HIPAA.com

CMS Issues Final Administrative Simplification Final Rules Regarding Identifiers and ICD-10 Code Set Compliance Delay

August 24, 2012. Today, the Office of Management and Budget (OMB) completed review and sent to the Federal Register for publication on September 5, 2012, the Centers for Medicare & Medicaid Services (CMS) Final Rule: Administrative Simplification: Adoption of a Standard for a Unique Health Plan Identifier; Addition to the National Provider Identifier Requirements; and a Change to the Compliance Date for the International Classification of Diseases, 10th Edition (ICD-10-CM and ICD-10-PCS) Medical Data Code Sets. The effective date of the Rule is November 5, 2012. Prior to publication, the Final Rule may be examined at or downloaded from the Office of the Federal Register’s Electronic Public Inspection Desk. Here…

Ed Jones5010, American Recovery and Reinvestment Act, Health Care Reform, HIPAA Law, Identifiers, Transactions & Code SetsAdministrative Simplification, Centers for Medicare & Medicaid Services, claims payments, clearinghouse, CMS, covered entity, Electronic Public Inspection Desk, Federal Register, Final rule, health plan, HIPAA, HPID, ICD-10, ICD-10-CM, ICD-10-PCS, identification errors, Identifiers, implementation specification, medical data code sets, Medicare Part D, National Provider Identifier, NPI, OEID, Office of Management and Budget, OMB, other entity identifier, patient eligibility, remittance advice, Secretary of HHS, small health plan, standard, standard transactions, third party administrator, unique health plan identifier, version 5010, X12Leave a comment

Five HIPAA Compliance Activities Your Organization Must Undertake

HIPAA Administrative Simplification was enacted on August 21, 1996 as Subtitle F of Title II of Public Law 104-191. The so-called HITECH Act “Omnibus” regulation that modifies HIPAA privacy and security provisions will be published in the Federal Register by the end of this summer, according to the head of HHS’ National Coordinator for Health Information Technology, Farzad Mostashari, M.D. Based on the timeline in the Notice of Proposed Rule Making, compliance by all covered entities and their business associates would be required 240 days after publication, most likely sometime in May 2013, assuming the end-of-summer deadline is met. All covered entities and their business associates will be required to comply with provisions of…

Ed JonesHIPAA LawAdministrative Simplification, American Recovery and Reinvestment Act (ARRA), breach investigation, Breach Notification, business associate, certified electronic health record technology, complaint investigation, compliance, compliance audit, compliance auditors, CORE, Corrective Action Plan, covered entity, demonstrate compliance, detection, documentation, encrypt, encrypting your PHI, Enforcement, federal, Federal Register, Financial Incentive Program, HHS, HIPAA, HIT, HITECH Act, implementation specification, Medicaid, Medicare, Mostashari, non-compliance, OCR, OCR Guidance, Omnibus regulation, penalties, PHI, policies, Ponemon Institute, Privacy, procedures, protected health information, Risk Analysis, risk mitigation, Rodriguez, safeguard, Security, settlement, State, Training, violations, willful neglect, workforce member1 Comment

EFT and RA Transaction Operating Rules IFC Published in Federal Register August 10

August 10, 2012. Today, the Interim Final Rule with comment period (IFC): Administrative Simplification: Adoption of Operating Rules for Electronic Funds Transfers (EFT) and Remittance Advice Transactions, was published in the Federal Register. The effective date of the IFC is the date of publication, August 10, 2012. Comments on the IFC may be submitted to the Department of Health and Human Services (HHS) on or before October 9, 2012, with submission instructions included on page 48008 of the IFC. The Executive Summary (without footnotes) from the IFC follows: “A. Purpose of the Regulatory Action. Health care spending in the United States constitutes nearly 18 percent of the US…

Ed Jones5010, Health Care Reform, HIPAA Law, Transactions & Code Sets835, acknowledgement standard, administrative costs, Administrative Simplification, Affordable Care Act, BIR, CAQH, cash flow, cash forecasting, CORE, DEPARTMENT OF HEALTH AND HUMAN SERVICES, EDI, effective date, EFT, electronic data interchange, electronic funds transfers, electronic remittance advice, enrollment, ERA, Federal Register, fraud control, GDP, health plans, HHS, IFC, interim final rule with comment period, March 23 2010, Operating Rule Set, operating rules, paper check form, payment reconciliation, payment recovery, posting, Public Law 111-148, Public Law 111-152, RA transaction, reassociation, regulatory action, regulatory impact analysis, remittance advice transactions, RIA, section 1104(b)(2), section 1173(g), Social Security Act, TPA, trading partners, x12 999Leave a comment

OCR Publishes HIPAA/HITECH Act Privacy and Security Compliance Audit Protocol

July 9, 2012. Late in June, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) published its HIPAA/HITECH Act Privacy and Security Compliance Audit Protocol. Here is OCR’s description of the program, which outlines 77 audit procedures for the HIPAA Security Rule and 88 audit procedures for the HIPAA Privacy and HITECH Act Breach Notification Rules: “The OCR HIPAA Audit program analyzes processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate. OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits. The entire audit protocol is organized around modules, representing separate…

