The FTC: Watchdog for Privacy and Security of Sensitive Personal Data

Those who dwell in the world of health care privacy and security know well that the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) is the federal agency that issues the regulations, provides guidance and ultimately enforces the complex requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as amended by the Health Information Technology for Economic & Clinical Health Act of 2009 (HITECH).  But we also know, as citizens of the 21st Century, that privacy and security concerns extend far beyond insurance claims and health records in our doctors’ offices.  With every new smartphone we indulge in, every online purchase we make, every retail loyalty program for which we register, we share valuable chunks and tidbits of data about ourselves that now can be used to tell others far more about us than we ever would have dreamed possible, or probably desire.  The internet and astounding connectivity of so many technological devices, both consumer and commercial, allow extremely private and sensitive information to be accessed by parties we do not know and cannot imagine, for both our benefit and detriment.

House Calls for Suspension of EHR Incentive Payments under HITECH Act

On Thursday, October 4, 2012, in a letter to Secretary Sebelius of the United States Department of Health & Human Services (HHS), the United States House GOP called on HHS to suspend incentive payments for the adoption and implementation of electronic health records (EHRs) otherwise authorized under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act).  The GOP also asked HHS to delay the imposition of penalties on providers who choose not to use EHRs in their practice (penalties that, pursuant to the HITECH Act provisions, are to take the form of reductions in Medicare reimbursements in 2015).

Get Ready for Audits on EHR Incentive Payments

The promised audits have begun for providers receiving electronic health records (EHR) incentives available under the Health Information Technology for Economic and Clinical Health (HITECH) Act. 

In order to receive Medicare EHR incentive payments, providers must attest to CMS that they meet Meaningful Use (MU) criteria using certified EHR technology.  Any provider attesting to receive an EHR incentive payment for either the Medicare EHR Incentive Program or the Medicaid EHR Incentive Program potentially may be subject to an audit.  If an audit finds a provider is not eligible for an EHR incentive payment because it does not meet MU criteria, then the incentive payment will be recouped.   Here’s what providers need to know to prepare for an audit:


Initial HIPAA Audit Report Provides Some Guidance, Identifies Top Risks

In our November 2011 blog post, we told you about the launch of HIPAA privacy and security audits mandated by Section 13411 of the Health Information Technology for Economic and Clinical Health Act (HITECH Act). KPMG, Inc. was awarded the contract to develop the audit protocol and conduct these audits last fall and, on March 1, 2012, completed its initial group of 20 audits aimed at testing the audit protocol. The United States Department of Health & Human Services’ (HHS) Office of Civil Rights (OCR) recently issued a preliminary report of the results (click here to see OCR’s slide presentation of the 2012 HIPAA Privacy and Security Audits Report).


February 29 Data Breach Reporting Deadline Fast Approaching!

The deadline is quickly approaching for mandatory data breach reporting to the United States Department of Health & Human Services (HHS) under the Health Information Technology for Economic and Clinical Health Act (HITECH Act).  Covered entities must report data breaches involving fewer than 500 individuals to HHS within 60 days following the end of the calendar year in which the breach occurred.  Because 2012 is a leap year, covered entities that experienced a data breach involving fewer than 500 individuals in 2011 should submit data breach notification reports to HHS by February 29, 2012.

The reports must be submitted electronically.  Please follow these links for the submission form and reporting instructions.