Posts in Federal Law Resources.
The FTC's Chief Administrative Law Judge dismisses the FTC's Complaint against LabMD, holding, in sum, that the FTC failed to prove that the alleged security incidents “caused or is likely to cause substantial injury to consumers.”

The U.S. Department for Health & Human Services’ Office of Inspector General (OIG) has conducted two recent studies calling for tighter enforcement of the Privacy and Security Rules under the Health Insurance Portability and Accountability Act (HIPAA).

OCR Should Strengthen Its Oversight of Covered Entities' Compliance With the HIPAA ...

Under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act), eligible hospitals and critical access hospitals and eligible professionals must make a “meaningful use” of “certified electronic health technology” or face reductions in Medicare reimbursement. Conducting or reviewing a security ...

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has issued two reports to Congress required by Section 13402(i) of the Health Information Technology for Economic and Clinical Health (HITECH) Act:

--“Annual Report to Congress on Breaches of Unsecured Protected Health Information For Calendar Years 2011 ...

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) has issued two reports to Congress required by Section 13402(i) of the Health Information Technology for Economic and Clinical Health (HITECH) Act:

• “Annual Report to Congress on Breaches of Unsecured Protected Health Information For Calendar Years 2011 and ...

In its most recent legislative session, the Kentucky General Assembly enacted two new data breach laws, HB 5 and HB 232, which go into effect July 15, 2014. Kentucky governmental agencies, those doing business with governmental agencies, and persons simply doing business in Kentucky should be aware of these added data security and breach ...

Updated May 1, 2014 at 5:30 pm

The old weather proverb about March, in like a lion and out like a lamb, hit April in the reverse in the world of cyber security.  While the first six days of April seemed relatively calm in the cyber world, on Monday, April 7, 2014, the Heartbleed flaw in encryption security was announced (see our previous post here).  ...

Heartbleed creates cyber security vulnerability for health information technology supported by certain OpenSSL encryption technology. This article reports on the flaw and available resources to address the issue.

Saturday, March 1, 2014, is the deadline for entities covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to report to the U.S. Department of Health & Human Services Office for Civil Rights (OCR) all "small breaches" of unsecured protected health information that occurred during 2013.  Entities subject to this ...

The Puerto Rico Health Insurance Administration has fined Triple-S Salud Inc. (TSS) $6.8 million for failure to safeguard Medicare beneficiary numbers. This far exceeds any fine imposed by or settlement reached by the United States Office of Civil Rights to date for HIPAA data breaches. How did the fine reach such a staggering amount? What ...

by Ann F. Triebsch

As observers of data security enforcement are aware, the Federal Trade Commission (FTC) determined on January 16, 2014, that even entities that are already subject to the privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA) are also subject to FTC jurisdiction and ...

by Kathie McDonald-McClure and Elizabeth O'Keeffe

As we have previously reported on the Wyatt HITECH Law blog on September 14, 2013 and September 23, 2011, the Department of Health and Human Services (HHS) has had in the works, for over two years now, revisions to the Clinical Laboratory Improvement Act of 1988 (CLIA) regulations concerning whether ...

by Dan Soldato

Data breaches, particularly of consumer information and other private information, are becoming an increasing public concern and a headline in the daily news.  We regularly hear about incidents in which electronically stored customer information is lost by or stolen from businesses, including health care companies ...

Welcome to our newest contributing author, Elizabeth O'Keeffe, who prepared the following post

E-health, e-patients, social media, telehealth, telemedicine, mobile health care – what does it all mean to you as a patient?  As an employee?  As a CEO?  “Telehealth” is booming and could substantially disrupt the old-fashioned health care ...

The HITECH Act requirement that providers account for every disclosure of protected health information in the provider's electronic health record by a staff member, even if for treatment, payment and healthcare operations, is pending HHS' finalizing its proposed "accounting of disclosures" regulation. Hopefully, HHS will narrow the ...

by Margaret Young Levi and Kathie McDonald-McClure

The U.S. Department of Health & Human Services Office for Civil Rights (“OCR”) has a new acronym, “LoProCo,” relating to assessing data breaches under HIPAA, as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and the HIPAA Omnibus ...

NOTE: On February 18, 2010, we posted an article about what to do with paper medical records when converting to an electronic health record (EHR). To date, this has been the most popular article on the HITECH Law Blog. We decided to re-review the topic, update it, and repost it. Actually, not much has changed in the way of the law applicable to this ...

