This afternoon, HHS released the attached omnibus final rule modifying the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules as required the Health Information Technology Economic and Clinical Health (HITECH) Act and the Genetic Information Nondiscrimination Act (GINA).
Notably, the final rule makes business associates of covered entities directly liable for certain HIPAA Privacy and Security rule requirements; expands individuals’ right to receive electronic copies of their health information; incorporates an increased tiered and civil money penalty structure as provided by the HITECH Act; changes to the “harm” definition included in the HIPAA Breach Notification interim final rule; and modifies the HIPAA Privacy Rule as required by GINA.
Link: HIPAA Final Rule
Covered Entities and HIPAA practitioners should be aware that the Office of Civil Rights (OCR) has issued guidance about methods and approaches to achieve de-identification in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. The full text is available here:
On June 7, 2012, at the annual Safeguarding Health Information: Building Assurance through HIPAA Security Conference hosted in Washington, D.C. by the Department of Health and Human Services Office for Civil Rights (“OCR”) and the National Institute of Standards and Technology (“NIST”), OCR Director Leon Rodriguez said that, given HIPAA’s 15-year history and the substantial technical assistance OCR and NIST have provided covered entities, tolerance for HIPAA non-compliance is “much, much lower” than it has been in the past.
In his remarks, Director Rodriguez indicated that the final omnibus rule modifying the HIPAA Privacy, Security and Enforcement Rules is “very close.” Director Rodriguez reiterated that the modifications will include extending HIPAA liability to business associates, but emphasized that business associates should not wait for the final rule to be enacted to focus on compliance. This is particularly true, according to Director Rodriguez, in light of the ability of state Attorneys General to enforce the Health Information Technology for Economic and Clinical Health Act (the “HITECH” Act), as evidenced by Minnesota Attorney General Lori Swanson’s recent lawsuitagainst Accretive Health, a business associate that suffered a security breach compromising patient data. Director Rodriguez stated that he would not be surprised if other state Attorneys General began enforcing the HITECH Act in the business associate context.
By Amy Crafts
Following a two year investigation by the Massachusetts Attorney General’s Office (“AGO”), a local Massachusetts hospital has agreed to pay $775,000 to resolve allegations that it failed to protect the personal and confidential health information of more than 800,000 consumers. The investigation and settlement resulted from a data breach disclosed by South Shore Hospital in 2010, where the information disclosed included individuals’ names, Social Security numbers, financial account numbers and medical diagnoses.
In February 2010, South Shore Hospital retained a third-party service provider to erase 473 unencrypted back-up tapes that contained the personal information and protected health information of over 800,000 individuals. While the third-party service provider was retained before the Regulations were implemented, the AGO noted that South Shore Hospital did not notify the third-party service provider that the tapes contained such sensitive information, and also did not verify that the third-party service provider had adequate safeguards in place to protect the sensitive information.
In June 2010, South Shore Hospital learned that only one of the boxes was accounted for, and that two of the boxes were missing. There have been no reports of unauthorized use of the personal information or protected health information to date. An investigation conducted by South Shore Hospital indicated that the back-up tapes were likely disposed of in a secure commercial landfill and were therefore unrecoverable.
Full Story via Proskauer Privacy Blog
The Health Insurance Portability and Privacy Act of 1996 (HIPAA) is 15 years old this year – still acting a bit like an uncertain, wide-eyed teenager responding to new developments. Although more mature, clarified by regulations, and supplemented by the HITECH Act, at its core HIPAA has remained relatively unchanged since its enactment. Societal changes implicating HIPAA, however, have been significant. Over the past five years alone, we saw the rise of Facebook, the domination of Google, and the introduction of powerful personal electronic devices such as Apple’s iPhone and iPad. In addition, technologies such as cloud computing, wireless communication, and telemedicine have reached a level of reliability and affordability that has allowed healthcare providers to expand their reach and services. With every emerging technology, the specter of HIPAA compliance remains a key concern, while its application becomes more murky.
