Breach List Continues to Grow; More Training Needed

Health Data Management  reported in its April 29, 2010, online HDM Daily that “[a] former researcher at the UCLA School of Medicine has been sentenced to four months in federal prison for violations of the HIPAA privacy rule.”  You may access and read the article by Joseph Goedert,  “Prison for HIPAA Privacy Violater“. On the same day, April 29, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) reported on its Web site 67 entities reporting “Breaches Affecting 500 or More Individuals” over the period September 22, 2009 to March 19, 2010.  That is up from the 36 that OCR listed on its initial…

READ MORE

HITECH and HIPAA Training: Time to Double Down

As the healthcare industry continues to digest profound HITECH changes to HIPAA Privacy and Security rules, two observations already are apparent and indisputable for covered entities and their business associates.  First, time and resources spent on a workforce that is well-trained on the Privacy and Security rules will be an investment of exponential value. Second, enforcement of those same rules will make negligent and uncorrected errors very costly. A well-trained workforce makes fewer mistakes, and identifies and fixes those that it makes. A workforce that violates the rules because it does not know them or does not care to know them makes an inviting target for HITECH’s new enforcement initiatives….

READ MORE

Is Certification a Surrogate for HIPAA Privacy and Security Training?

Several visitors to HIPAA.com have asked if ‘certification’ can substitute for compliance with the HIPAA Privacy and Security training standards and new Privacy requirements under the HITECH Act. Generally, certification is a snapshot in a moment of time. The Merrim-Webster’s Collegiate Dictionary (11th ed.) defines certification as the act or state of “attest[ing] as being true or as represented or as meeting a standard.” Certification generally is done by an external source. Training is an ongoing internal process for safeguarding protected health information from unauthorized use or disclosure as business policies and procedures evolve and regulatory standards are initiated or modified. Further, training requires that workforce members, including management, demonstrate…

READ MORE

Business Associate To-Do List

What are Business Associates Required to Do to Meet HIPAA Requirements? With passage of the American Recovery and Reinvestment Act (ARRA), privacy and security compliance increased significantly with business associates immediately required to comply directly with many of HIPAA’s rules. It also dramatically expanded other remedial actions (such as increasing federal government audits; granting attorneys fees in some HIPAA lawsuits; and allowing a method for individuals to recover penalties under HIPAA). Business associates also are subject to civil and criminal penalties , including a provision that allows individuals to receive financial compensation for the violation. If you are a business associate, your “To-Do” list looks similar to the list the…

READ MORE