Ed JonesEnforcement, Health IT and HITECH, HIPAA Law, Privacy, Securityaccounting of disclosures, Administrative Safeguard, amendment, audit procedures, Audit Protocol, availability, Breach Notification, conduct risk assessment, confidentiality, covered entity, DEPARTMENT OF HEALTH AND HUMAN SERVICES, Enforcement, ePHI, established performance criteria, HHS, HIPAA, HIPAA PRIVACY RULE, HIPAA Security Rule, HITECH Act, HITECH Act Breach Notification Rule, inquire of management, integrity, key activity, keyword search, mandate, modules, notice of privacy practice, OCR, Office for Civil Rights, performance audits, PHI, physical safeguard, policies and procedures, Privacy, protected health information, Security, Technical Safeguard, use and disclosure1 Comment

OCR’s Publicly Disclosed Large Breaches Now Top 20 Million Impacted Individuals

May 16, 2012. The Department of Health and Human Services’ (HHS) HIPAA/HITECH Act privacy and security enforcement arm, Office for Civil Rights (OCR), is responsible under the HITECH Act to publicly disclose privacy and security breaches that affect 500 or more individuals on its Breach Notification Web site. With the now reported Utah Department of Health hacking/IT incident breach occurring in the period March 10-April 2, 2012 and affecting a reported 780,000 individuals, the total number in 435 breaches reported since September 22, 2009, now totals 20,079,189 impacted individuals. Of the total number of breaches where location of breached information is known (e.g., electronic or hard copy source), 72% of…

Ed JonesAmerican Recovery and Reinvestment Act, Enforcement, Health IT and HITECH, HIPAA Law, Privacy, Securitybreach, Breach Notification Web site, business associate, compliance, Corrective Action Plan, covered entities, DEPARTMENT OF HEALTH AND HUMAN SERVICES, electronic, encryption, Enforcement, EO 12866, Federal Register, final rules, hacking, hard copy, HHS, HIPAA, HIPAA/HITECH Act, HITECH Act, individuals, IT incident, laptop, lost, March 24 2012, OCR, Office for Civil Rights, Office of Management and Budget, OMB, other portable electronic device, PHI, policies and procedures, Privacy, protected health information, Resolution Agreement, Risk Analysis, safeguard, Security, stolen, Training, Utah Department of Health, workforce memberLeave a comment

ONC Issues Meaningful Use Guide for Privacy & Security Attestation Compliance

May 9, 2012. The Office of the National Coordinator for Health Information Technology (ONC) has issued a Guide to Privacy and Security of Health Information (Version 1.1 022312). This Guide is targeted to medical practitioners who participate in the Medicare and Medicaid Program for Adoption and Meaningful Use of Certified Electronic Health Record Technology. Chapters are: 1. What Is Privacy & Security and Why Does It Matter? 2. Privacy & Security and Meaningful Use. 3. Privacy & Security Step Plan for Meaningful Use. 4. Integrating Privacy and Security into Your Practice. 5. Privacy and Security Resources. The Guide highlights two of the Stage 1 Meaningful Use Objectives and Corresponding Measures…

Ed JonesAmerican Recovery and Reinvestment Act, Enforcement, Health IT and HITECH, HIPAA Law, Meaningful Use, Privacy, Security45 CFR 164.308(a), access, administrative, Breach Notification, business associate, business associate agreement, Certified EHR, compliance, covered entity, designated record set, designated representative, diagnostic test results, documentation, EHR, electronic copy of health information, Enforcement, Guide to Privacy and Security of Health Information, HHS, HIPAA, HIPAA PRIVACY RULE, HIPAA Security Rule, HITECH Act, implementation specification, Meaningful Us, measures, Medicaid, Medicare, medication allergies, medication lists, mitigating security risk, objectives, OCR, Office for Civl Rights, Office of the National Coordinator for Health Information Technology, ONC, PHI, physical, practice, Privacy, problem list, Program for Adoption and Meaningful Use of Certified Electronic Health Record Technology, protected health information, risk management process, safeguard, Security, security risk analysis, security updates, Stage 1 Meaningful Use, standard, technical, Training, unauthorized access or use, workforce memberLeave a comment

OCR Penalizes Physician Practice for HIPAA Privacy and Security Rule Violations

April 18, 2012. Late last week, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) executed a Resolution Agreement and included Corrective Action Plan (Appendix A) as a settlement for violations of HIPAA Privacy and Security Rules by a physician practice, Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, AZ. In its April 17, 2012, News Release, HHS stated: “The incident giving rise to OCR’s investigation was a report that the physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. On further investigation, OCR found that Phoenix Cardiac Surgery had implemented few policies and…

