Finally, HIPAA/HITECH Act Privacy, Security, Breach Notification, Enforcement Final Rules at OMB

March 24, 2012.   Today, the Office of Information and Regulatory Affairs at the Office of Management and Budget (OMB) in the Executive Office of the President showed that it had received the much-delayed Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Final Rules entitled:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules (RIN:  0945-AA03). Following review by OMB, the rules will be published in the Federal Register, most likely in April if OMB’s review is timely. The Abstract of the Rules reads:  “The Department of Health and Human Services Office for Civil Rights will issue final rules to modify the HIPAA Privacy, Security,…

READ MORE

Get Ready Now for Toughened HIPAA/HITECH Act Privacy and Security Rules and Enforcement, and Big Noncompliance Fines

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted on August 21, 1996, as Public Law 104-191.   HIPAA Administrative Simplification provisions in Subtitle F, Title II included transactions and code sets, privacy, security, and unique identifiers.  Except for several identifiers, the federal government promulgated enabling regulations under the Administrative Procedure Act.  For example, the Privacy Rule required compliance by healthcare providers, healthcare clearinghouses, and health plans—Covered Entities—by April 14, 2003, and the Security Rule required compliance by April 20, 2005, with small health plans for each rule having an additional year in which to comply. On February 17, 2009, the Health Information Technology for Economic and…

READ MORE

200 Breaches Impacting Almost 5.9 Million Individuals, with Theft and Loss of Laptops and PEDs Major Cause

December 2, 2010.M Under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009, covered entities are required to report to the Secretary of the Department of Health and Human Services (HHS) any breach affecting 500 or more individuals within 60 days of discovery of the breach by the covered entity or its business associate.  The HHS Office for Civil Rights (OCR), which is responsible for HIPAA privacy and security enforcement,  is required to post these HIPAA privacy or security breaches on its Web site (please note that this URL is a change from the initial…

READ MORE

Today, February 17, Business Associates Must be in Compliance with HIPAA Security Rule

Today, Wednesday, February 17, 2010, Business Associates of Covered Entities must be able to demonstrate that they are in compliance with administrative, physical, and technical safeguards of the HIPAA Security Rule, as required by the HITECH Act, enacted one year ago today as part of the American Recovery and Reinvestment Act of 2009.  In addition, Business Associate Agreements must be rewritten or amended to specifically require a Business Associate’s compliance with the Security Rule as part of its “satisfactory assurances.”  Financial penalties for noncompliance discovered during a compliance audit or complaint investigation could be severe, especially for willful neglect. Here are the appropriate authorities: Section 13401 of Part 1 (Improved…

READ MORE