Read the full article here: HIPAA and Emerging Technologies Article
At the annual meeting of the Office of the National Coordinator for Health IT yesterday, Leon Rodriguez, the director of the HHS Office for Civil Rights (OCR), said he "fully expects" the government will institute a permanent HIPAA compliance audit program after the current pilot program wraps up in 2012,GovInfoSecurity reports. The agency will conduct 150 audits over the next 11 months. Rodriguez said the audits are intended to help entities improve compliance with HIPAA. During his presentation, he also addressed the call by Sen. Al Franken (D-MN) for the OCR to "hurry up" and release its final rules for HIPAA modifications. "We indeed are hurrying up," Rodriguez said.
Hospitals are facing increased scrutiny over the privacy of patient medical records. An investigation by HHS’s Office of Civil Rights concluded that a Southern California hospital failed to reasonably restrict access to patient information to only those employees with a valid reason to view the information. A link to the OCR's decision is here. As part of the settlement with Department of Health and Human Services, the hospital must implement new privacy and security policies approved by OCR, to conduct regular trainings for all employees with access to protected health information, to sanction offending employees, and to designate an independent monitor who will assess the hospital’s compliance over the next 3 years.
Interestingly enough, this settlement comes on the heals of a dramatic increase in enforcement activity by the HHS. The most recent enforcement action is the third major settlement to be announced this year. In fact, the first monetary penalty imposed by the HHS for violations of the HIPAA Privacy took place on February 22, 2011 when HHS fined Cignet $4.3 million for failing to provide 41 patients with access to their medical records. That same month, Massachusetts General Hospital paid the HHS $1 million in connection with the loss of 192 billing records for HIV/AIDs patients. The HHS confirmed the renewed focus on HIPAA violations in a statement by OCR’s Director Georgina Verdugo stating, "We hope the healthcare industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement."
As a result, covered entities should take this opportunity to take a close look at their HIPAA compliance programs in light of the HHS’s increased enforcement efforts.
The Office of the National Coordinator for Health Information Technology (ONC) is requesting public comment on its Federal Health Information Technology Strategic Plan: 2011-2015. ONC updated the Plan (last published in 2008) to reflect the major changes to health IT policy contained in the HITECH Act and the Affordable Care Act. The Plan, which reflects ONC’s strategy for realizing Congress’s and the Administration’s health IT agenda over the next five years, focuses on, among other things, new privacy and security protections for electronic health records.
Specifically, Goal III of the Plan highlights efforts to update the government’s approach to privacy and data security issues related to health IT and to foster greater confidence and trust in electronic health records and health information exchange among providers and the public. These efforts will include a major investment in education and outreach strategy to improve the public’s understanding of electronic health information, how this information can be used, and the privacy and security requirements under the HIPAA regulations.
ONC will accept comments on the Strategic Plan through April 22, 2011.
Source: Rachel Grunberge at Inside Privacy
Massachusetts General Hospital and its physicians organization have agreed to pay the federal government $1,000,000 to settle claims related to a worker leaving personal health documents on the subway.
“To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules,” HHS Office of Civil Rights Director Georgina Verdugo said in a statement. “A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents.”
The settlement stems from a 2009 complaint from a patient whose personal health information was lost. The federal government subsequently opened an investigation and found that records from 192 patients of Mass General’s Infectious Disease Associates outpatient practice, including patients with HIV/AIDS, were lost. It was determined that a Mass General employee had left the records on the MBTA while commuting to work on March 9, 2009.
Source: Boston Business Journal.
HIPAA-covered entities need to be aware of new regulations issued this week that require public disclosure of data breaches. The U.S. Department of Health and Human Services has issued new regulations that require providers, health plans, and other HIPAA-covered entities to notify individuals when their health information is breached.
Data breaches involving protected health information must be reported to the Department of Health and Human Services. Breaches affecting less than 500 individuals can be reported to the HHS secretary on an annual basis. However, breaches that affect more than 500 individuals must be promptly disclosed to the affected individuals, the HHS secretary, and the media.
Principal Deputy Director of the HHS Office Robinsue Frohboese has said that “The new federal law ensures that covered entities and business associates are accountable to the department and to individuals for proper safeguarding of the private information entrusted to their care. These protections will be a cornerstone of maintaining consumer trust as we move forward with meaningful use of electronic health records and electronic exchange of health information.”
These regulations were issued pursuant to provisions of the Health Information Technology and Economic and Clinical Health Act, which was signed into law in February 2009 by President Obama.
Originally Posted by Scott Koller at Life, Heath and Disability Insurance Blog