Ed JonesAmerican Recovery and Reinvestment Act, Enforcement, HIPAA Law, Privacy, SecurityAppendix A, breach, business associate agreement, civil money penalty, complaint investigation, compliance, compliance audit, Corrective Action Plan, covered conduct, covered entity, cup, DEPARTMENT OF HEALTH AND HUMAN SERVICES, discovery, electronic protected health information, ePHI, HHS, HIPAA PRIVACY RULE, HIPAA Security Rule, Leon Rodriguez, news release, OCR, OCR investigation, Office for Civil Rights, patient information, Phoenix AZ, Phoenix Cardiac Surgery, physician practice, policies and procedures, Prescott AZ, reportable events, Resolution Agreement, Risk Analysis, safeguards, Security Official, settlement, violations, workforce memberLeave a comment

HHS Publishes NPRM for HIPAA Health Plan Identifier and Delay for ICD-10 Compliance Date

April 17, 2012. The Office of the Secretary of the Department of Health and Human Services (HHS) published today in the Federal Register its Notice of Proposed Rule Making (NPRM): Administrative Simplification: Adoption of a Standard for a Unique Health Plan Identifier; Addition to the National Provider Identifier Requirements; and a Change to the Compliance Date for ICD-10-CM and (CD-10-PCS Medical Data Code Sets. From the NPRM is the Summary of the Major Provisions: “a. HPID. This rule proposes the adoption of the HPID [national unique health plan identifier] as the standard for the unique identifier for health plans and definitions for ‘Controlling Health Plan’ and ‘Subhealth Plan.’ The proposed…

Ed JonesHIPAA Law, Identifiers, Transactions & Code SetsAdministrative Simplification, claim, clearinghouse, code sets, compliance date, controlling health plan, covered entities, covered entity, covered transaction, data element, definition, DEPARTMENT OF HEALTH AND HUMAN SERVICES, Federal Register, Health Plan Identifier, HHS, HIPAA, HPID, ICD-10-CM, ICD-10-PCS, individuals, National Provider Identifier, Notice of Proposed Rule Making, NPI, NPRM, OEID, Office of the Secretary, other entity identifier, payer, pharmacy, prescriber, prescription, standard, sub health plan, third party administrator, transaction vendor, uniform identifierLeave a comment

HHS Issues HIPAA NPRM for Unique Health Plan Identifier and One Year Delay for ICD-10 Code Set Compliance

April 10, 2012. Yesterday, the Office of the Secretary of the Department of Health and Human Services (HHS) promulgated a notice of proposed rule making (NPRM) entitled: Administrative Simplification: Adoption of a Standard for a Unique Health Plan Identifier; Addition to the National Provider Identifier Requirements; and a Change to the Compliance Date for ICD-10-CM and ICD-10-PCS Medical Data Code Sets. The NPRM will be published in the Federal Register on April 17, 2012. Here is the NPRM summary: “This proposed rule would implement section 1104 of the Patient Protection and Affordable Care Act (hereinafter referred to as the Affordable Care Act) by establishing new requirements for administrative transactions that…

Ed JonesHealth Care Reform, HIPAA Law, Identifiers, Transactions & Code SetsAdministrative Simplification, Affordable Care Act, April 17 2012, code sets, DEPARTMENT OF HEALTH AND HUMAN SERVICES, effective date, Federal Register, Health Insurance Portability and Accountability Act of 1996, HHS, HIPAA, HPID, ICD-10-CM, ICD-10-PCS, National Provider Identifier, Notice of Proposed Rule Making, NPI, NPRM, October 1 2012, October 1 2013, October 1 2014, OEID, Office of the Secretary, other entity identifier, Patient Protection and Affordable Care Act, section 1104, standard, unique health plan identifierLeave a comment

Finally, HIPAA/HITECH Act Privacy, Security, Breach Notification, Enforcement Final Rules at OMB

March 24, 2012. Today, the Office of Information and Regulatory Affairs at the Office of Management and Budget (OMB) in the Executive Office of the President showed that it had received the much-delayed Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Final Rules entitled: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules (RIN: 0945-AA03). Following review by OMB, the rules will be published in the Federal Register, most likely in April if OMB’s review is timely. The Abstract of the Rules reads: “The Department of Health and Human Services Office for Civil Rights will issue final rules to modify the HIPAA Privacy, Security,…

Ed JonesAmerican Recovery and Reinvestment Act, Enforcement, GINA, Health IT and HITECH, HIPAA Law, Privacy, Security123 STAT., 42 USC 1320d-9, Abstract, American Recovery and Reinvestment Act of 2009, Breach Notification, business associate, compliance audit, covered entities, DEPARTMENT OF HEALTH AND HUMAN SERVICES, electronic devices or media, encrypting, Enforcement, Executive Office of the President, Federal Register, final rules, financial penalties, Genetic Information Nondiscrimination Act of 2008, GINA, Health Information Technology for Economic and Clinical Health Act, HHS, HIPAA PRIVACY RULE, HIPAA Security Rule, HITECH Act, laptop, Modifications to the HIPAA Privacy, non-compliance, OCR, Office for Civil Rights, Office of Information and Regulatory Affairs, Office of Management and Budget, OMB, PHI, Privacy, protected health information, RIN: 0945-AA03, section 105, Security, smart phone, Subtitle D, tablet, Title XIIILeave a comment