HIPAA Final Rule: Business Associate Notification Timing, Policy and Procedure Updates, Retraining, and Documentation

February 1, 2013.  Today, we wrap up discussion of breach notification in the Final Rule: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules.  The Final Rule is effective on March 26, 2013, and requires compliance by covered entities and business associates on September 23, 2013.  The focus is on timing of reporting a breach by a business associate to a covered entity, and, because the definition of breach was modified in the Final Rule, on the requirements to update policies and procedures,…

HHS Secretary Sebelius Delegates Oversight and Enforcement of HIPAA Security Rule to OCR

U.S. Health and Human Services (HHS) Secretary Kathleen Sebelius has delegated oversight and enforcement of the HIPAA Administrative Simplification Security Rule Standards for Protection of Electronic Protected Health Information to HHS’s Office of Civil Rights (OCR), effective July 27, 2009.  Since October 7, 2003, the Security Rule had been the responsibility of HHS’s Center for Medicare & Medicaid Services (CMS). OCR also has responsibility for the HIPAA Administrative Simplification Privacy Rule.  This delegation brings responsibility for administrative, technical, and physical standards for safeguarding of protected health information in each rule under one authority, and likely will facilitate enforcement of the HITECH Act breach, notification, and business associate security rule compliance…
