SUMMARY: In June 2011, the United States Department of Health & Human Services (HHS) Office of Civil Rights (OCR) contracted for new periodic audits of covered entities and business associates to ensure compliance with the Privacy and Security Standards found in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act). Announcement of these new audits followed closely on the heels of a May 2011 report from the HHS Office of Inspector General (OIG) criticizing oversight and enforcement of the HIPAA Security Rule requirements and recommending that the OCR conduct random audits.
Health Care Reform & HITECH Update for Employers: Webinar
The health care reform law is massive, and it will take time for employers to develop appropriate plans for compliance. The first transformative step in health care reform actually started with the American Recovery and Reinvestment Act of 2009 (ARRA), which included the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The HITECH Act set the course for implementing a nationwide network of electronic health records (EHRs). One of the main goals of the HITECH Act is to ensure privacy and security. Why might this be important to a business that is not a health care provider? To find out, join the Kentucky Chamber’s webinar, Health Care Reform Update for Employers, on December 16, 2010, from 3:00 to 4:00 pm (EST). The first part of the webinar will focus on the employer and its HR department, looking at the new laws and discussing what decisions an employer must consider in light of these new laws. Jason Lee, Esq., a member of the Tax, Business & Personal Planning Service Team at Wyatt, Tarrant & Combs, LLP, will lead this discussion, which also will include an overview of tax credits and penalties, as well as the changes in effect now and those coming in the future, for employers. The second part of the webinar will focus on the changes that occurred last year with the passage of the HITECH Act. Kathie McDonald-McClure, Esq., Editor of the HITECH Law Blog and a partner with Wyatt, Tarrant & Combs, LLP, will lead this discussion. She will highlight certain provisions of the HITECH Act’s new privacy and security provisions that will have an immediate and direct impact on certain businesses, including those that do not directly provide any health care.
Final Rule on Breach Notification for Unsecured Protected Health Information Delayed for Additional Review
The following statement was recently posted on the U.S. Department of Health & Human Services’ Office of Civil Rights website:
“The Interim Final Rule for Breach Notification for Unsecured Protected Health Information, issued pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, was published in the Federal Register on August 24, 2009, and became effective on September 23, 2009. During the 60-day public comment period on the Interim Final Rule, HHS received approximately 120 comments.
“HHS reviewed the public comment on the interim rule and developed a final rule, which was submitted to the Office of Management and Budget (OMB) for Executive Order 12866 regulatory review on May 14, 2010. At this time, however, HHS is withdrawing the breach notification final rule from OMB review to allow for further consideration, given the Department’s experience to date in administering the regulations. This is a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur. We intend to publish a final rule in the Federal Register in the coming months.”
HHS Office of Civil Rights updates HIPAA Breach Website
As indicated in a July 8, 2010 press briefing, the Office of Civil Rights (OCR) of the United States Department of Health & Human Services (HHS) has updated its HIPAA breach notification webpage. This is the webpage where OCR is posting breaches of unsecured Protected Health Information (PHI) affecting 500 or more individuals. The format includes brief summaries of the incidents reported to the HHS Secretary that OCR has investigated and closed. The format also allows users to search and sort the posted breaches by entity, state, date, number of individuals affected, type of breach, and location of breached information. There are currently 107 breach notifications posted, all occurring since September 9, 2009. The breaches reported thus far indicate that theft ranks #1 as the type of activity leading to a breach. A quick run-down of the stats reflects the following:
HHS announces proposed rulemaking to “significantly” modify HIPAA
On Thursday, July 8, 2010, the United States Department of Health & Human Services (HHS) held a press briefing to announce “significant modifications” through proposed rulemaking to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) pursuant to the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH). The proposed modifications also seek to strengthen the privacy of health information and help Americans understand their rights and resources available to safeguard their personal health information. As part of the latter effort, Sebelius announced the launch of another new website “where Americans can read about all HHS’ efforts to protect privacy in the exchange of electronic health information and that will give Americans the tools needed to embrace technology to take control over their health information.” The website will be available at www.hhs.gov/healthprivacy.