HIPAA Final Rule: Enforcement–Factors for Determining Civil Money Penalties for HIPAA Violations

February 25, 2013.  Today, we examine factors considered in determining the amount of a civil money penalty for a HIPAA violation that are modified in the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013. The Department of Health and Human Services (HHS) identified “five general factors”…

READ MORE

HIPAA Final Rule: Modified Rule for Business Associates and Subcontractors

February 6, 2013.  Today, we cover the business associate Administrative Safeguard (b) of the Security Rule, as modified by the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013. HIPAA did not directly regulate business associates of covered entities.  The HITECH Act’s 13401 statutorily changed that:  The…

READ MORE

HIPAA Final Rule: Business Associate Notification Timing, Policy and Procedure Updates, Retraining, and Documentation

February 1, 2013.  Today, we wrap up discussion of breach notification in the Final Rule: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules.  The Final Rule is effective on March 26, 2013, and requires compliance by covered entities and business associates on September 23, 2013.  The focus is on timing of reporting a breach by a business associate to a covered entity, and, because the definition of breach was modified in the Final Rule, on the requirements to update policies and procedures,…

READ MORE

OCR of HHS FINALLY Issues HIPAA/HITECH Act Privacy, Security, Enforcement, and Breach Notification Modifications Final Rule

January 18, 2013. On January 16, 2013, the Office of Management and Budget (OMB) completed its EO 12866 regulatory review of RIN:  0945-AA03, and the long-awaited release of the Department of Health and Human Services’ Office for Civil Rights (OCR) so-called “Omnibus” Final Rule was published at 4:15 PM on January 17, 2013, in pre-publication final draft form on the Federal Register’s Electronic Public Inspection Desk.  Publication in the Federal Register is scheduled for Friday, January 25, 2013.  The title of the Final Rule is:  45 CFR Parts 160 and 164:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and…

READ MORE

OCR Publishes HIPAA/HITECH Act Privacy and Security Compliance Audit Protocol

July 9, 2012.  Late in June, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) published its HIPAA/HITECH Act Privacy and Security Compliance Audit Protocol.  Here is OCR’s description of the program, which outlines 77 audit procedures for the HIPAA Security Rule and 88 audit procedures for the HIPAA Privacy and HITECH Act Breach Notification Rules: “The OCR HIPAA Audit program analyzes processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate.  OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits.  The entire audit protocol is organized around modules, representing separate…

READ MORE

OCR’s Publicly Disclosed Large Breaches Now Top 20 Million Impacted Individuals

May 16, 2012.  The Department of Health and Human Services’ (HHS) HIPAA/HITECH Act privacy and security enforcement arm, Office for Civil Rights (OCR), is responsible under the HITECH Act to publicly disclose privacy and security breaches that affect 500 or more individuals on its Breach Notification Web site.  With the now reported Utah Department of Health hacking/IT incident breach occurring in the period March 10-April 2, 2012 and affecting a reported 780,000 individuals, the total number in 435 breaches reported since September 22, 2009, now totals 20,079,189 impacted individuals.  Of the total number of breaches where location of breached information is known (e.g., electronic or hard copy source), 72% of…

READ MORE

OCR Penalizes Physician Practice for HIPAA Privacy and Security Rule Violations

April 18, 2012.  Late last week, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) executed a Resolution Agreement and included Corrective Action Plan (Appendix A) as a settlement for violations of HIPAA Privacy and Security Rules by a physician practice, Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, AZ. In its April 17, 2012, News Release, HHS stated: “The incident giving rise to OCR’s investigation was a report that the physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. On further investigation, OCR found that Phoenix Cardiac Surgery had implemented few policies and…

READ MORE

Finally, HIPAA/HITECH Act Privacy, Security, Breach Notification, Enforcement Final Rules at OMB

March 24, 2012.   Today, the Office of Information and Regulatory Affairs at the Office of Management and Budget (OMB) in the Executive Office of the President showed that it had received the much-delayed Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Final Rules entitled:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules (RIN:  0945-AA03). Following review by OMB, the rules will be published in the Federal Register, most likely in April if OMB’s review is timely. The Abstract of the Rules reads:  “The Department of Health and Human Services Office for Civil Rights will issue final rules to modify the HIPAA Privacy, Security,…

READ MORE

BCBST Pays $1.5 Million to HHS to Settle Potential HIPAA Privacy and Security Violations

On March 13, 2012, Blue Cross Blue Shield of Tennessee (BCBST) agreed to a payment of $1.5 million to the Department of Health and Human Services (HHS) and to a corrective action plan as part of a Resolution Agreement with HHS for potential violation of Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rule violations.  According to a HHS Press Release of the same date, “the enforcement action [by HHS’ Office for Civil Rights (OCR)] is the first resulting from a breach report required by the Health Information Technology for Economic and Clinical Health (HITECH) Act Breach Notification Rule.” According to the HHS Press Release: “The investigation followed…

READ MORE

CMS Publishes Stage 2 Meaningful Use Incentive Program NPRM

On March 7, 2012, the Centers for Medicare & Medicaid Services (CMS) published in the Federal Register its 132-page notice of proposed rule making (NPRM):  Medicare and Medicaid Programs; Electronic Health Record Incentive Program–Stage 2.  Comments to the Department of Health and Human Services (HHS) may be made until 5 PM on May 7, 2012. The summary of the NPRM is included here: “This proposed rule would specify the Stage 2 criteria that eligible professionals (EPs), eligible hospitals, and critical access hospitals (CAHs) must meet in order to qualify for Medicare and/or Medicaid electronic health record (EHR) incentive payments.  In addition, it would specify payment adjustments under Medicare for covered…

READ MORE