HIPAA Final Rule: Enforcement: Four Penalty Tiers

February 21, 2013.  Today, we examine the four penalty tiers for violations of HIPAA Rules in the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013. We start with two definitions, the first of which, Reasonable cause, was modified in the Final Rule, and the second of…

READ MORE

HIPAA Final Rule: Genetic Information Nondiscrimination Act: Manifestation or Manifested

February 19, 2013.  Today, we finish examination of modifications of HIPAA Privacy under the Genetic Information Nondiscrimination Act (GINA), by focusing on the definition: manifestation or manifested. The modifications of HIPAA Privacy are in the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013. We presented in…

READ MORE

HIPAA Final Rule: Genetic Information Nondiscrimination Act (GINA) Definitions

February 15, 2013.  Today, we present several new definitions relating to the Genetic Information Nondiscrimination Act (GINA), which addressed the application of the HIPAA Privacy Rule to genetic information.  The definitions are in the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013. The Final Rule states: …

READ MORE

HIPAA Final Rule: Modification of Business Associate Definition, Part (3)

February 11, 2013.  Today, we start to examine (3)—the third paragraph of four—of the business associate definition, as modified by the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013. Here is the first of three parts of this paragraph, (i), which is the subject of today’s…

READ MORE

HIPAA Final Rule: More on Breach Notification Rule Changes

January 31, 2013.  Today, we briefly identify key changes or reminders regarding breach notification in the preamble of the Final Rule: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, published in the Federal Register on January 25, 2013.  The Final Rule becomes effective March 26, 2013 and requires compliance by covered entities and business associates on September 23, 2013.  Earlier this week, we have examined the changed definition of breach, the substitution of the “probability standard” for the current “harm standard” underpinning…

READ MORE

HIPAA Final Rule: Breach Notification Guidance Safe Harbor

January 30, 2013.  Today, we look at the definition of unsecured protected health information and the Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable , Unreadable, or Indecipherable to Unauthorized Individuals [“Guidance”] as discussed in the January 25, 2013 Final Rule: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act [HITECH Act]; Other Modifications to the HIPAA Rules.  The Final Rule becomes effective on March 26, 2013, and requires compliance by covered entities and business associates on September 23, 2013. Here is the definition of unsecured protected health information: “protected health information that is…

READ MORE

HIPAA Final Rule: Breach Risk Assessment Factors for “Probability Standard”

January 29, 2013.  Today, we cover the four risk assessment factors pertaining to breach notification in the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules:  Final Rule that was published in the Federal Register on Friday, January 25, 2013.  As discussed in yesterday’s post, these risk assessment factors are used in assessing the probability of impermissible use or disclosure compromising protected health information, thereby requiring breach notification. This “probability standard” replaces the “harm standard,” becomes effective March 26, 2013, and requires compliance…

READ MORE

Final HIPAA/HITECH Act Privacy, Security, Enforcement, Breach Notification Rules Published in Federal Register January 25, 2013.

January 25, 2013.  The Final Rule is published, at last!  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule cleared the Office of Management and Budget on January 16, was issued online on the Federal Register’s Electronic Public Inspection Desk in pre-publication format on January 17, and published in the Federal Register today.  The Final Rule is 136 pages (pp.5566-5702).  The effective date of the Final Rule is Tuesday, March 26, 2013, and the compliance date is Monday, September 23, 2013. Here is the…

READ MORE

Final Administrative Simplification Rules for Plan ID, NPI Addition, and ICD-10 Code Set Compliance Delay Published in Federal Register

September 5, 2012.  Today, the Federal Register published the Centers for Medicare & Medicaid Services (CMS) Final Rule:  Administrative Simplification:  Adoption of a Standard for a Unique Health Plan Identifier; Addition to the National Provider Identifier [NPI] Requirements; and a Change to the Compliance Date for the International Classification of Diseases, 10th Edition (ICD-10-CM and ICD-10-PCS) Medical Data Code Sets.  We provided the detailed “Executive Summary” in our August 24, 2012, posting, based on the preview posting at the Federal Register’s Electronic Public Inspection Desk.  Below we provide the shorter publication “Summary” [p.54664]: “This final rule adopts the standard for a national unique health plan identifier (HPID) and establishes requirements…

READ MORE

CMS and ONC Publish Final Rules for Meaningful Use Stage 2 Security in Federal Register

September 4, 2012.  The Department of Health and Human Services (HHS) entities:  Centers for Medicare & Medicaid Services (CMS) and Office of the National Coordinator for Health Information Technology (ONC), published their Final Rules for Meaningful Use Stage 2 in today’s Federal Register.  This posting focuses on the preamble relating to the following Stage 2 security objective in the CMS Final Rule entitled Medicare and Medicaid Programs; Electronic Health Record Incentive Program:  “Protect electronic health information created or maintained by the Certified EHR Technology [CEHRT] through the implementation of appropriate technical capabilities.”  Reference numbers in brackets refer to the page number(s) in the September 4, 2012,  Federal Register. Associated with this objective…

READ MORE