Get Ready Now for Toughened HIPAA/HITECH Act Privacy and Security Rules and Enforcement, and Big Noncompliance Fines

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted on August 21, 1996, as Public Law 104-191.   HIPAA Administrative Simplification provisions in Subtitle F, Title II included transactions and code sets, privacy, security, and unique identifiers.  Except for several identifiers, the federal government promulgated enabling regulations under the Administrative Procedure Act.  For example, the Privacy Rule required compliance by healthcare providers, healthcare clearinghouses, and health plans—Covered Entities—by April 14, 2003, and the Security Rule required compliance by April 20, 2005, with small health plans for each rule having an additional year in which to comply. On February 17, 2009, the Health Information Technology for Economic and…


Categories: American Recovery and Reinvestment Act, Enforcement, Health IT and HITECH, Privacy, Security

HHS Publishes HITECH Act Accounting of Disclosures NPRM

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has published in the May 31, 2011, Federal Register the Notice of Proposed Rule Making (NPRM) entitled HIPAA Privacy Rule Accounting of Disclosures Under the Health Information Technology for Economic and Clinical Health Act (76(104), pp. 31426-31449). This NPRM is available online in pdf.  Comments on the NPRM are requested to be submitted on or before August 1, 2011.  The Summary of the NPRM with abbreviations, as noted, on p. 31426, is: “HHS is issuing this NPRM to modify the HIPAA Privacy Rule’s standard for accounting of disclosures of protected health information.  The purpose of these modifications…


Categories: American Recovery and Reinvestment Act, Health IT and HITECH, HIPAA Law, Privacy

OMB Clears HITECH Act Accounting of Disclosures NPRM

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR), responsible for enforcement of the HIPAA Privacy, Security, and Breach Notification Rules, will issue a Notice of Proposed Rule Making (NPRM) to modify the HIPAA Privacy Rule as necessary to implement the accounting of disclosures provisions of Section 13405(c) of the Health Information Technology for Economic and Clinical Health Act (HITECH Act) (Title XIII of the American Recovery and Reinvestment Act of 2009–Public Law 111-5).  Section 13405(c) is entitled: Accounting of Certain Protected Health Information Disclosures Required if Covered Entity Uses Electronic Health Record. The NPRM was submitted on February 9, 2011, by HHS to the Office…


Categories: American Recovery and Reinvestment Act, Enforcement, Health IT and HITECH, HIPAA Law, Privacy

Over 10 Million Individuals Now Affected by Large Data Breaches, as Reported on OCR Web site

Under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009, covered entities are required to report to the Secretary of the U.S. Department of Health and Human Services (HHS) any privacy or security breach affecting 500 or more individuals within 60 days of discovery of the breach by the covered entity or its business associate.  The HHS Office for Civil Rights (OCR), which is responsible for privacy and security enforcement under the Health Insurance Portability and Accountability Act (HIPAA) and HITECH Act provisions that strengthened privacy and security enforcement, is required to post those breaches on…


Categories: American Recovery and Reinvestment Act, Enforcement, Health IT and HITECH, HIPAA Law, Privacy, Security

Nearly 8.3 Million Individuals Impacted by 249 Privacy and Security Breaches Reported by HHS; More Training on Safeguarding PHI Required

Under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009, covered entities are required to report to the Secretary of the U.S. Department of Health and Human Services (HHS) any privacy or security breach affecting 500 or more individuals within 60 days of discovery of the breach by the covered entity or its business associate.  The HHS Office for Civil Rights (OCR), which is responsible for privacy and security enforcement under the Health Insurance Portability and Accountability Act (HIPAA) and HITECH Act provisions that strengthened privacy and security enforcement, is required to post those breaches…


Categories: American Recovery and Reinvestment Act, Enforcement, Health IT and HITECH, HIPAA Law, Privacy, Security

Permanent HIT Certification Final Rule Published by ONC in Federal Register

January 7, 2011.  The Department of Health and Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC) published today in the Federal Register the final rule for Establishment of the Permanent Certification Program for Health Information Technology (HIT), available online.  This regulation is effective on February 7, 2011.  According to the January 3, 2011, HHS News Release, “[t]he temporary  certification program, established through a final rule published on June 24, 2010, will continue in effect until it sunsets on December 31, 2011, or at a later date when the processes necessary for the permanent certification program to operate are completed. ONC expects to stand-up the programmatic…


Categories: Health IT and HITECH, Meaningful Use

Healthcare Providers Receive FTC Red Flags Exemption from Congress

HIPAA.com has covered the provisions of the Federal Trade Commission (FTC) Red Flags Rule in earlier postings.  Congressional action now exempts healthcare providers from compliance with the provisions of the Red Flags Rule. On Tuesday, December 7, the House by voice vote joined the Senate in passage of S.3987, the Red Flag Program Clarification Act of 2010.  On November 30, 2010, the Senate passed this legislation by unanimous consent.  The bill has been cleared to the White House for signature. The following information from the Library of Congress summarizes S 3987 (see http://thomas.loc.gov): “Amends the Fair Credit Reporting Act, with respect to federal agency (red flag) guidelines regarding identity theft…


Categories: Red Flags Rules

200 Breaches Impacting Almost 5.9 Million Individuals, with Theft and Loss of Laptops and PEDs Major Cause

December 2, 2010. Under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009, covered entities are required to report to the Secretary of the Department of Health and Human Services (HHS) any breach affecting 500 or more individuals within 60 days of discovery of the breach by the covered entity or its business associate. The HHS Office for Civil Rights (OCR), which is responsible for HIPAA privacy and security enforcement, is required to post these HIPAA privacy or security breaches on its Web site (please note that this URL is a change from the initial…


Categories: American Recovery and Reinvestment Act, Enforcement, Health IT and HITECH, Privacy, Security

HHS Pulls Breach Notification Final Rule

The HIPAA Administrative Simplification; Notification in the Case of Breach Final Rule (Regulation Identifier Number (RIN) 0991-AB56) has been at the Office of Management and Budget (OMB) since May 14, 2010, for Executive Order (EO) 12866 review and approval prior to publication in the Federal Register. On July 28, 2010, HHS “withdrew” this Final Rule, with the following explanation: “The Interim Final Rule for Breach Notification for Unsecured Protected Health Information, issued pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, was published in the Federal Register on August 24, 2009, and became effective on September 23, 2009. During the 60-day public comment period on the…


Categories: American Recovery and Reinvestment Act, Enforcement, Health IT and HITECH, HIPAA Law, Privacy, Security

EHR Incentive and Certification Criteria Final Rules Published in Federal Register

The EHR Incentive and Certification final rules were published in the Federal Register this morning, July 28, 2010.  HIPAA.com provides the title, summary, effective date, and URL for each below. Department of Health and Human Services, Centers for Medicare & Medicaid Services, “42 CFR Parts 412, 413, 422, and 495;  Medicare and Medicaid Programs; Electronic Health Record Incentive Program; Final Rule, Federal Register, 75(144), Wednesday, July 28, 2010, pp. 44313-44588. Summary:  This final rule implements the provisions of the American Recovery and Reinvestment Act of 2009 (ARRA)(Public Law 111-5) that provide incentive payments to eligible professionals (EPs), eligible hospitals and critical access hospitals (CAHs) participating in Medicare and Medicaid programs…


Categories: American Recovery and Reinvestment Act, Health IT and HITECH, Meaningful Use