Federal Government Report Summarizes Health Care Privacy Compliance Efforts

government buildingThe U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has issued two reports to Congress required by Section 13402(i) of the Health Information Technology for Economic and Clinical Health (HITECH) Act:

–“Annual Report to Congress on Breaches of Unsecured Protected Health Information For Calendar Years 2011 and 2012” (the Breach Report); and

–“Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance For Calendar Years 2011 and 2012” (the Compliance Report).

Both of OCR’s reports (as well as previous annual reports) may be accessed here. This post discusses the Compliance Report. We summarized the Breach Report in a separate post entitled “Federal Government Report on Data Breaches in Health Care.”

OCR is the office responsible for administering and enforcing the HIPAA Privacy, Security, and Breach Notification Rules. The Compliance Report summarizes OCR’s compliance and enforcement activity with respect to the HIPAA Privacy, Security, and Breach Notification Rules.

Continue reading

New Kentucky Data Breach Rules Go into Effect

Kentucky imposes new security and data breach notification requirements.
Kentucky imposes new security and data breach notification requirements.

In its most recent legislative session, the Kentucky General Assembly enacted two new data breach laws, HB 5 and HB 232, which go into effect July 15, 2014. Kentucky governmental agencies, those doing business with governmental agencies, and persons simply doing business in Kentucky should be aware of these added data security and breach notification requirements. Some level of comfort may be taken by health care providers, health insurance companies, banks, or others who are subject to either the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) or Title V of the Gramm-Leach-Bliley Act of 1999, as at least HB 232 appears to exempt them.  However, questions remain as to whether HIPAA-covered entities and banks are exempt under HB 5 when they have a contract with a state agency and receive personal information from the agency.  Hopefully this issue will be sorted out in the rule-making to come, before additional requirements of HB 5 kick in on January 1, 2015.

Continue reading

No Further Extensions for ICD-10 and MU Stage 2

strike before midnightUpdate:  On April 1, 2014, President Obama signed into law the “Doc Fix” bill, Public Law 113-93, which extends the deadline for ICD-10 for an additional year.  Section 212 of this law prohibits the Secretary of Health and Human Services from adopting ICD-10 code sets prior to October 1, 2015.

Everyone is a-twitter (pun intended) about the announcement on Thursday, February 27, 2014, from Marilyn Tavenner, the Administrator for the Centers for Medicare & Medicaid Services (CMS), that the deadline for adoption of ICD-10 will not be extended. Tavenner was the keynote speaker at the HIMSS14 conference, and numerous tweets from HIMSS attendees highlighted her assertion that CMS will stand firm on the October 1, 2014 deadline. All entities covered by the Health Insurance Portability and Accountability Act (HIPAA) must be prepared to use ICD-10 codes on transactions by this date.

Tavenner also affirmed that the deadlines for Stage 2 Meaningful Use (MU) will not be extended. Providers who are not meaningful users of Certified Electronic Health Record (EHR) Technology under the Medicare EHR Incentive Programs will face a penalty, in the form of Medicare payment adjustments. These payment adjustments will be applied beginning on January 1, 2015. Continue reading

After LabMD: FTC, What Do We Comply With?

by Ann F. Triebsch

clip_image002As observers of data security enforcement are aware, the Federal Trade Commission (FTC) determined on January 16, 2014, that even entities that are already subject to the privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA) are also subject to FTC jurisdiction and enforcement powers for data security breaches.  In the LabMD decision, the FTC denied the motion to dismiss sought by LabMD in the administrative case against it, which was formally filed in August, 2013. This outcome, though anticipated, has stirred up plenty of discussion, including about how to know whether or not you’re storing data in a way that satisfies the FTC, and what happens if you’re not.  For entities that are subject to HIPAA and have been following the HIPAA Security Rule regulations, is this enough?  Should they be doing more to also demonstrate compliance to the FTC? Continue reading

The FTC: Watchdog for Privacy and Security of Sensitive Personal Data

Data transmissionThose who dwell in the world of health care privacy and security know well that the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) is the federal agency that issues the regulations, provides guidance and ultimately enforces the complex requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as amended by the Health Information Technology for Economic & Clinical Health Act of 2009(HITECH).  But we also know, as citizens of the 21st Century, that privacy and security concerns extend far beyond insurance claims and health records in our doctors’ offices.  With every new smartphone we indulge in, every online purchase we make, every retail loyalty program for which we register, we share valuable chunks and tidbits of data about ourselves that now can be used to tell others far more about us than we ever would have dreamed possible, or probably desire.  The internet and astounding connectivity of so many technological devices, both consumer and commercial, allow extremely private and sensitive information to be accessed by parties we do not know and cannot imagine, for both our benefit and detriment.  Continue reading