SUMMARY: In June 2011, the United States Department of Health & Human Services (HHS) Office of Civil Rights (OCR) contracted for new periodic audits of covered entities and business associates to ensure compliance with the Privacy and Security Standards found in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act). Announcement of these new audits followed closely on the heels of a May 2011 report from the HHS Office of Inspector General (OIG) criticizing oversight and enforcement of the HIPAA Security Rule requirements and recommending that the OCR conduct random audits.
Identity Theft and the FTC’s Red Flags Rule

Update: In a voice vote today, December 7, 2010, the House passed the Red Flag Program Clarification Act of 2010. The Act now goes to President Obama for signing.
On November 30, 2010, the U.S. Senate passed legislation that could exempt health care providers from the FTC’s Red Flag Rule. The Red Flag Program Clarification Act of 2010 amends the Fair Credit Reporting Act with regard to the applicability of identity theft guidelines to creditors. Under the amendment, a “creditor” will “not include a creditor . . . that advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.” There is an identical companion bill before the House, which is expected to pass. The Clarification Act may lift an impending compliance burden on businesses that do not collect payment for services at the time services are rendered, where there is no reasonably foreseeable risk of identity theft.
Health Care Reform & HITECH Update for Employers: Webinar
The health care reform law is massive, and it will take time for employers to develop appropriate plans for compliance. The first transformative step in health care reform actually started with the American Recovery and Reinvestment Act of 2009 (ARRA), which included the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The HITECH Act set the course for implementing a nationwide network of electronic health records (EHRs). One of the main goals of the HITECH Act is to ensure privacy and security. Why might this be important to a business that is not a health care provider? To find out, join the Kentucky Chamber’s webinar, Health Care Reform Update for Employers, on December 16, 2010, from 3:00 to 4:00 pm (EST). The first part of the webinar will focus on the employer and its HR department, looking at the new laws and discussing what decisions an employer must consider in light of these new laws. Jason Lee, Esq., a member of the Tax, Business & Personal Planning Service Team at Wyatt, Tarrant & Combs, LLP, will lead this discussion, which also will include an overview of tax credits and penalties, as well as the changes in effect now and those coming in the future, for employers. The second part of the webinar will focus on the changes that occurred last year with the passage of the HITECH Act. Kathie McDonald-McClure, Esq., Editor of the HITECH Law Blog and a partner with Wyatt, Tarrant & Combs, LLP, will lead this discussion. She will highlight certain provisions of the HITECH Act’s new privacy and security provisions that will have an immediate and direct impact on certain businesses, including those that do not directly provide any health care. For more information, and to sign up, see the Kentucky Chamber’s webinar registration page.
Final Rule on Breach Notification for Unsecured Protected Health Information Delayed for Additional Review
The following statement was recently posted on the U.S. Department of Health & Human Services’ Office of Civil Rights website:
“The Interim Final Rule for Breach Notification for Unsecured Protected Health Information, issued pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, was published in the Federal Register on August 24, 2009, and became effective on September 23, 2009. During the 60-day public comment period on the Interim Final Rule, HHS received approximately 120 comments.
“HHS reviewed the public comment on the interim rule and developed a final rule, which was submitted to the Office of Management and Budget (OMB) for Executive Order 12866 regulatory review on May 14, 2010. At this time, however, HHS is withdrawing the breach notification final rule from OMB review to allow for further consideration, given the Department’s experience to date in administering the regulations. This is a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur. We intend to publish a final rule in the Federal Register in the coming months.”
