The Centers for Medicare & Medicaid Services (CMS) of the Department of Health and Human Services (HHS) has sent to the Office of Management and Budget (OMB) its Interim Final Rule (IFR) for “adoption of standards and operating rules for Electronic Funds Transfers (EFT) and operating rules for remittance advice….” Following the December 15 receipt and subsequent review of the IFR by OMB, the IFR is expected to be published in the Federal Register before January 1, 2012, as required by the Affordable Care Act of 2010 (Public Law 111-148). [124 STAT. 153] The legal authority for the IFR is Section 1104 (Administrative Simplification) of the Affordable Care Act. Section 1104…
Category: HIPAA Law
CMS Initiates 90-Day Enforcement Discretion for 5010 Compliance
January 1, 2012, is the date for covered entities to achieve compliance with ASC X12 Version 5010, NCPDP Telecom D.0, and NCPDP Medicaid Subrogation 3.0 transaction standards. Covered entities include healthcare providers, health plans, and healthcare clearinghouses. Small health plans have until January 1, 2013, to comply with the NCPDP Medicaid Subrogation 3.0 standard. The Center for Medicare & Medicaid Services (CMS) Office of E-Health Standards and Services (OESS) is responsible for enforcement of compliance with electronic transaction standards. CMS announced on November 17, 2011, that “[w]hile enforcement action will not be taken [from January 1-March 31, 2012], OESS will continue to accept complaints associated with compliance with Version 5010,…
OCR Announces November 2011 Start of Privacy and Security Compliance Audits
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for privacy and security enforcement under Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act provisions. OCR has announced that it is initiating compliance audits beginning this month, as authorized by the HITECH Act. This action precedes the imminent release of the Final HIPAA/HITECH Act Privacy, Security, Breach Notification, and Enforcement Rules, expected before the end of 2011, and will strengthen enforcement and accountability for compliance with existing and forthcoming Rule modifications. To avoid the consequences of potential penalties for non-compliance, covered entities and business…
HITECH Act Privacy and Security Final Rules Needed Now
Since September 23, 2009, the enforcement arm of the Department of Health and Human Services (HHS), the Office for Civil Rights (OCR), has been required to publicly disclose breaches involving 500 or more individuals discovered and reported by covered entities and their business associates. As of October 25, 2011, OCR has reported 345 such breaches involving a total of 11,959,488 individuals. Not reflected yet in the OCR disclosed breaches are two involving 6.5 million individuals: a Nemours breach of 1.6 million individuals and a TRICARE breach involving 4.9 million individuals. Together, these two recently reported breaches represent 54.4% of the total number of individuals affected by the publicly disclosed breaches…
HHS Publishes HITECH Act Accounting of Disclosures NPRM
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has published in the May 31, 2011, Federal Register the Notice of Proposed Rule Making (NPRM) entitled HIPAA Privacy Rule Accounting of Disclosures Under the Health Information Technology for Economic and Clinical Health Act (76(104), pp. 31426-31449). This NPRM is available online in pdf. Comments on the NPRM are requested to be submitted on or before August 1, 2011. The Summary of the NPRM with abbreviations, as noted, on p. 31426, is: “HHS is issuing this NPRM to modify the HIPAA Privacy Rule’s standard for accounting of disclosures of protected health information. The purpose of these modifications…
OMB Clears HITECH Act Accounting of Disclosures NPRM
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR), responsible for enforcement of the HIPAA Privacy, Security, and Breach Notification Rules, will issue a Notice of Proposed Rule Making (NPRM) to modify the HIPAA Privacy Rule as necessary to implement the accounting of disclosures provisions of Section 13405(c) of the Health Information Technology for Economic and Clinical Health Act (HITECH Act) (Title XIII of the American Recovery and Reinvestment Act of 2009–Public Law 111-5). Section 13405(c) is entitled: Accounting of Certain Protected Health Information Disclosures Required if Covered Entity Uses Electronic Health Record. The NPRM was submitted on February 9, 2011, by HHS to the Office…
Over 10 Million Individuals Now Affected by Large Data Breaches, as Reported on OCR Web site
Under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009, covered entities are required to report to the Secretary of the U.S. Department of Health and Human Services (HHS) any privacy or security breach affecting 500 or more individuals within 60 days of discovery of the breach by the covered entity or its business associate. The HHS Office for Civil Rights (OCR), which is responsible for privacy and security enforcement under the Health Insurance Portability and Accountability Act (HIPAA) and HITECH Act provisions that strengthened privacy and security enforcement, is required to post those breaches on…
Nearly 8.3 Million Individuals Impacted by 249 Privacy and Security Breaches Reported by HHS; More Training on Safeguarding PHI Required
Under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009, covered entities are required to report to the Secretary of the U.S. Department of Health and Human Services (HHS) any privacy or security breach affecting 500 or more individuals within 60 days of discovery of the breach by the covered entity or its business associate. The HHS Office for Civil Rights (OCR), which is responsible for privacy and security enforcement under the Health Insurance Portability and Accountability Act (HIPAA) and HITECH Act provisions that strengthened privacy and security enforcement, is required to post those breaches…
HHS Pulls Breach Notification Final Rule
The HIPAA Administrative Simplification; Notification in the Case of Breach Final Rule (Regulation Identifier Number (RIN) 0991-AB56) has been at the Office of Management and Budget (OMB) since May 14, 2010, for Executive Order (EO) 12866 review and approval prior to publication in the Federal Register. On July 28, 2010, HHS “withdrew” this Final Rule, with the following explanation: “The Interim Final Rule for Breach Notification for Unsecured Protected Health Information, issued pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, was published in the Federal Register on August 24, 2009, and became effective on September 23, 2009. During the 60-day public comment period on the…
OCR Reports 107 Breaches Affecting Over 4 Million Individuals (II)
The Office for Civil Rights (OCR) regularly updates its Web site listing of breaches affecting 500 or more individuals. As of July 2, 2010, there were 107 breaches listed that were reported to have occurred between September 22, 2009 and June 11, 2010. Individuals affected by these publicly listed breaches totaled 4,086,980. Six of the 107 breaches, or 5.6% of the total, affected 3,353,627 individuals, or 82% of the total. This is the second of three postings that analyzes the data from these 107 breaches. This posting (II) covers paper breaches. The first posting (I) covered electronic breaches, and the final posting (III) looks at the prevalence of business associate…