OCR’s Publicly Disclosed Large Breaches Now Top 20 Million Impacted Individuals

May 16, 2012.  The Department of Health and Human Services’ (HHS) HIPAA/HITECH Act privacy and security enforcement arm, Office for Civil Rights (OCR), is responsible under the HITECH Act to publicly disclose privacy and security breaches that affect 500 or more individuals on its Breach Notification Web site.  With the now reported Utah Department of Health hacking/IT incident breach occurring in the period March 10-April 2, 2012 and affecting a reported 780,000 individuals, the total number in 435 breaches reported since September 22, 2009, now totals 20,079,189 impacted individuals.  Of the total number of breaches where location of breached information is known (e.g., electronic or hard copy source), 72% of…

READ MORE

Finally, HIPAA/HITECH Act Privacy, Security, Breach Notification, Enforcement Final Rules at OMB

March 24, 2012.   Today, the Office of Information and Regulatory Affairs at the Office of Management and Budget (OMB) in the Executive Office of the President showed that it had received the much-delayed Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Final Rules entitled:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules (RIN:  0945-AA03). Following review by OMB, the rules will be published in the Federal Register, most likely in April if OMB’s review is timely. The Abstract of the Rules reads:  “The Department of Health and Human Services Office for Civil Rights will issue final rules to modify the HIPAA Privacy, Security,…

READ MORE

OCR Announces November 2011 Start of Privacy and Security Compliance Audits

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for privacy and security enforcement under Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act provisions. OCR has announced that it is initiating compliance audits beginning this month, as authorized by the HITECH Act.  This action precedes the imminent release of the Final HIPAA/HITECH Act Privacy, Security, Breach Notification, and Enforcement Rules, expected before the end of 2011, and will strengthen enforcement and accountability for compliance with existing and forthcoming Rule modifications.   To avoid the consequences of potential penalties for non-compliance, covered entities and business…

READ MORE

Get Ready Now for Toughened HIPAA/HITECH Act Privacy and Security Rules and Enforcement, and Big Noncompliance Fines

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted on August 21, 1996, as Public Law 104-191.   HIPAA Administrative Simplification provisions in Subtitle F, Title II included transactions and code sets, privacy, security, and unique identifiers.  Except for several identifiers, the federal government promulgated enabling regulations under the Administrative Procedure Act.  For example, the Privacy Rule required compliance by healthcare providers, healthcare clearinghouses, and health plans—Covered Entities—by April 14, 2003, and the Security Rule required compliance by April 20, 2005, with small health plans for each rule having an additional year in which to comply. On February 17, 2009, the Health Information Technology for Economic and…

READ MORE