Federal Government Report Summarizes Health Care Privacy Compliance Efforts

July 29, 2014July 31, 2014 Margaret Young Levi Electronic Health Records, Federal Law Resources, Health Information Technology, HITECH Law breach, compliance report, data breach, OCR, Office for Civil Rights, Privacy & Security, report to Congress, U.S. Department of Health and Human Services

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has issued two reports to Congress required by Section 13402(i) of the Health Information Technology for Economic and Clinical Health (HITECH) Act:

–“Annual Report to Congress on Breaches of Unsecured Protected Health Information For Calendar Years 2011 and 2012” (the Breach Report); and

–“Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance For Calendar Years 2011 and 2012” (the Compliance Report).

Both of OCR’s reports (as well as previous annual reports) may be accessed here. This post discusses the Compliance Report. We summarized the Breach Report in a separate post entitled “Federal Government Report on Data Breaches in Health Care.”

OCR is the office responsible for administering and enforcing the HIPAA Privacy, Security, and Breach Notification Rules. The Compliance Report summarizes OCR’s compliance and enforcement activity with respect to the HIPAA Privacy, Security, and Breach Notification Rules.

Continue reading →

Federal Government Report on Data Breaches in Health Care

July 21, 2014July 22, 2014 Margaret Young Levi Electronic Health Records, Federal Law Resources, Health Information Technology, HITECH Law data breach, healthcare breach reports, Privacy and security of electronic data, privacy and security of personal health information, U.S. Department of Health & Human Services Office for Civil Rights

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) has issued two reports to Congress required by Section 13402(i) of the Health Information Technology for Economic and Clinical Health (HITECH) Act:

• “Annual Report to Congress on Breaches of Unsecured Protected Health Information For Calendar Years 2011 and 2012” (the Breach Report), and
• “Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance For Calendar Years 2011 and 2012” (the Compliance Report).

Both reports (as well as previous annual reports) may be accessed here. This post discusses the Breach Report, and a separate article will be posted later addressing the Compliance Report.

The Breach Report offers valuable insight into OCR’s priorities with respect to healthcare data breaches and gives an excellent summary of many recent settlements. OCR (the office responsible for administering and enforcing the HIPAA Privacy, Security, and Breach Notification Rules) has prepared this Breach Report describing the numbers and types of healthcare data breaches occurring for calendar years 2011 and 2012. The Breach Report is compiled from breach reports that HIPAA requires be provided to OCR by covered healthcare providers, health plans, healthcare clearinghouses and their business associates. The raw data upon which these reports is based is available here. OCR also provides some cumulative data on breaches reported since the breach notification law went into effect on September 23, 2009. OCR then slices and dices this data in a variety of different and useful ways, sorting it by: cause, location of affected protected health information (PHI), types of entities involved, number of individuals affected, remediation steps taken, etc. Continue reading →

New Kentucky Data Breach Rules Go into Effect

July 15, 2014July 18, 2014 Margaret Young Levi Federal Law Resources, Health Information Technology, HITECH Law, Privacy & Security definition of personally identifiable information, encryption standards, Privacy & Security, privacy and security of protected health information, state data breach law

Kentucky imposes new security and data breach notification requirements.

In its most recent legislative session, the Kentucky General Assembly enacted two new data breach laws, HB 5 and HB 232, which go into effect July 15, 2014. Kentucky governmental agencies, those doing business with governmental agencies, and persons simply doing business in Kentucky should be aware of these added data security and breach notification requirements. Some level of comfort may be taken by health care providers, health insurance companies, banks, or others who are subject to either the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) or Title V of the Gramm-Leach-Bliley Act of 1999, as at least HB 232 appears to exempt them. However, questions remain as to whether HIPAA-covered entities and banks are exempt under HB 5 when they have a contract with a state agency and receive personal information from the agency. Hopefully this issue will be sorted out in the rule-making to come, before additional requirements of HB 5 kick in on January 1, 2015.

Continue reading →

March 31st Attestation Deadline for Eligible Professionals

March 18, 2014 Margaret Young Levi Electronic Health Records, Health Information Technology, Meaningful Use EHR, Electronic Health Records, Health care reform, Health Information Technology, Meaningful Use, meaningful use of certified EHR

Reminder: The deadline for Medicare eligible professionals to attest to meaningful use of certified electronic health record technology for the 2013 program year is just two weeks away. Attestations are due on March 31, 2014 at 11:59 pm EST. Click here for addition information about the EHR incentive program as well as to register or attest to meaningful use.

CMS Issues EHR Meaningful Use Hardship Exceptions for Health Care Providers Subject to 2015 Medicare Reimbursement Reduction (Includes Automatic One-Year Reprieve for 2013 Meaningful Users)

March 11, 2014March 12, 2014 Margaret Young Levi EHR Certification Standards, Electronic Health Records, Eligible Professional Incentives, Health Information Technology, HITECH Law, Hospital EHR Incentives, Hospital EHR Stimulus, Meaningful Use, Physician EMR Stimulus CEHRT, EHR, hardship exception, hardship exemption, Meaningful Use

On February 28, 2014, we posted an article about ICD-10 and Stage 2 Meaningful Use (MU) announcements by the Centers for Medicare & Medicaid Services (CMS) at the 2014 HIMSS annual conference. At that conference, while CMS refused to extend the deadlines for ICD-10 and Stage 2 MU, it promised to be more flexible about providing hardship exemptions on Stage 2 MU for providers and vendors truly struggling to meet the incentive program’s requirements. CMS said that guidance would be forthcoming. Yesterday, March 10, 2014, CMS issued such guidance. The Guidance is directed solely at providers experiencing EHR vendor issues. Importantly, the Guidance gives an automatic, one-year reprieve for certain providers who demonstrated MU for 2013. Continue reading →

A legal blog about consumer privacy and data security in a high-tech world

Author: Margaret Young Levi