More and more, health care providers are employing laptops, tablets, smartphones and other portable electronic devices in their work. And more and more, laptops and other portable electronic devices are involved in breaches of patient data. According to the Office of Civil Rights (OCR) website, 265 (or 39%) of the 674 total data breaches ...

Late last week the Office for Civil Rights (OCR) of the United States Department of Health & Human Services (HHS) announced a delay in its enforcement of the requirement that certain laboratories revise their notices of privacy practices (NPPs). 

As we have previously posted on the HITECH Law Blog, HHS has in the works revisions to the Clinical ...

by Ann F. Triebsch

We’ve all heard about HIPAA privacy breaches until we think there couldn’t be anything else to worry about. Think again—the Federal Trade Commission (FTC) is prosecuting privacy breaches in the health care industry as a violation of Section 5 of the FTC Act. The Department of Health and Human Services (HHS) Office of ...

by Margaret Young Levi

Reminder: the clock is ticking for covered entities and business associates to come into compliance with new requirements under HITECH-HIPAA Omnibus Rule.  Monday, September 23, 2013 is the deadline for covered entities and business associates to put into place new Business Associate Agreements (“BAAs”).  As we ...

It has been widely reported that WellPoint Inc. recently agreed to pay a $1.7 million fine to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy and Security Rules. The U.S. Department for Health & Human Services’ (“HHS”) press release asserts that WellPoint failed to ...

The U.S. Department for Health & Human Services (HHS) announced it is releasing technical corrections to the HIPAA Omnibus Rule tomorrow. These technical corrections are "to address public comment received on the interim final Breach Notification Rule, and to make certain other modifications to the HIPAA Rules to improve their workability ...

The final HIPAA-HITECH Omnibus Rule (Omnibus Rule), released in January, substantially increases the privacy responsibilities of a business associate that receives protected health information, such as contractors and subcontractors.  These new requirements will need to be reflected in business associate agreements (BAAs) between the ...

by Ann F. Triebsch

Friday, March 1, is the deadline for HIPAA covered entities to report to HHS small breaches of unsecured protected health information that occurred in 2012. A small breach includes fewer than 500 individuals. Affected individuals must be notified within 60 days of the breach’s discovery, but the breach also must be reported ...

by Ann F. Triebsch

(Updated January 27, 2013)

On January 17, 2013, the Department of Health & Human Services (HHS), Office for Civil Rights (OCR), released the final HIPAA Omnibus Rule (Omnibus Rule) implementing the HITECH Act of 2009 and the Genetic Information Nondiscrimination Act of 2008 (GINA). The Omnibus Rule greatly enhances a ...

“Rumor has it” that the long-awaited HIPAA-HITECH Omnibus Rule under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) will be released the week of January 21st or 28th. While similar rumors have abounded for many months, this one may have some merit.

It is reasonable to expect the Office of Management ...

On Thursday, October 4, 2012, in a letter to Secretary Sebelius of the United States Department of Health & Human Services (HHS), the United States House GOP called on HHS to suspend incentive payments for the adoption and implementation of electronic health records (EHRs) otherwise authorized under the Health Information Technology for ...

The promised audits have begun for providers receiving electronic health records (EHR) incentives available under the Health Information Technology for Economic and Clinical Health (HITECH) Act. 

In order to receive Medicare EHR incentive payments, providers must attest to CMS that they meet Meaningful Use (MU) criteria using certified ...

On June 22, 2012, the Office of Management and Budget (OMB) announced that it was delaying release of the HIPAA Omnibus Final Rule (HIPAA Rule) under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) from a projected early July date, to a future unspecified date.  

The much-anticipated HIPAA Rule contains ...

In our November 2011 blog post, we told you about the launch of HIPAA privacy and security audits mandated by Section 13411 of the Health Information Technology for Economic and Clinical Health Act (HITECH Act). KPMG, Inc. was awarded the contract to develop the audit protocol and conduct these audits last fall and, on March 1, 2012, completed its ...

The Office of the National Coordinator for Health Information Technology (ONCHIT) recently released a 47-page Guide to Privacy and Security of Health Information.  The Guide provides direction to providers on protecting patient privacy and securing their health information in an electronic health record (EHR) for purposes of complying with ...

Section 13411 of the Health Information Technology for Economic and Clinical Health Act (HITECH Act) requires the United States Department of Health & Human Services (HHS) to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification ...

After the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, the interest in storing and accessing health information online increased, prompting increased concerns about the privacy and security of such information.  In September 2011, the Office of the National Coordinator for Health ...

