February 1, 2013. Today, we wrap up discussion of breach notification in the Final Rule: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules. The Final Rule is effective on March 26, 2013, and requires compliance by covered entities and business associates on September 23, 2013. The focus is on timing of reporting a breach by a business associate to a covered entity, and, because the definition of breach was modified in the Final Rule, on the requirements to update policies and procedures,…
Tag: effective date
HIPAA Final Rule: More on Breach Notification Rule Changes
January 31, 2013. Today, we briefly identify key changes or reminders regarding breach notification in the preamble of the Final Rule: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, published in the Federal Register on January 25, 2013. The Final Rule becomes effective March 26, 2013 and requires compliance by covered entities and business associates on September 23, 2013. Earlier this week, we have examined the changed definition of breach, the substitution of the “probability standard” for the current “harm standard” underpinning…
HIPAA Final Rule: Breach Risk Assessment Factors for “Probability Standard”
January 29, 2013. Today, we cover the four risk assessment factors pertaining to breach notification in the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules: Final Rule that was published in the Federal Register on Friday, January 25, 2013. As discussed in yesterday’s post, these risk assessment factors are used in assessing the probability of impermissible use or disclosure compromising protected health information, thereby requiring breach notification. This “probability standard” replaces the “harm standard,” becomes effective March 26, 2013, and requires compliance…
Final HIPAA/HITECH Act Privacy, Security, Enforcement, Breach Notification Rules Published in Federal Register January 25, 2013.
January 25, 2013. The Final Rule is published, at last! Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule cleared the Office of Management and Budget on January 16, was issued online on the Federal Register’s Electronic Public Inspection Desk in pre-publication format on January 17, and published in the Federal Register today. The Final Rule is 136 pages (pp.5566-5702). The effective date of the Final Rule is Tuesday, March 26, 2013, and the compliance date is Monday, September 23, 2013. Here is the…
OCR of HHS FINALLY Issues HIPAA/HITECH Act Privacy, Security, Enforcement, and Breach Notification Modifications Final Rule
January 18, 2013. On January 16, 2013, the Office of Management and Budget (OMB) completed its EO 12866 regulatory review of RIN: 0945-AA03, and the long-awaited release of the Department of Health and Human Services’ Office for Civil Rights (OCR) so-called “Omnibus” Final Rule was published at 4:15 PM on January 17, 2013, in pre-publication final draft form on the Federal Register’s Electronic Public Inspection Desk. Publication in the Federal Register is scheduled for Friday, January 25, 2013. The title of the Final Rule is: 45 CFR Parts 160 and 164: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and…
EFT and RA Transaction Operating Rules IFC Published in Federal Register August 10
August 10, 2012. Today, the Interim Final Rule with comment period (IFC): Administrative Simplification: Adoption of Operating Rules for Electronic Funds Transfers (EFT) and Remittance Advice Transactions, was published in the Federal Register. The effective date of the IFC is the date of publication, August 10, 2012. Comments on the IFC may be submitted to the Department of Health and Human Services (HHS) on or before October 9, 2012, with submission instructions included on page 48008 of the IFC. The Executive Summary (without footnotes) from the IFC follows: “A. Purpose of the Regulatory Action. Health care spending in the United States constitutes nearly 18 percent of the US…
HHS Issues HIPAA NPRM for Unique Health Plan Identifier and One Year Delay for ICD-10 Code Set Compliance
April 10, 2012. Yesterday, the Office of the Secretary of the Department of Health and Human Services (HHS) promulgated a notice of proposed rule making (NPRM) entitled: Administrative Simplification: Adoption of a Standard for a Unique Health Plan Identifier; Addition to the National Provider Identifier Requirements; and a Change to the Compliance Date for ICD-10-CM and ICD-10-PCS Medical Data Code Sets. The NPRM will be published in the Federal Register on April 17, 2012. Here is the NPRM summary: “This proposed rule would implement section 1104 of the Patient Protection and Affordable Care Act (hereinafter referred to as the Affordable Care Act) by establishing new requirements for administrative transactions that…
IFR for EFT at OMB
The Centers for Medicare & Medicaid Services (CMS) of the Department of Health and Human Services (HHS) has sent to the Office of Management and Budget (OMB) its Interim Final Rule (IFR) for “adoption of standards and operating rules for Electronic Funds Transfers (EFT) and operating rules for remittance advice….” Following the December 15 receipt and subsequent review of the IFR by OMB, the IFR is expected to be published in the Federal Register before January 1, 2012, as required by the Affordable Care Act of 2010 (Public Law 111-148). [124 STAT. 153] The legal authority for the IFR is Section 1104 (Administrative Simplification) of the Affordable Care Act. Section 1104…
Nearly 8.3 Million Individuals Impacted by 249 Privacy and Security Breaches Reported by HHS; More Training on Safeguarding PHI Required
Under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009, covered entities are required to report to the Secretary of the U.S. Department of Health and Human Services (HHS) any privacy or security breach affecting 500 or more individuals within 60 days of discovery of the breach by the covered entity or its business associate. The HHS Office for Civil Rights (OCR), which is responsible for privacy and security enforcement under the Health Insurance Portability and Accountability Act (HIPAA) and HITECH Act provisions that strengthened privacy and security enforcement, is required to post those breaches…
EHR Incentive and Certification Criteria Final Rules Published in Federal Register
The EHR Incentive and Certification final rules were published in the Federal Register this morning, July 28, 2010. HIPAA.com provides the title, summary, effective date, and URL for each below. Department of Health and Human Services, Centers for Medicare & Medicaid Services, “42 CFR Parts 412, 413, 422, and 495; Medicare and Medicaid Programs; Electronic Health Record Incentive Program; Final Rule, Federal Register, 75(144), Wednesday, July 28, 2010, pp. 44313-44588. Summary: This final rule implements the provisions of the American Recovery and Reinvestment Act of 2009 (ARRA)(Public Law 111-5) that provide incentive payments to eligible professionals (EPs), eligible hospitals and critical access hospitals (CAHs) participating in Medicare and Medicaid programs…