The New HIPAA Rules are Out!

January 23, 2013March 12, 2014 Ann Feldkamp Triebsch Federal Law Resources, Health Information Technology, HITECH Law, Privacy & Security HITECH Act, linkedin, Meaningful Use, Omnibus Rule, Privacy & Security, privacy and security of protected health information

by Ann F. Triebsch

(Updated January 27, 2013)

On January 17, 2013, the Department of Health & Human Services (HHS), Office for Civil Rights (OCR), released the final HIPAA Omnibus Rule (Omnibus Rule) implementing the HITECH Act of 2009 and the Genetic Information Nondiscrimination Act of 2008 (GINA). The Omnibus Rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s enforcement capabilities. The regulations are published in the January 25, 2013 Federal Register, and will be effective on March 26, 2013, with compliance required by September 23, 2013.

We will discuss the highlights of the new regulations, topic by topic, in this blog over the next few weeks, but we begin with a key piece of information relevant to existing business associate agreements. The new regs substantially increase the privacy responsibilities of a business associate that receives protected health information, such as contractors and subcontractors. Business associates may also be liable for increased penalties for noncompliance based on the level of negligence, up to a maximum penalty of $1.5 million.

All of the new requirements will need to be reflected in business associate agreements (BAAs). If your current business associate agreement was signed on or before January 24, 2013, it will be deemed HIPAA compliant through September 23, 2014 (at which time the agreement will need to have been amended for compliance with the Omnibus Rule). After January 24, 2013, any new BAAs signed should comply with the Omnibus Rule, and be in place by September 23, 2013.

To read the Omnibus Rule, click here.

Long-awaited HIPAA Omnibus Rule may be released soon

January 17, 2013April 16, 2013 Margaret Young Levi Federal Law Resources, Health Information Technology, HITECH Law, Privacy & Security

“Rumor has it” that the long-awaited HIPAA-HITECH Omnibus Rule under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) will be released the week of January 21st or 28th. While similar rumors have abounded for many months, this one may have some merit.

It is reasonable to expect the Office of Management and Budget (OMB) to release the final OMNIBUS regulations as soon as late January or early February based on the fact that the OMB has had the rule for almost a year to perform a perfunctory final review. The Department for Health and Human Services (HHS) released the Rule to OMB for review, one of the last steps before publication in the Federal Register, on March 24, 2012. OMB had the standard 90-day period to perform its review, but requested an extension. Some have speculated that the pending election last year may have played a part in delaying the Rule.

The Modern Healthcare’s IT Everything blog also posted recently that “in February, there is a HIPAA summit mid-month” that “calls for regulators to give a talk on the final rule.” Read more here.

The much-anticipated HIPAA Rule is expected to contain implementing regulations for the following aspects of the HITECH Act: 1) data breach enforcement and penalty levels; 2) data breach notification requirements; 3) application of the HIPAA Security Rule requirements directly to business associates and subcontractors; 4) use of genetic information by health plans; 5) use of patient health information (PHI) for marketing and fundraising. HHS has said the final Rule will contain “significant modifications” to the current HIPAA Privacy Rule. The final Rule will not address the proposed change to the HIPAA Privacy Rule’s standard on accounting for disclosures (i.e., access by whom, when and for what purpose), a controversial proposal that was complex, burdensome and potentially very costly.

We also have heard that a notice of proposed rulemaking would be out in March proposing a methodology by which people harmed by a HIPAA violation could share in any settlement or civil monetary penalty.

Stay tuned . . .

Get Ready for Audits on EHR Incentive Payments

August 1, 2012March 12, 2014 Margaret Young Levi EHR Certification Standards, Electronic Health Records, Eligible Professional Incentives, Federal Law Resources, Health Information Technology, HITECH Law, Hospital EHR Stimulus, Meaningful Use, Privacy & Security Health Information Technology, HITECH Act, linkedin, meaningful use of certified EHR, Medicare EHR Incentives, privacy and security of health information exchange

The promised audits have begun for providers receiving electronic health records (EHR) incentives available under the Health Information Technology for Economic and Clinical Health (HITECH) Act.

In order to receive Medicare EHR incentive payments, providers must attest to CMS that they meet Meaningful Use (MU) criteria using certified EHR technology. Any provider attesting to receive an EHR incentive payment for either the Medicare EHR Incentive Program or the Medicaid EHR Incentive Program potentially may be subject to an audit. If an audit finds a provider is not eligible for an EHR incentive payment because it does not meet MU criteria, then the incentive payment will be recouped. Here’s what providers need to know to prepare for an audit:

Continue reading →

OMB Delays Final HIPAA Rule Indefinitely While GAO Urges HHS to Issue Additional HIPAA Security and Privacy Guidance

July 10, 2012April 16, 2013 Kathie McDonald-McClure Federal Law Resources, Health Information Technology, HITECH Law, Privacy & Security Electronic Health Records, Federal Law Resources, Health Information Technology, HITECH Act, linkedin, privacy and security of protected health information

On June 22, 2012, the Office of Management and Budget (OMB) announced that it was delaying release of the HIPAA Omnibus Final Rule (HIPAA Rule) under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) from a projected early July date, to a future unspecified date.

The much-anticipated HIPAA Rule contains implementing regulations for five aspects of the Act: 1) enforcement (new penalty levels); 2) breach notification; 3) use of genetic information by health plans; 4) application of the HIPAA Security Rule requirements directly to business associates and subcontractors; and 5) use of patient health information (PHI) for marketing. HHS has said the final Rule will contain “significant modifications” to the current HIPAA Privacy Rule.

Continue reading →

Initial HIPAA Audit Report Provides Some Guidance, Identifies Top Risks

July 3, 2012March 12, 2014 Margaret Young Levi Federal Law Resources, Health Information Technology, HITECH Law, Privacy & Security audit, Health Information Technology, HIT, HITECH Act, HITECH implementation, linkedin, Privacy & Security, privacy and security of health information exchange, privacy and security of protected health information, protocol, security of protected health information

In our November 2011 blog post, we told you about the launch of HIPAA privacy and security audits mandated by Section 13411 of the Health Information Technology for Economic and Clinical Health Act (HITECH Act). KMPG, Inc. was awarded the contract to develop the audit protocol and conduct these audits last fall and, on March 1, 2012, completed its initial group of 20 audits aimed at testing the audit protocol. The United States Department of Health & Human Services’ (HHS) Office of Civil Rights (OCR) recently issued a preliminary report of the results (click here to see OCR’s slide presentation of the 2012 HIPAA Privacy and Security Audits Report).

Continue reading →