The Office of the National Coordinator for Health Information Technology (ONCHIT) recently released a 47-page Guide to Privacy and Security of Health Information. The Guide provides direction to providers on protecting patient privacy and securing their health information in an electronic health record (EHR) for purposes of complying with the Health Insurance Portability and Accountability Act (HIPAA) as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The Guide also addresses compliance with certain Meaningful Use (MU) standards that have been promulgated pursuant to the HITECH Act’s incentive program for adopting and implementing EHRs.
Privacy & Security
February 29 Data Breach Reporting Deadline Fast Approaching!
The deadline is quickly approaching for mandatory data breach reporting to the United States Department of Health & Human Services (HHS) under the Health Information Technology for Economic and Clinical Health Act (HITECH Act). Covered entities must report data breaches involving fewer than 500 individuals to HHS within 60 days following the end of the calendar year in which the breach occurred. Because 2012 is a leap year, covered entities that experienced a data breach involving fewer than 500 individuals in 2011 should submit data breach notification reports to HHS by February 29, 2012.
The reports must be submitted electronically; the submission form and reporting instructions are available from HHS.
Office of Civil Rights Launches Privacy and Security Audits
Section 13411 of the Health Information Technology for Economic and Clinical Health Act (HITECH Act) requires the United States Department of Health & Human Services (HHS) to provide for periodic audits to ensure that covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. The HHS Office of Civil Rights (OCR) announced yesterday, November 8, 2011, the launch of the long-expected privacy and security audits.
In our blog on July 13, 2011, we posted information concerning OCR’s hiring of contractors to conduct new periodic audits of covered entities and business associates to ensure compliance with the Privacy and Security Standards found in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as amended by the HITECH Act. Yesterday, OCR announced a pilot program to perform up to 150 audits to assess privacy and security compliance. Audits conducted during the pilot phase will begin in November 2011 and conclude by December 2012.
The initial 150 audits will focus on covered entities. Business associates may have a brief respite but should expect to be the target of future audits.
OCR’s stated goals of the audits are to “examine mechanisms for compliance, identify best practices and discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews.” OCR will “share best practices gleaned through the audit process and guidance targeted to observed compliance challenges.”
Covered entities will be notified in writing if selected for an audit and should be on the lookout for these notices, because selected entities have only a short period of time, 10 business days, in which to respond and provide any requested information. After the initial request for information, auditors may conduct onsite audits at an organization. Covered entities will receive 30 to 90 days’ advance notice of an onsite visit, and auditors expect to spend three to ten days onsite reviewing records, policies and practices. Before an auditor submits a final report to OCR, the covered entity will have an opportunity to provide written comments on the auditor’s findings.
ONC Releases Model Privacy Notice for Personal Health Records
After the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, interest in storing and accessing health information online increased, prompting heightened concerns about the privacy and security of such information. In September 2011, the Office of the National Coordinator for Health Information Technology (ONC) released a Personal Health Record (PHR) Model Privacy Notice for public use. This Model Notice meets ONC’s initial goal in a multi-phased consumer project to increase consumer awareness of PHR companies’ data practices. The next phase seeks to empower consumers by providing them with an easy way to compare the data practices of two or more PHR companies.
Proposed Federal Regulation Requires HIPAA-Covered Labs to Release Test Results to Patients
On September 12, 2011, the Office of the National Coordinator (ONC) for the United States Department of Health & Human Services (HHS) announced a Proposed Rule that will enable direct access to laboratory test results by patients. Under the Clinical Laboratory Improvement Amendments of 1988 (CLIA), laboratories must hold a CLIA certificate in order to perform one of three levels of complex laboratory tests regulated by CLIA. Even before the passage of the Health Information Technology for Economic and Clinical Health Act (HITECH Act), concerns had been expressed regarding the lack of clarity under state law, and the literal prohibition in some states, as to whether a CLIA laboratory that is independent (as opposed to hospital based) may release laboratory test results directly to a patient.
