Health Data Management (HDM) reported today, May 12, that the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) is going to strengthen HIPAA Security Rule enforcement, based on statements made on Tuesday, May 11 by the OCR Deputy Director for Privacy, Susan McAndrew, at the Safeguarding Health Information conference in Washington, DC, co-sponsored by OCR and the National Institute of Standards and Technology (NIST). “To boost enforcement of the security rule, OCR has added investigators in 10 regional offices, McAndrew notes,” as reported by Joe Goedert in the HDM article, “OCR Boosting Security Enforcement,” which is available online. This report comes several days after…
Categories: American Recovery and Reinvestment Act, Enforcement, Health IT and HITECH, Privacy, Security

OCR Issues Draft Guidance on Security Risk Analysis
The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) issued on May 7, 2010, Security Rule Draft Guidance on Risk Analysis. This is the first in a “series of guidance documents [that] will assist organizations in identifying and implementing the most effective and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic protected health information. The materials will be updated annually, as appropriate.” This eight-page document is available online. The Draft Guidance on Risk Analysis makes the following key points: “The Security Rule does not prescribe a specific risk analysis methodology, recognizing that methods will vary dependent on the…
Categories: Security

Prison Time for Privacy Breach of PHI; OCR Breach List Continues to Grow; More Training Needed
Health Data Management reported in its April 29, 2010, online HDM Daily that “[a] former researcher at the UCLA School of Medicine has been sentenced to four months in federal prison for violations of the HIPAA privacy rule.” You may access and read the article by Joseph Goedert, “Prison for HIPAA Privacy Violater.” On the same day, April 29, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) reported on its Web site 67 entities reporting “Breaches Affecting 500 or More Individuals” over the period September 22, 2009, to March 19, 2010. That is up from the 36 that OCR listed on its initial…
Categories: American Recovery and Reinvestment Act, Enforcement, Health IT and HITECH, Privacy, Security

HHS’ ONC Releases Proposed Rule for Temporary and Permanent HIT Certification Programs
On Wednesday, March 10, 2010, the Office of the National Coordinator for Health Information Technology (ONC) of the Department of Health and Human Services (HHS) published in the Federal Register the Notice of Proposed Rulemaking (NPRM) for the Proposed Establishment of Certification Programs for Health Information Technology. [75 Federal Register 11327-11373] We present the summary of the NPRM. “SUMMARY. Under the authority granted to the National Coordinator for Health Information Technology (the National Coordinator) by section 3001(c)(5) of the Public Health Service Act (PHSA) as added by the Health Information Technology for Economic and Clinical Health (HITECH) Act, this rule proposes the establishment of two certification programs for purposes of testing and certifying…
Categories: American Recovery and Reinvestment Act, Health IT and HITECH, Meaningful Use

OCR Identifies 36 Entities with Breaches Affecting 500 or More Individuals
On Monday, February 22, 2010, the federal government, through the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS), began enforcing the Breach Notification Rule for breaches occurring on or after that date. The Breach Notification for Unsecured Protected Health Information; Interim Final Rule was published in the Federal Register on Monday, August 24, 2009 [74 FR 42739-42770], and was effective September 23, 2009. Since September 22, 2009, 36 breaches of the privacy or security of protected health information (PHI) affecting 500 or more individuals have been reported to OCR. The total number of individuals affected was 1,073,657, with two of the breaches involving 359,000 (FL)…
Categories: Health IT and HITECH, Privacy, Security

Today, February 17, Business Associates Must be in Compliance with HIPAA Security Rule
Today, Wednesday, February 17, 2010, Business Associates of Covered Entities must be able to demonstrate that they are in compliance with the administrative, physical, and technical safeguards of the HIPAA Security Rule, as required by the HITECH Act, enacted one year ago today as part of the American Recovery and Reinvestment Act of 2009. In addition, Business Associate Agreements must be rewritten or amended to specifically require a Business Associate’s compliance with the Security Rule as part of its “satisfactory assurances.” Financial penalties for noncompliance discovered during a compliance audit or complaint investigation could be severe, especially for willful neglect. Here are the appropriate authorities: Section 13401 of Part 1 (Improved…
Categories: American Recovery and Reinvestment Act, Health IT and HITECH, HIPAA Law, Security

New HIPAA/HITECH Act Rules Require Compliance in February
Three new HIPAA/HITECH Act rules go into effect this month. Two weeks from today, on Wednesday, February 17, 2010, Business Associates of Covered Entities must comply with the HIPAA Security Rule. For the first time, Business Associates will be regulated directly by the federal government. Section 13401 of Subtitle D (Privacy) of the HITECH Act (42 USC 17931) states that “[t]he additional requirements of this title that related to security and that are made applicable with respect to Covered Entities shall also be applicable to such a Business Associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.” [Public Law 111-5, p. 260] In…
Categories: Health IT and HITECH

Clock Running Down on Business Associate Compliance with HIPAA Security Rule Required by HITECH Act
Less than one month to go: Business Associates must comply with the HIPAA Security Rule no later than Wednesday, February 17, 2010. Here are the relevant provisions from the American Recovery and Reinvestment Act, Public Law 111-5, which included HITECH Act Subtitle D: Privacy. 42 USC 17931 (PART 1–IMPROVED PRIVACY PROVISIONS AND SECURITY PROVISIONS, Section 13401: Application of Security Provisions and Penalties to Business Associates of Covered Entities; Annual Guidance on Security Provisions). (a) APPLICATION OF SECURITY PROVISIONS.–Sections 164.308 (Administrative Safeguards), 164.310 (Physical Safeguards), 164.312 (Technical Safeguards), and 164.316 (Policies and Procedures and Documentation Requirements) of title 45, Code of Federal Regulations, shall apply to a business associate of a covered…
Categories: American Recovery and Reinvestment Act, Health IT and HITECH, Privacy, Security

HHS Publishes Proposed Rule for Electronic Health Record Incentive Program
HHS published today in the Federal Register: “Medicare and Medicaid Programs–Electronic Health Record Incentive Program; Proposed Rule.” [75 FR 1844-2011] Comments on this Notice of Proposed Rulemaking (NPRM) may be submitted to HHS no later than March 15, 2010. Here is the Summary from the NPRM: “This proposed rule would implement the provisions of the American Recovery and Reinvestment Act of 2009 (ARRA) (Public Law 111-5) that provide incentive payments to eligible professionals (EPs) and eligible hospitals participating in Medicare and Medicaid programs that adopt and meaningfully use certified electronic health record (EHR) technology. The proposed rule would specify the initial criteria an EP and eligible hospital must meet in order…
Categories: American Recovery and Reinvestment Act, Health IT and HITECH, Meaningful Use

HHS Publishes EHR Standards, Implementation Specifications and Certification Criteria IFR
HHS published today in the Federal Register: “Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology.” [75 FR 2013-2047] This Interim Final Rule (IFR) is effective February 2, 2010. Comments on the IFR may be submitted to HHS no later than March 15, 2010. Here is the Summary from the IFR: “The Department of Health and Human Services (HHS) is issuing this interim final rule with a request for comments to adopt an initial set of standards, implementation specifications, and certification criteria, as required by section 3004(b)(1) of the Public Health Service Act. This interim final rule represents the first step in…
Categories: American Recovery and Reinvestment Act, Health IT and HITECH, Meaningful Use
