OMB Delays Final HIPAA Rule Indefinitely While GAO Urges HHS to Issue Additional HIPAA Security and Privacy Guidance

On June 22, 2012, the Office of Management and Budget (OMB) announced that it was delaying release of the HIPAA Omnibus Final Rule (HIPAA Rule) under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) from a projected early-July date to an unspecified future date.

The much-anticipated HIPAA Rule contains implementing regulations for five aspects of the HITECH Act: 1) enforcement (new penalty tiers); 2) breach notification; 3) use of genetic information by health plans; 4) direct application of the HIPAA Security Rule requirements to business associates and their subcontractors; and 5) use of protected health information (PHI) for marketing. HHS has said the final Rule will contain "significant modifications" to the current HIPAA Privacy Rule.

Initial HIPAA Audit Report Provides Some Guidance, Identifies Top Risks

In our November 2011 blog post, we told you about the launch of the HIPAA privacy and security audits mandated by Section 13411 of the Health Information Technology for Economic and Clinical Health Act (HITECH Act). KPMG was awarded the contract to develop the audit protocol and conduct these audits last fall and, on March 1, 2012, completed its initial group of 20 audits aimed at testing the audit protocol. The United States Department of Health & Human Services' (HHS) Office for Civil Rights (OCR) recently issued a preliminary report of the results in a slide presentation, the 2012 HIPAA Privacy and Security Audits Report.

New Guide for Privacy and Security of Health Information in EHRs

The Office of the National Coordinator for Health Information Technology (ONCHIT) recently released a 47-page Guide to Privacy and Security of Health Information. The Guide provides direction to providers on protecting patient privacy and securing health information held in an electronic health record (EHR) for purposes of complying with the Health Insurance Portability and Accountability Act (HIPAA) as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The Guide also addresses compliance with certain Meaningful Use (MU) standards promulgated under the HITECH Act's incentive program for adopting and implementing EHRs.

CMS Releases Proposed Rule for Stage 2 Meaningful Use of Electronic Health Records

On Thursday, February 23, 2012, the Centers for Medicare and Medicaid Services (CMS), pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, released a 455-page Proposed Rule specifying the Stage 2 criteria that eligible professionals (EPs), eligible hospitals and critical access hospitals (CAHs) must meet in order to qualify for Medicare and/or Medicaid incentives related to electronic health records (EHRs). The Proposed Rule also proposes to modify certain Stage 1 criteria, as well as criteria that apply regardless of Stage, as previously published in the Final Rule of July 28, 2010 in the Federal Register. The proposed provisions related to Medicaid (calculation of patient volume and hospital eligibility) would take effect shortly after the Proposed Rule is finalized and would not be subject to the proposed one-year delay for Stage 2 meaningful use of a certified EHR. The Proposed Rule states that the changes to Stage 1 would take effect for 2013, but that most of them would be optional until 2014. Last but not least, the Proposed Rule addresses the Medicare payment adjustments that will apply to EPs, eligible hospitals and CAHs that fail to demonstrate meaningful use of certified EHRs by 2015, and proposes exceptions to those adjustments.

February 29 Data Breach Reporting Deadline Fast Approaching!

The deadline is quickly approaching for mandatory data breach reporting to the United States Department of Health & Human Services (HHS) under the Health Information Technology for Economic and Clinical Health Act (HITECH Act). Covered entities must report breaches of unsecured protected health information involving fewer than 500 individuals to HHS within 60 days after the end of the calendar year in which the breach was discovered. Because 2012 is a leap year, the 60th day after December 31, 2011 falls on February 29, so covered entities that discovered a breach involving fewer than 500 individuals in 2011 should submit their breach notification reports to HHS by February 29, 2012.

The reports must be submitted electronically, using the breach submission form and reporting instructions published by HHS's Office for Civil Rights.