HIPAA Final Rule: Business Associate Notification Timing, Policy and Procedure Updates, Retraining, and Documentation

February 1, 2013.  Today, we wrap up discussion of breach notification in the Final Rule: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules.  The Final Rule is effective on March 26, 2013, and requires compliance by covered entities and business associates on September 23, 2013.  The focus is on timing of reporting a breach by a business associate to a covered entity, and, because the definition of breach was modified in the Final Rule, on the requirements to update policies and procedures,…

READ MORE

HIPAA Final Rule: More on Breach Notification Rule Changes

January 31, 2013.  Today, we briefly identify key changes or reminders regarding breach notification in the preamble of the Final Rule: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, published in the Federal Register on January 25, 2013.  The Final Rule becomes effective March 26, 2013 and requires compliance by covered entities and business associates on September 23, 2013.  Earlier this week, we have examined the changed definition of breach, the substitution of the “probability standard” for the current “harm standard” underpinning…

READ MORE

Final Rule: Modified Definition of Breach

January 28, 2013.  Today, we want to explore the modified definition of breach in the Final HIPAA/HITECH Act Privacy, Security, Breach Notification, and Enforcement Rule published in the Federal Register on Friday, January 25, 2013. Here is the modified definition [45 CFR 164.402, Definitions, effective March 26, 2013; 78 Federal Register 5695]: Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E [HIPAA Privacy Rule] of this part [Part 164] which compromises the security or privacy of the protected health information. (1) Breach excludes: (i) Any unintentional acquisition, access, or use of protected health information by a workforce member or…

READ MORE

OCR Announces November 2011 Start of Privacy and Security Compliance Audits

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for privacy and security enforcement under Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act provisions. OCR has announced that it is initiating compliance audits beginning this month, as authorized by the HITECH Act.  This action precedes the imminent release of the Final HIPAA/HITECH Act Privacy, Security, Breach Notification, and Enforcement Rules, expected before the end of 2011, and will strengthen enforcement and accountability for compliance with existing and forthcoming Rule modifications.   To avoid the consequences of potential penalties for non-compliance, covered entities and business…

READ MORE

HITECH Act Breached Individuals Skyrocket in Latest OCR Web Site Posting

Under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009, covered entities are required to report to the Secretary of the U.S. Department of Health and Human Services (HHS) any privacy or security breach affecting 500 or more individuals within 60 days of discovery of the breach by the covered entity or its business associate.  The HHS Office for Civil Rights (OCR), which is responsible for privacy and security enforcement under the Health Insurance Portability and Accountability Act (HIPAA) and HITECH Act provisions that strengthened privacy and security enforcement, is required to post those breaches…

READ MORE

HITECH Act Privacy and Security Final Rules Needed Now

Since September 23, 2009, the enforcement arm of the Department of Health and Human Services (HHS), the Office for Civil Rights (OCR), has been required to publicly disclose breaches involving 500 or more individuals discovered and reported by covered entities and their business associates. As of October 25, 2011, OCR has reported 345 such breaches involving a total of 11,959,488 individuals.  Not reflected yet in the OCR disclosed breaches are two involving 6.5 million individuals:  a Nemours breach of 1.6 million individuals and a TRICARE breach involving 4.9 million individuals.  Together, these two recently reported breaches represent 54.4% of the total number of individuals affected by the publicly disclosed breaches…

READ MORE

Get Ready Now for Toughened HIPAA/HITECH Act Privacy and Security Rules and Enforcement, and Big Noncompliance Fines

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted on August 21, 1996, as Public Law 104-191.   HIPAA Administrative Simplification provisions in Subtitle F, Title II included transactions and code sets, privacy, security, and unique identifiers.  Except for several identifiers, the federal government promulgated enabling regulations under the Administrative Procedure Act.  For example, the Privacy Rule required compliance by healthcare providers, healthcare clearinghouses, and health plans—Covered Entities—by April 14, 2003, and the Security Rule required compliance by April 20, 2005, with small health plans for each rule having an additional year in which to comply. On February 17, 2009, the Health Information Technology for Economic and…

READ MORE

Evaluation-What This HIPAA Security Rule Administrative Safeguard Standard Means

This is the eighth Administrative Safeguard Standard of the HIPAA Administrative Simplification Security Rule. Its implementation specification is embodied in the language of the standard itself, and it is required of covered entities.  Further, as HIPAA.com has noted earlier, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010, as provided for in the HITECH Act provisions of the American Recovery and Reinvestment Act, signed by President Obama on February 17, 2009. What is Required Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of…

READ MORE