From now through November, HIPAA.com is providing a run through of HIPAA transaction & code set, privacy, and security definitions, along with relevant HITECH Act definitions pertaining to breach notification and securing of protected health information. These definitions are key to understanding the referenced HIPAA and HITECH Act enabling regulations that are effective now and that will require compliance by covered entities and business associates now or in the months ahead, as indicated in HIPAA.com’s timeline. Each posting will contain three definitions, with a date reference to the Federal Register and citation to the Code of Federal Regulations (CFR). We begin the first series of postings with definitions from “Health…
Author: Ed Jones
Is Certification a Surrogate for HIPAA Privacy and Security Training?
Several visitors to HIPAA.com have asked if ‘certification’ can substitute for compliance with the HIPAA Privacy and Security training standards and new Privacy requirements under the HITECH Act. Generally, certification is a snapshot in a moment of time. The Merrim-Webster’s Collegiate Dictionary (11th ed.) defines certification as the act or state of “attest[ing] as being true or as represented or as meeting a standard.” Certification generally is done by an external source. Training is an ongoing internal process for safeguarding protected health information from unauthorized use or disclosure as business policies and procedures evolve and regulatory standards are initiated or modified. Further, training requires that workforce members, including management, demonstrate…
Three Key Properties of HIPAA Privacy and Security of Protected Health Information
HIPAA.com has received from its readers requests for information on topics related to HIPAA Administrative Simplification Privacy and Security Rules and to updates to those rules reflected in the HITECH Act provisions of the American Recovery and Reinvestment Act of 2009, signed by President Obama on February 17, 2009. Recently, HIPAA.com answered the question of particular interest to several readers: what exactly is protected health information (PHI)? In this posting, we answer the question: what are the fundamental properties that underlie privacy and security of protected health information? Three Key Properties The three key properties that underpin privacy and security under the Health Insurance Portability and Accountability Act (HIPAA) are availability,…
HIPAA ‘Protected Health Information’: What Does PHI Include?
HIPAA.com has received from its readers requests for information on topics related to HIPAA Administrative Simplification Privacy and Security Rules and to updates to those rules reflected in the HITECH Act provisions of the American Recovery and Reinvestment Act of 2009, signed by President Obama on February 17, 2009. Of particular interest to readers is: what exactly is protected health information (PHI)? Protected Health Information To get to protected health information, you have to examine two definitions that were in Section 1171 of Part C of Subtitle F of Public Law 104-191 (August 21, 1996): Health Insurance Portability and Accountability Act of 1996: Administrative Simplification. These statutory definitions are of…
CMS Issues New and Updated HIPAA and HITECH Act FAQs: EHR Incentive Payment Start Dates
The Centers for Medicare and Medicaid Services (CMS) periodically issues new and updated Frequently Asked Questions (FAQs). HIPAA.com will periodically reproduce new and updated Questions and Answers pertaining to HIPAA Administrative Simplification standards and implementation specifications and to HITECH Act provisions that will be of interest to its readers. This FAQ [ID#9807] was created on June 22, 2009, and updated by CMS on August 18, 2009. Question: When will CMS begin to pay incentives to eligible professionals and hospitals for using certified Electronic Health Records (EHRs)? Answer: By statute [American Recovery and Reinvestment Act of 2009], the earliest dates that CMS will be able to pay an incentive under Medicare…
CMS Issues New and Updated HIPAA and HITECH Act FAQs: EHR Incentives
The Centers for Medicare and Medicaid Services (CMS) periodically issues new and updated Frequently Asked Questions (FAQs). HIPAA.com will periodically reproduce new and updated Questions and Answers pertaining to HIPAA Administrative Simplification standards and implementation specifications and to HITECH Act provisions that will be of interest to its readers. The FAQ [ID#9844] that follows is new, published by CMS on August 13, 2009. Question: Are physicians who practice in hospital-based ambulatory clinics eligible to receive the Recovery Act’s Medicare or Medicaid electronic health record (EHR) incentive payments. Answer: Hospital-based eligible professionals are ineligible for the EHR incentive payments under both Medicare and Medicaid. Our [Department of Health and Human Services] forthcoming NPRM…
HHS Issues Interim Final Rule for HITECH ‘Breach Notification’
U.S. Department of Health and Human Services Secretary, Kathleen Sebelius, has issued the Interim Final Rule for Breach Notification for Unsecured Protected Health Information. The Interim Final Rule was signed by Secretary Sebelius on August 6, 2009, filed at the Federal Register on Wednesday, August 19, 2009, and will be published on Monday, August 24, 2009, in the Federal Register. The effective date of the Interim Final Rule will be 30 days after publication, and will cover both covered entities and business associates of covered entities. Here is the Summary of the Interim Final Rule: “The Department of Health and Human Services (HHS) is issuing this interim final rule with…
HHS Secretary Delegates to ONC Head New HITECH Act Authority
Effective August 7, 2009, and published in the Federal Register on Tuesday, August 18, 2009, Secretary Kathleen Sebelius of the U.S. Department of Health and Human Services (HHS) has delegated authority to the National Coordinator for Health Information Technology, David Blumenthal, M.D., to administer “Subtitle B, ‘Incentives for the Use of health Information Technology,’ sections 3011 through 3017, with the exception of 3012(c)(5), the Financial Support subsection.” These sections and titles, which appear on pages 132-144 of the American Recovery and Reinvestment Act of 2009 (ARRA), signed by President Obama on February 17, 2009, available on the hipaa.com site, include: 3011 Immediate Funding to Strengthen the Health Information Technology Infrastructure,…
HHS Secretary Sebelius Delegates Oversight and Enforcement of HIPAA Security Rule to OCR
U.S. Health and Human Services (HHS) Secretary Kathleen Sebelius has delegated oversight and enforcement of the HIPAA Administrative Simplification Security Rule Standards for Protection of Electronic Protected Health Information to HHS’s Office of Civil Rights (OCR), effective July 27, 2009. Since October 7, 2003, the Security Rule had been the responsibility of HHS’s Center for Medicare & Medicaid Services (CMS). OCR also has responsibility for the HIPAA Administrative Simplification Privacy Rule. This delegation brings responsibility for administrative, technical, and physical standards for safeguarding of protected health information in each rule under one authority, and likely will facilitate enforcement of the HITECH Act breach, notification, and business associate security rule compliance…
FTC Delays “Red Flags” Rule for Third Time
The Federal Trade Commission announced a third delay, from August 1, 2009, to November 1, 2009, for compliance with the identity theft prevention red flags rule. The delay is for another three months. Compliance originally was scheduled for November 1, 2008, then delayed the first time until May 1, 2009. Entities affected are creditors and financial institutions. Healthcare providers that extend delayed payment plans to patients are deemed “creditors” under the red flags rule. This delay was to give affected entities more time to develop and implement written identity theft prevention policies and procedures for compliance with the rule, which is based on enabling regulations of provisions in the Fair and Accurate…