HIPAA Privacy and Security, and HITECH Act Breach Notification Policies and Procedures Need to be Implemented Now

At the HIMSS Conference in Orlando, FL on February 24, 2014, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) outlined its compliance audit intentions for 2014, starting with a survey of covered entities and business associates pertaining to readiness for audit.  In an earlier posting in this blog, we highlighted changes coming in May 2014 in the insurance industry that will necessitate separate cybersecurity coverage as breach coverage will be excluded from standard commercial liability policies.

OCR to Increase HIPAA Privacy, Security, Breach Notification Compliance and Enforcement in 2014

Sue McAndrew, Deputy Director for Privacy of the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), said on February 24, 2014, at the HIMSS Conference in Orlando, FL, that “’[c]ompliance and enforcement is really where the action is going to be’ in 2014” for HIPAA Privacy and Security and HITECH Act Breach Notification Rules.

OCR Announces Survey of HIPAA Covered Entities and Business Associates to Assess Suitability for Compliance Audit

The Department of Health and Human Services’ Office for Civil Rights (OCR) published in the February 24, 2014, Federal Register a Notice indicating that OCR would conduct a HIPAA Covered Entity and Business Associate [Compliance] Pre-Audit Survey, for which OCR is requesting public comment on the type of information to be collected and the collection burden.  Public comment on the Information Collection Request (ICR) is due on or before April 25, 2014.


Failure to Implement Appropriate HIPAA/HITECH Act Safeguards Puts Covered Entities and Business Associates at Risk of Breach

The importance of covered entities and business associates conducting a risk analysis, implementing safeguard policies and procedures, and training workforce members is illustrated by the February 2014 Redspin Breach Report 2013:  Protected Health Information (PHI), which is available online at:  http://www.redspin.com/resources/whitepapers-datasheets/Request-2013-Breach-Report-Protected-Health-Information-PHI-Redspin.php.

Secure Electronic Protected Health Information as Safe Harbor for Breach Notification

This posting examines the definition of unsecured protected health information and the Office for Civil Rights’ (OCR) Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals, as discussed in the January 25, 2013, Final Rule:  “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules,” which is available online at:  http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf.

Successful Breach Notification is Based on Having Administrative Requirements in Place and Meeting the Burden of Proof

An important provision of HITECH Act Breach Notification, Administrative Requirements and Burden of Proof, at 45 CFR 164.414, was not modified in the January 25, 2013, Final Rule:  “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules,” which is available online at:  http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf.  Nevertheless, the preamble or commentary in the Final Rule makes two important points about this provision:

NIST Publishes “Framework for Improving Critical Infrastructure Cybersecurity (Version 1.0)”

On February 12, 2014, the National Institute of Standards and Technology (NIST) published Version 1.0 of “Framework for Improving Critical Infrastructure Cybersecurity.”  The first two paragraphs of the Executive Summary describe the background of this document:

The HIPAA/HITECH Act Role of Subcontractors in Safeguarding Protected Health Information

The January 25, 2013, HITECH Act Final Rule that modified the HIPAA Privacy and Security Rules and the HITECH Act Breach Notification Rule and required compliance by September 23, 2013, specified that subcontractors are business associates.  [78 Federal Register 5566-5702]  The Final Rule defines subcontractor as “a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.”  [78 Federal Register 5689]

Stiff Penalties for Noncompliance with HIPAA/HITECH Act PHI Safeguards

Before enactment of the HITECH Act, civil penalties for HIPAA safeguard violations were $100 for each violation or $25,000 for all violations of the same provision in a calendar year.  [74 Federal Register 56131]  Under the HITECH Act, penalties were significantly raised and have been divided into four tiers.  The maximum penalty for all violations of an identical provision in a calendar year increased 60-fold to $1.5 million.  


HHS Publishes Final Rule Amending CLIA Program and HIPAA Privacy Rule Giving Patients Access to Test Reports

On Thursday, February 6, the Department of Health and Human Services (HHS) published in the Federal Register its Final Rule amending the Clinical Laboratory Improvement Amendments of 1988 (CLIA) and HIPAA Privacy Rule to facilitate patients’ access to their test reports.  This Final Rule is effective on April 7, 2014, and requires compliance by HIPAA covered entities by October 6, 2014.  Here is a summary of the Final Rule (79 FR 7290):
