OCR of HHS FINALLY Issues HIPAA/HITECH Act Privacy, Security, Enforcement, and Breach Notification Modifications Final Rule

January 18, 2013. On January 16, 2013, the Office of Management and Budget (OMB) completed its EO 12866 regulatory review of RIN:  0945-AA03, and the long-awaited release of the Department of Health and Human Services’ Office for Civil Rights (OCR) so-called “Omnibus” Final Rule was published at 4:15 PM on January 17, 2013, in pre-publication final draft form on the Federal Register’s Electronic Public Inspection Desk.  Publication in the Federal Register is scheduled for Friday, January 25, 2013.  The title of the Final Rule is:  45 CFR Parts 160 and 164:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and…

READ MORE

Finally, HIPAA/HITECH Act Privacy, Security, Breach Notification, Enforcement Final Rules at OMB

March 24, 2012.   Today, the Office of Information and Regulatory Affairs at the Office of Management and Budget (OMB) in the Executive Office of the President showed that it had received the much-delayed Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Final Rules entitled:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules (RIN:  0945-AA03). Following review by OMB, the rules will be published in the Federal Register, most likely in April if OMB’s review is timely. The Abstract of the Rules reads:  “The Department of Health and Human Services Office for Civil Rights will issue final rules to modify the HIPAA Privacy, Security,…

READ MORE

BCBST Pays $1.5 Million to HHS to Settle Potential HIPAA Privacy and Security Violations

On March 13, 2012, Blue Cross Blue Shield of Tennessee (BCBST) agreed to a payment of $1.5 million to the Department of Health and Human Services (HHS) and to a corrective action plan as part of a Resolution Agreement with HHS for potential violation of Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rule violations.  According to a HHS Press Release of the same date, “the enforcement action [by HHS’ Office for Civil Rights (OCR)] is the first resulting from a breach report required by the Health Information Technology for Economic and Clinical Health (HITECH) Act Breach Notification Rule.” According to the HHS Press Release: “The investigation followed…

READ MORE

HHS Publishes HITECH Act Accounting of Disclosures NPRM

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has published in the May 31, 2011, Federal Register the Notice of Proposed Rule Making (NPRM) entitled HIPAA Privacy Rule Accounting of Disclosures Under the Health Information Technology for Economic and Clinical Health Act (76(104), pp. 31426-31449). This NPRM is available online in pdf.  Comments on the NPRM are requested to be submitted on or before August 1, 2011.  The Summary of the NPRM with abbreviations, as noted, on p. 31426, is: “HHS is issuing this NPRM to modify the HIPAA Privacy Rule’s standard for accounting of disclosures of protected health information.  The purpose of these modifications…

READ MORE

HHS Pulls Breach Notification Final Rule

The HIPAA Administrative Simplification; Notification in the Case of Breach Final Rule (Regulation Identifier Number (RIN) 0991-AB56) has been at the Office of Management and Budget (OMB) since May 14, 2010, for Executive Order (EO) 12866 review and approval prior to publication in the Federal Register. On July 28, 2010, HHS “withdrew” this Final Rule, with the following explanation: “The Interim Final Rule for Breach Notification for Unsecured Protected Health Information, issued pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, was published in the Federal Register on August 24, 2009, and became effective on September 23, 2009. During the 60-day public comment period on the…

READ MORE

OCR Reports 107 Breaches Affecting Over 4 Million Individuals (II)

The Office for Civil Rights (OCR) regularly updates its Web site listing of breaches affecting 500 or more individuals. As of July 2, 2010, there were 107 breaches listed that were reported to have occurred between September 22, 2009 and June 11, 2010. Individuals affected by these publicly listed breaches totaled 4,086,980. Six of the 107 breaches, or 5.6% of the total, affected 3,353,627 individuals, or 82% of the total. This is the second of three postings that analyzes the data from these 107 breaches. This posting (II) covers paper breaches. The first posting (I) covered electronic breaches, and the final posting (III) looks at the prevalence of business associate…

READ MORE

HIPAA Privacy, Security, Enforcement Rule Modifications NPRM at Federal Register

This morning, July 8, 2010, HHS’ Modifications to the HIPAA Privacy, Security, and Enforcement Rules under the Health Information Technology for Economic and Clinical Health Act Notice of Proposed Rulemaking (NPRM) was posted at the Federal Register for public access prior to publication.  It will be published on Wednesday, July 14, 2010.  The 234 page NPRM can be accessed in portable document format (pdf) online at:  http://www.ofr.gov/OFRUpload/OFRData/2010-16718_PI.pdf.  There will be a 60-day comment period relating to the content of the NPRM.  HIPAA.com will provide a synopsis of the NPRM in a series of postings following publication in the Federal Register.

Final Rules for EHR Incentives and Certification Criteria at OMB for Review

The Office of Management and Budget (OMB) received in early July for Executive Order (EO) 12866 Regulatory Planning and Review two Final Rules relating to electronic health record (EHR) incentives and certification criteria required under the Health Information Technology for Economic and Clinical Health Act (HITECH Act) that was enacted on February 17, 2009 as part of the American Recovery and Reinvestment Act of 2009. On Friday, July 2, 2010, OMB received from the Office of the Secretary at the Department of Health and Human Services (HHS) for review Health Information Technology:  Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology; Final Rule.  The Interim Final…

READ MORE

OMB Completes Review of HIPAA/HITECH Act Privacy, Security, Enforcement Rule Modifications NPRM

On July 1, 2010, the Office of Management and Budget (OMB) completed review of the Notice of Proposed Rulemaking (NPRM) entitled: Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act](RIN:  0991-AB57).  The NPRM was received at OMB for review on April 12, 2010.  It likely will be published in the Federal Register imminently. Legal authority for the NPRM is in Sections 13400 to 13410 of Subtitle D (Privacy) of the HITECH Act, which was enacted as part of the American Recovery and Reinvestment Act of 2009 (Public Law 111-5), enacted on February 17, 2009. Those sections cover:…

READ MORE

OCR Reports 107 Breaches Affecting Over 4 Million Individuals (I)

As of the July 4th holiday weekend, the Office for Civil Rights (OCR) has updated again its Web site listing of breaches affecting 500 or more individuals.  As of July 2, 2010, there were 107 breaches listed that were reported to have occurred between September 22, 2009 and June 11, 2010. Individuals affected by these publicly listed breaches totaled 4,086,980.  Six of the 107 breaches, or 5.6% of the total, affected 3,353,627 individuals, or 82% of the total.  This is the first of three postings that analyzes the data from these 107 breaches.  This posting (I) covers electronic breaches, the next posting (II) covers hard copy (paper) breaches, and the…

READ MORE