BCBST Pays $1.5 Million to HHS to Settle Potential HIPAA Privacy and Security Violations

On March 13, 2012, Blue Cross Blue Shield of Tennessee (BCBST) agreed to pay $1.5 million to the Department of Health and Human Services (HHS) and to a corrective action plan as part of a Resolution Agreement with HHS for potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. According to an HHS Press Release of the same date, “the enforcement action [by HHS’ Office for Civil Rights (OCR)] is the first resulting from a breach report required by the Health Information Technology for Economic and Clinical Health (HITECH) Act Breach Notification Rule.” According to the HHS Press Release: “The investigation followed…

Categories: American Recovery and Reinvestment Act, Enforcement, Health IT and HITECH, HIPAA Law, Privacy, Security

ONC Publishes Stage 2 EHR Technology Certification Criteria NPRM

On March 7, 2012, the Office of the National Coordinator for Health Information Technology (ONC) of the Department of Health and Human Services (HHS) published in the Federal Register its notice of proposed rule making (NPRM) entitled Health Information Technology:  Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record [EHR] Technology, 2014 Edition; Revisions to the Permanent Certification Program for Health Information Technology [pp. 13832-13885].  Comments to HHS may be made until 5 PM on May 7, 2012. The summary of the NPRM is included here: “Under section 3004 of the Public Health Service Act, the Secretary of Health and Human Services is proposing to revise the initial set…

Categories: American Recovery and Reinvestment Act, Health IT and HITECH, Meaningful Use, Privacy, Security

CMS Publishes Stage 2 Meaningful Use Incentive Program NPRM

On March 7, 2012, the Centers for Medicare & Medicaid Services (CMS) published in the Federal Register its 132-page notice of proposed rule making (NPRM):  Medicare and Medicaid Programs; Electronic Health Record Incentive Program–Stage 2.  Comments to the Department of Health and Human Services (HHS) may be made until 5 PM on May 7, 2012. The summary of the NPRM is included here: “This proposed rule would specify the Stage 2 criteria that eligible professionals (EPs), eligible hospitals, and critical access hospitals (CAHs) must meet in order to qualify for Medicare and/or Medicaid electronic health record (EHR) incentive payments.  In addition, it would specify payment adjustments under Medicare for covered…

Categories: American Recovery and Reinvestment Act, Enforcement, Health IT and HITECH, HIPAA Law, Meaningful Use, Privacy, Security

IFR for HIPAA EFT Standard to be Published in Federal Register January 10, 2012

HIPAA.com discussed in its preceding posting this Interim Final Rule (IFR) for “adoption of standards and operating rules for Electronic Funds Transfers (EFT) and operating rules for remittance advice…”, as required by the Patient Protection and Affordable Care Act of 2010 (Public Law 111-148).  [124 STAT. 153] The Office of Management and Budget (OMB) completed its regulatory review on January 3, 2012, and the IFR is available for pre-publication review prior to January 10, 2012, when it will be published in the Federal Register.  The title of the IFR is: Administrative Simplification:  Adoption of Standards for Health Care Electronic Funds Transfers (EFTs) and Remittance Advice. The Summary in the pre-publication…

Categories: Health Care Reform, HIPAA Law, Transactions & Code Sets

IFR for EFT at OMB

The Centers for Medicare & Medicaid Services (CMS) of the Department of Health and Human Services (HHS) has sent to the Office of Management and Budget (OMB) its Interim Final Rule (IFR) for “adoption of standards and operating rules for Electronic Funds Transfers (EFT) and operating rules for remittance advice….” Following the December 15 receipt and subsequent review of the IFR by OMB, the IFR is expected to be published in the Federal Register before January 1, 2012, as required by the Affordable Care Act of 2010 (Public Law 111-148). [124 STAT. 153] The legal authority for the IFR is Section 1104 (Administrative Simplification) of the Affordable Care Act.  Section 1104…

Categories: Health Care Reform, HIPAA Law, Transactions & Code Sets

CMS Initiates 90-Day Enforcement Discretion for 5010 Compliance

January 1, 2012, is the date for covered entities to achieve compliance with ASC X12 Version 5010, NCPDP Telecom D.0, and NCPDP Medicaid Subrogation 3.0 transaction standards. Covered entities include healthcare providers, health plans, and healthcare clearinghouses. Small health plans have until January 1, 2013, to comply with the NCPDP Medicaid Subrogation 3.0 standard. The Centers for Medicare & Medicaid Services (CMS) Office of E-Health Standards and Services (OESS) is responsible for enforcement of compliance with electronic transaction standards. CMS announced on November 17, 2011, that “[w]hile enforcement action will not be taken [from January 1-March 31, 2012], OESS will continue to accept complaints associated with compliance with Version 5010,…

Categories: 5010, Enforcement, HIPAA Law, Transactions & Code Sets

OCR Announces November 2011 Start of Privacy and Security Compliance Audits

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for privacy and security enforcement under the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act provisions. OCR has announced that it is initiating compliance audits beginning this month, as authorized by the HITECH Act. This action precedes the imminent release of the Final HIPAA/HITECH Act Privacy, Security, Breach Notification, and Enforcement Rules, expected before the end of 2011, and will strengthen enforcement and accountability for compliance with existing and forthcoming Rule modifications. To avoid the consequences of potential penalties for non-compliance, covered entities and business…

Categories: American Recovery and Reinvestment Act, Enforcement, Health IT and HITECH, HIPAA Law, Privacy, Security

HITECH Act Breached Individuals Skyrocket in Latest OCR Web Site Posting

Under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009, covered entities are required to report to the Secretary of the U.S. Department of Health and Human Services (HHS) any privacy or security breach affecting 500 or more individuals within 60 days of discovery of the breach by the covered entity or its business associate.  The HHS Office for Civil Rights (OCR), which is responsible for privacy and security enforcement under the Health Insurance Portability and Accountability Act (HIPAA) and HITECH Act provisions that strengthened privacy and security enforcement, is required to post those breaches…

Categories: American Recovery and Reinvestment Act, Enforcement, Health IT and HITECH, Privacy, Security

HHS Extends Life of Temporary EHR Technology Certification Program

The Office of the National Coordinator for Health Information Technology (ONC) of the Department of Health and Human Services (HHS) published a notice in the Thursday, November 3, 2011, Federal Register that extends the life of the “temporary certification program for health information technology” beyond its expected sunset date of December 31, 2011, to at least summer 2012.  “We believe that the sunset of the temporary certification programs [ONC-Authorized Testing and Certification Bodies (ATCBs)] should be tied to the effective date of the final rule that we intend to issue in summer 2012, which is expected to adopt new and revised standards, implementation specifications, and certification criteria for EHR technology in…

Categories: American Recovery and Reinvestment Act, Health IT and HITECH, Meaningful Use

HITECH Act Privacy and Security Final Rules Needed Now

Since September 23, 2009, the enforcement arm of the Department of Health and Human Services (HHS), the Office for Civil Rights (OCR), has been required to publicly disclose breaches involving 500 or more individuals discovered and reported by covered entities and their business associates. As of October 25, 2011, OCR has reported 345 such breaches involving a total of 11,959,488 individuals.  Not reflected yet in the OCR disclosed breaches are two involving 6.5 million individuals:  a Nemours breach of 1.6 million individuals and a TRICARE breach involving 4.9 million individuals.  Together, these two recently reported breaches represent 54.4% of the total number of individuals affected by the publicly disclosed breaches…

Categories: American Recovery and Reinvestment Act, Enforcement, Health IT and HITECH, HIPAA Law, Privacy, Security