OMB Delays Final HIPAA Rule Indefinitely While GAO Urges HHS to Issue Additional HIPAA Security and Privacy Guidance

On June 22, 2012, the Office of Management and Budget (OMB) announced that it was delaying release of the HIPAA Omnibus Final Rule (HIPAA Rule) under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) from a projected early July date to a future, unspecified date.

The much-anticipated HIPAA Rule contains implementing regulations for five aspects of the Act: 1) enforcement (new penalty levels); 2) breach notification; 3) use of genetic information by health plans; 4) application of the HIPAA Security Rule requirements directly to business associates and subcontractors; and 5) use of patient health information (PHI) for marketing. HHS has said the final Rule will contain “significant modifications” to the current HIPAA Privacy Rule.

Office of Civil Rights Launches Privacy and Security Audits

Section 13411 of the Health Information Technology for Economic and Clinical Health Act (HITECH Act) requires the United States Department of Health & Human Services (HHS) to provide for periodic audits to ensure that covered entities and business associates are complying with the HIPAA Privacy and Security Rules and the Breach Notification standards. The HHS Office of Civil Rights (OCR) announced yesterday, November 8, 2011, the launch of the long-expected privacy and security audits.

In our blog on July 13, 2011, we posted information concerning OCR’s hiring of contractors to conduct new periodic audits of covered entities and business associates to ensure compliance with the Privacy and Security Standards found in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as amended by the HITECH Act. Yesterday, OCR announced a pilot program to perform up to 150 audits to assess privacy and security compliance. Audits conducted during the pilot phase will begin in November 2011 and conclude by December 2012.

The initial 150 audits will focus on covered entities, and the audits will begin this month and end by December 2012. Business Associates may have a brief respite but should expect to be the target of future audits.

OCR’s stated goals of the audits are to “examine mechanisms for compliance, identify best practices and discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews.” OCR will “share best practices gleaned through the audit process and guidance targeted to observed compliance challenges.”

Covered entities will be notified in writing if selected for an audit and should be on the lookout for these notices because selected entities have only a short period of time, 10 business days, in which to respond and provide any requested information. After the initial request for information, auditors may conduct onsite audits at an organization. Covered entities will receive 30 to 90 days advance notice of an onsite visit, and auditors expect to spend three to ten days onsite reviewing records, policies and practices. Prior to an auditor’s submission of a final report to OCR, the covered entity will have an opportunity to provide written comments on the auditor’s findings.

OCR’s website provides additional details concerning the OCR HIPAA Audit Program.

Proposed Federal Regulation Requires HIPAA-Covered Labs to Release Test Results to Patients

On September 12, 2011, the Office of the National Coordinator (ONC) for the United States Department of Health & Human Services (HHS) announced a Proposed Rule that would enable direct access to laboratory test results by patients. Under the Clinical Laboratory Improvement Amendments of 1988 (CLIA), laboratories must hold a CLIA certificate in order to perform one of the three levels of complex laboratory tests regulated by CLIA. Even before the passage of the Health Information Technology for Economic and Clinical Health Act (HITECH Act), concerns had been expressed regarding the lack of clarity under state law, and the literal prohibition in some states, as to whether an independent (as opposed to hospital-based) CLIA laboratory may release laboratory test results directly to a patient.

Office of Civil Rights Steps Up HIPAA Audits

SUMMARY: In June 2011, the United States Department of Health & Human Services (HHS) Office of Civil Rights (OCR) contracted for new periodic audits of covered entities and business associates to ensure compliance with the Privacy and Security Standards found in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act). Announcement of these new audits followed closely on the heels of a May 2011 report from the HHS Office of Inspector General (OIG) criticizing oversight and enforcement of the HIPAA Security Rule requirements and recommending that OCR conduct random audits.

HHS Office of Civil Rights updates HIPAA Breach Website

As indicated in a July 8, 2010 press briefing, the Office of Civil Rights (OCR) of the United States Department of Health & Human Services (HHS) has updated its HIPAA breach notification webpage. This is the webpage where OCR posts breaches of unsecured Protected Health Information (PHI) affecting 500 or more individuals. The format includes brief summaries of the incidents reported to the HHS Secretary that OCR has investigated and closed. The format also allows users to search and sort the posted breaches by entity, state, date, number of individuals affected, type of breach, and location of the breached information. There are currently 107 breach notifications posted, all occurring since September 9, 2009. The breaches reported thus far indicate that theft ranks #1 as the type of activity leading to a breach. A quick run-down of the stats reflects the following: