On July 1, 2010, the Office of Management and Budget (OMB) completed review of the Notice of Proposed Rulemaking (NPRM) entitled: Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act](RIN: 0991-AB57). The NPRM was received at OMB for review on April 12, 2010. It likely will be published in the Federal Register imminently. Legal authority for the NPRM is in Sections 13400 to 13410 of Subtitle D (Privacy) of the HITECH Act, which was enacted as part of the American Recovery and Reinvestment Act of 2009 (Public Law 111-5), enacted on February 17, 2009. Those sections cover:…
Category: Security
OCR Reports 107 Breaches Affecting Over 4 Million Individuals (I)
As of the July 4th holiday weekend, the Office for Civil Rights (OCR) has updated again its Web site listing of breaches affecting 500 or more individuals. As of July 2, 2010, there were 107 breaches listed that were reported to have occurred between September 22, 2009 and June 11, 2010. Individuals affected by these publicly listed breaches totaled 4,086,980. Six of the 107 breaches, or 5.6% of the total, affected 3,353,627 individuals, or 82% of the total. This is the first of three postings that analyzes the data from these 107 breaches. This posting (I) covers electronic breaches, the next posting (II) covers hard copy (paper) breaches, and the…
Reported Breaches of 500 or More Individuals up to 93 and Affecting Over 2.5 Million Individuals; Enforcement and Penalties
As of Friday, June 4, 2010, 93 breaches affecting 500 or more individuals have been reported on the Office for Civil Rights (OCR) Web site. The total number affected has gone beyond 2-1/2 million individuals today, and stands at 2,565,352 individuals. Of the 87 breaches involving breach of hard copy or electronic protected health information, 26% involve hard copy or paper records and 74% records on electronic media or devices. Overall, 71% of the 93 breaches involve theft or loss of records, many of which might have been avoided by appropriate securing of hard copy records and electronic media and devices. Below we remind readers of the Department of Health…
OCR Stepping Up HIPAA Security Enforcement
Health Data Management (HDM) reported today, May 12, that the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) is going to strengthen HIPAA Security Rule enforcement, based on statements made on Tuesday, May 11 by the OCR Deputy Director for Privacy, Susan McAndrew, at the Safeguarding Health Information conference in Washington, DC, co-sponsored by OCR and the National Institute of Standards and Technology (NIST). “To boost enforcement of the security rule, OCR has added investigators in 10 regional offices, McAndrew notes,” as reported by Joe Goedert in the HDM article, “OCR Boosting Security Enforcement,” which is available online. This report comes several days after…
OCR Issues Draft Guidance on Security Risk Analysis
The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) issued on May 7, 2010, Security Rule Draft Guidance on Risk Analysis. This is the first in a “series of guidance documents [that] will assist organizations in identifying and implementing the most effective and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic protected health information. The materials will be updated annually, as appropriate.” This eight-page document is available online. The Draft Guidance on Risk makes the following key points: “The Security Rule does not prescribe a specific risk analysis methodology, recognizing that methods will vary dependent on the…
Prison Time for Privacy Breach of PHI; OCR Breach List Continues to Grow; More Training Needed
Health Data Management reported in its April 29, 2010, online HDM Daily that “[a] former researcher at the UCLA School of Medicine has been sentenced to four months in federal prison for violations of the HIPAA privacy rule.” You may access and read the article by Joseph Goedert, “Prison for HIPAA Privacy Violater“. On the same day, April 29, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) reported on its Web site 67 entities reporting “Breaches Affecting 500 or More Individuals” over the period September 22, 2009 to March 19, 2010. That is up from the 36 that OCR listed on its initial…
OCR Identifies 36 Entities with Breaches Affecting 500 or More Individuals
On Monday, February 22, 2010, the federal government, through the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS), began enforcing the Breach Notification Rule for breaches occurring on or after that date. The Breach Notification for Unsecured Protected Health Information; Interim Final Rule, was published in the Federal Register on Monday, August 24, 2009 [74 FR 42739-42770] and was effective September 23, 2009. Since September 22, 2009, 36 breaches of privacy or security of protected health information (PHI) affecting 500 or more individuals have been reported to OCR. The total number of individuals affected was 1,073,657, with two of the breaches involving 359,000 (FL)…
Today, February 17, Business Associates Must be in Compliance with HIPAA Security Rule
Today, Wednesday, February 17, 2010, Business Associates of Covered Entities must be able to demonstrate that they are in compliance with administrative, physical, and technical safeguards of the HIPAA Security Rule, as required by the HITECH Act, enacted one year ago today as part of the American Recovery and Reinvestment Act of 2009. In addition, Business Associate Agreements must be rewritten or amended to specifically require a Business Associate’s compliance with the Security Rule as part of its “satisfactory assurances.” Financial penalties for noncompliance discovered during a compliance audit or complaint investigation could be severe, especially for willful neglect. Here are the appropriate authorities: Section 13401 of Part 1 (Improved…
Clock Running Down on Business Associate Compliance with HIPAA Security Rule Required by HITECH Act
Less than one month to go: Business Associates must comply with the HIPAA Security Rule no later than Wednesday, February 17, 2010. Here are relevant provisions from the American Recovery and Reinvestment Act, Public Law 111-5, which included HITECH Act Subtitle D: Privacy. 42 USC 17931 (PART 1–IMPROVED PRIVACY PROVISIONS AND SECURITY PROVISIONS, Section 13401: Application of Security Provisions and Penalties to Business Associates of Covered Entities; Annual Guidance on Security Provisions). (a) APPLICATION OF SECURITY PROVISIONS.–Sections 164.308 (Administrative Safeguards), 164.310 (Physical Safeguards), 164.312 (Technical Safeguards), and 164.316 (Policies and Procedures and Documentation Requirements) of title 45, Code of Federal Regulations, shall apply to a business associate of a covered…
HITECH and HIPAA Training: Time to Double Down
As the healthcare industry continues to digest profound HITECH changes to HIPAA Privacy and Security rules, two observations already are apparent and indisputable for covered entities and their business associates. First, time and resources spent on a workforce that is well-trained on the Privacy and Security rules will be an investment of exponential value. Second, enforcement of those same rules will make negligent and uncorrected errors very costly. A well-trained workforce makes fewer mistakes, and identifies and fixes those that it makes. A workforce that violates the rules because it does not know them or does not care to know them makes an inviting target for HITECH’s new enforcement initiatives….