January 28, 2013. Today, we want to explore the modified definition of breach in the Final HIPAA/HITECH Act Privacy, Security, Breach Notification, and Enforcement Rule published in the Federal Register on Friday, January 25, 2013. Here is the modified definition [45 CFR 164.402, Definitions, effective March 26, 2013; 78 Federal Register 5695]: Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E [HIPAA Privacy Rule] of this part [Part 164] which compromises the security or privacy of the protected health information. (1) Breach excludes: (i) Any unintentional acquisition, access, or use of protected health information by a workforce member or…
Category: Health IT and HITECH
Final HIPAA/HITECH Act Privacy, Security, Enforcement, Breach Notification Rules Published in Federal Register January 25, 2013.
January 25, 2013. The Final Rule is published, at last! Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule cleared the Office of Management and Budget on January 16, was issued online on the Federal Register’s Electronic Public Inspection Desk in pre-publication format on January 17, and published in the Federal Register today. The Final Rule is 136 pages (pp.5566-5702). The effective date of the Final Rule is Tuesday, March 26, 2013, and the compliance date is Monday, September 23, 2013. Here is the…
OCR of HHS FINALLY Issues HIPAA/HITECH Act Privacy, Security, Enforcement, and Breach Notification Modifications Final Rule
January 18, 2013. On January 16, 2013, the Office of Management and Budget (OMB) completed its EO 12866 regulatory review of RIN: 0945-AA03, and the long-awaited release of the Department of Health and Human Services’ Office for Civil Rights (OCR) so-called “Omnibus” Final Rule was published at 4:15 PM on January 17, 2013, in pre-publication final draft form on the Federal Register’s Electronic Public Inspection Desk. Publication in the Federal Register is scheduled for Friday, January 25, 2013. The title of the Final Rule is: 45 CFR Parts 160 and 164: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and…
ONC Touts its 10 Step Plan for Meeting Meaningful Use Privacy and Security Attestation Requirements
In a recent Tweet, the Office of the National Coordinator for Health Information Technology (ONC) stated: “Move into the 21st Century and check out the Privacy & Security 10-Step Plan before you implement an Electronic Health Record.” ONC makes the following recommendation to an Eligible Professional (EP) covered entity participating in the Medicare and Medicaid Financial Incentive Program for Adoption and Meaningful Use of Certified Electronic Health Record (EHR) Technology: “An EP must meaningfully use certified EHR technology for an EHR reporting period, and then attest to CMS [the Centers for Medicare & Medicaid Services] that he or she has met meaningful use for that period. Start your 10-step process at…
CMS and ONC Publish Final Rules for Meaningful Use Stage 2 Security in Federal Register
September 4, 2012. The Department of Health and Human Services (HHS) entities: Centers for Medicare & Medicaid Services (CMS) and Office of the National Coordinator for Health Information Technology (ONC), published their Final Rules for Meaningful Use Stage 2 in today’s Federal Register. This posting focuses on the preamble relating to the following Stage 2 security objective in the CMS Final Rule entitled Medicare and Medicaid Programs; Electronic Health Record Incentive Program: “Protect electronic health information created or maintained by the Certified EHR Technology [CEHRT] through the implementation of appropriate technical capabilities.” Reference numbers in brackets refer to the page number(s) in the September 4, 2012, Federal Register. Associated with this objective…
OCR Publishes HIPAA/HITECH Act Privacy and Security Compliance Audit Protocol
July 9, 2012. Late in June, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) published its HIPAA/HITECH Act Privacy and Security Compliance Audit Protocol. Here is OCR’s description of the program, which outlines 77 audit procedures for the HIPAA Security Rule and 88 audit procedures for the HIPAA Privacy and HITECH Act Breach Notification Rules: “The OCR HIPAA Audit program analyzes processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate. OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits. The entire audit protocol is organized around modules, representing separate…
OCR’s Publicly Disclosed Large Breaches Now Top 20 Million Impacted Individuals
May 16, 2012. The Department of Health and Human Services’ (HHS) HIPAA/HITECH Act privacy and security enforcement arm, Office for Civil Rights (OCR), is responsible under the HITECH Act to publicly disclose privacy and security breaches that affect 500 or more individuals on its Breach Notification Web site. With the now reported Utah Department of Health hacking/IT incident breach occurring in the period March 10-April 2, 2012 and affecting a reported 780,000 individuals, the total number in 435 breaches reported since September 22, 2009, now totals 20,079,189 impacted individuals. Of the total number of breaches where location of breached information is known (e.g., electronic or hard copy source), 72% of…
ONC Issues Meaningful Use Guide for Privacy & Security Attestation Compliance
May 9, 2012. The Office of the National Coordinator for Health Information Technology (ONC) has issued a Guide to Privacy and Security of Health Information (Version 1.1 022312). This Guide is targeted to medical practitioners who participate in the Medicare and Medicaid Program for Adoption and Meaningful Use of Certified Electronic Health Record Technology. Chapters are: 1. What Is Privacy & Security and Why Does It Matter? 2. Privacy & Security and Meaningful Use. 3. Privacy & Security Step Plan for Meaningful Use. 4. Integrating Privacy and Security into Your Practice. 5. Privacy and Security Resources. The Guide highlights two of the Stage 1 Meaningful Use Objectives and Corresponding Measures…
Finally, HIPAA/HITECH Act Privacy, Security, Breach Notification, Enforcement Final Rules at OMB
March 24, 2012. Today, the Office of Information and Regulatory Affairs at the Office of Management and Budget (OMB) in the Executive Office of the President showed that it had received the much-delayed Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Final Rules entitled: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules (RIN: 0945-AA03). Following review by OMB, the rules will be published in the Federal Register, most likely in April if OMB’s review is timely. The Abstract of the Rules reads: “The Department of Health and Human Services Office for Civil Rights will issue final rules to modify the HIPAA Privacy, Security,…
BCBST Pays $1.5 Million to HHS to Settle Potential HIPAA Privacy and Security Violations
On March 13, 2012, Blue Cross Blue Shield of Tennessee (BCBST) agreed to a payment of $1.5 million to the Department of Health and Human Services (HHS) and to a corrective action plan as part of a Resolution Agreement with HHS for potential violation of Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rule violations. According to a HHS Press Release of the same date, “the enforcement action [by HHS’ Office for Civil Rights (OCR)] is the first resulting from a breach report required by the Health Information Technology for Economic and Clinical Health (HITECH) Act Breach Notification Rule.” According to the HHS Press Release: “The investigation followed…