On September 12, 2011, the Office of National Coordinator (ONC) for the United States Department of Health & Human Services (HHS) announced a Proposed Rule that will enable direct access to laboratory test results by patients.  Under the Clinical Laboratory Improvement Amendments of 1988 (CLIA), laboratories must hold a CLIA certificate ...

SUMMARY: In June 2011, the United States Department of Health & Human Services (HHS) Office of Civil Rights (OCR) contracted for new periodic audits of covered entities and business associates to ensure compliance with the Privacy and Security Standards found in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as ...

The health care reform law is massive, and it will take time for employers to develop appropriate plans for compliance. The first transformative step in health care reform actually started with the American Recovery and Reinvestment Act of 2009 (ARRA), which included the Health Information Technology for Economic and Clinical Health Act ...

The following statement was recently posted on the U.S. Department of Health & Human Services' Office of Civil Rights website:  

"The Interim Final Rule for Breach Notification for Unsecured Protected Health Information, issued pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, was published in ...

HHS Office of Civil Rights updates its breach notification webpage, which includes reports of 107 breach incidents involving protected health information. Theft of laptops, desktop computers, portable devices and network servers ranks #1.

On Thursday, July 8, 2010, the United States Department of Health & Human Services (HHS) held a press briefing to announce "significant modifications" through proposed rulemaking to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) pursuant to the Health Information Technology for Economic and Clinical Health Act of ...

On May 13, 2010, the United States District Court for the Southern District of New York rejected the privacy challenge to the Health Information Technology for Economic and Clinical Health Act (HITECH Act) asserted by Beatrice M. Heghmann, a registered nurse, and Robert A. Heghmann, her husband and attorney, against Kathleen Sebelius ...

Editor's Note: Due to the continued popularity of this post, this article was reviewed and updated on September 30, 2013. For the later version, click here.

Update: On August 8, 2010, Medicare issued MLN Matters Article SE1022 on Medical Record Retention and Media Formats for Medical Records, which states that the Centers for Medicare ...

The Office of National Coordinator for Health Information Technology (ONC) and its HIT Policy Committee worked hard throughout the summer to develop a framework for the "meaningful use" standards required to qualify for electronic health record (EHR) adoption stimulus funds available under the Health Information Technology for ...

In a letter to State Survey Agency Directors dated August 14, 2009, the Centers for Medicare and Medicaid Services (CMS) gave state surveyors guidance regarding surveys of facilities that use electronic health records (EHRs).  CMS first stated its support and commitment to the goal that, by 2014, most Americans "will have access to health ...

On August 17, 2009, the Federal Trade Commission (FTC) issued its final rule requiring vendors of "personal health records" to notify consumers when the security of their electronic health information is breached.  On August 19, 2009, the U.S. Department of Health and Human Services (HHS) issued its interim final rule requiring health care ...

On June 16, 2009, on the same date the ONC HIT Policy Committee released the first draft of "meaningful use" of electronic health records (EHRs), the Centers for Medicare and Medicaid Services (CMS) launched the CMS Health Information Technology Website to address health information technology (Health IT or HIT) under the ARRA's Health ...

Article Summary:  The Federal Trade Commission's Red Flags Rule for identity theft applies to most health care providers according to the FTC's current guidance. The FTC makes a clear attempt under the Rule to regulate medical identity theft, as opposed to credit identity theft. The result is that the FTC will have regulatory authority in an ...

On June 9, 2009, from 2:30 pm to 4:00 pm EDT, the Centers for Medicare & Medicaid Services (CMS) will host a national education conference call to address Medicare’s FFS implementation of HIPAA Version 5010. CMS is conducting this call for all Medicare fee-for-service (FFS) providers. The call is to give a general overview of Medicare’s ...

Learn more by attending the Kentucky Chamber's event, "Understanding the ARRA" on June 2, 2009 at the Griffin Gate Marriott Resort & Spa in Lexington, KY. Carole Christian of Wyatt, Tarrant & Combs, LLP, will discuss HIPAA privacy and security changes brought about by provisions under the ARRA and specifically HITECH.  Her discussion ...

Welcome to my new "HITECH" blog. This blog will track key developments at the federal and state (Kentucky) levels under the American Recovery and Reinvestment Act of 2009 (ARRA) related to that part of ARRA titled, "Health Information Technology for Economic and Clinical Health Act" (HITECH).  My primary interest in HITECH concerns the stimulus ...
