ONC Issues Guide on HIPAA Privacy and Security and Meaningful Use

ONC has recently released a new “Guide to Privacy and Security of Health Information” which incorporates tips on complying with HIPAA Privacy and Security as well as meeting related meaningful use measures.  The guide is designed for clinical providers and focuses on the following:

  • Privacy & Security and Meaningful Use
  • Security Risk Analysis and Management Tips
  • Working with EHR and Health IT Vendors
  • A Privacy & Security 10-Step Plan
  • Health IT Privacy and Security Resources

Specifically, with regard to Meaningful Use, the guide describes Meaningful Use measures 12 and 15:

#12. Provide patients with an electronic copy of their health information (including diagnostic test results, problem list, medication lists, medication allergies) upon request.  To learn more about this measure click here.

#15. Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.  To learn more about this measure click here.

If you have questions regarding HIPAA Privacy and Security or Meaningful Use please contact Elana Zana.


$100,000 HIPAA Settlement Due to Misuse of Online Calendar & More

The U.S. Department of Health and Human Services (HHS) has entered into another settlement for the violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), this time with a small physician practice that violated HIPAA while using Internet-based calendar and email services.

Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, Arizona, has agreed to pay HHS a $100,000 settlement after it was reported that the physician practice violated HIPAA by posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible.  The HHS Office for Civil Rights’ (OCR) investigation also revealed that Phoenix Cardiac Surgery violated HIPAA by emailing patient information from an Internet-based email account to workforce members’ Internet-based email accounts.

The OCR investigation also revealed the following issues:

  • Phoenix Cardiac Surgery failed to implement adequate policies and procedures to appropriately safeguard patient information;
  • Phoenix Cardiac Surgery failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
  • Phoenix Cardiac Surgery failed to identify a security official and conduct a risk analysis; and
  • Phoenix Cardiac Surgery failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to patients’ electronic protected health information (ePHI).

Leon Rodriguez, director of OCR, said “This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules.  We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”

This settlement highlights the need for all providers, regardless of their size, to understand the implications of the technology they use in their practices, to implement policies and procedures for HIPAA compliance, and to obtain business associate agreements where needed.

A press release and more information can be found on HHS’s website.

ICD-10 – Delayed

HHS announced yesterday its intent to delay the ICD-10 requirement.  Entities covered under HIPAA were previously required to comply with ICD-10 by October 1, 2013; HHS will now push that date back to a new compliance deadline yet to be announced.  To read the complete press release click here.

Health Data Privacy Protections to Increase

As we wait for the HITECH Act updates to HIPAA to be finalized, yet another article signals the administration’s intent to strengthen privacy protections for health data: http://www.nytimes.com/2011/05/31/business/31privacy.html

Proposed Rule on Accounting of Disclosures Issued

Following much anticipation, the Office for Civil Rights released today the proposed rules on HIPAA Accounting of Disclosures implementing the new HITECH provisions.  To access the proposed rules click here.  The proposed rules were printed in the Federal Register on May 31st, and comments will be accepted for sixty days thereafter.

HHS Says Push for EHRs Overlooks Security Gaps

It seems HHS is laying the groundwork for the issuance of the updates to HIPAA privacy and security rules under the HITECH Act.  As reported May 16th in the Washington Post:

“The nation’s push to computerize medical records has failed to fully address longstanding security gaps that expose patients’ most sensitive information to hackers and snoops, government investigators warn.”

http://www.washingtonpost.com/politics/hhs-inspector-general-says-push-for-electronic-medical-records-overlooks-some-security-gaps/2011/05/16/AFpaH54G_story.html

$12 Million in New Grant Funding to Assist Physicians with EHRs

As reported in Healthcare IT News, “The Health Resources and Services Administration has made available $12 million in grants for rural healthcare network organizations to help them become meaningful users of certified electronic health records.”  According to HRSA officials, “the grants may support health IT activities, such as development of a strategic plan for electronic health records (EHRs), workforce analysis, purchase of health IT equipment and installation of broadband for connectivity.”  For more details see http://www.healthcareitnews.com/news/hrsa-puts-12m-rural-health-networks.

WSHA Publishes Updated HIPAA Law Enforcement Guide

The Washington State Hospital Association recently published an update to its Hospital and Law Enforcement Guide to Disclosure of Protected Health Information.  This guide will assist providers in assessing both HIPAA and state law when disclosing protected health information to law enforcement.  The guide also provides a sample patient authorization form.  Updates to the guide include:

  • registered domestic partnership patient information authorization;
  • when hospitals are required to make an affirmative report regarding the admission of unconscious patients; and
  • the release of information relating to involuntarily committed patients.

To access the guide click here.

Final Rule for Breach Notification Delayed

HHS announced this week that it will be delaying publication of the HIPAA breach notification final rules.  These rules were originally expected to be published in the Federal Register later this summer.  HHS is expected to delay the publication of these rules for several more months.

Below is the text of the HHS press release:

The Interim Final Rule for Breach Notification for Unsecured Protected Health Information, issued pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, was published in the Federal Register on August 24, 2009, and became effective on September 23, 2009.  During the 60-day public comment period on the Interim Final Rule, HHS received approximately 120 comments.

HHS reviewed the public comment on the interim rule and developed a final rule, which was submitted to the Office of Management and Budget (OMB) for Executive Order 12866 regulatory review on May 14, 2010.  At this time, however, HHS is withdrawing the breach notification final rule from OMB review to allow for further consideration, given the Department’s experience to date in administering the regulations.  This is a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur.  We intend to publish a final rule in the Federal Register in the coming months.

If you have questions regarding the interim breach notification rules please contact David Schoolcraft or Elana Zana.

Proposed Rules Released Regarding Business Associate Agreements and HITECH Updates to HIPAA

On July 14, 2010, the Federal Register published the “Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the HITECH Act – Proposed Rules.”  Comments related to the Proposed Rule are due on September 13, 2010 and can be submitted and accessed at www.regulations.gov.

“The proposed modifications to the HIPAA Rules include provisions extending the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities, establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes, prohibiting the sale of protected health information, and expanding individuals’ rights to access their information and to obtain restrictions on certain disclosures of protected health information to health plans.  In addition, the proposed rule adopts provisions designed to strengthen and expand HIPAA’s enforcement provisions.” – HHS

Key provisions of the Proposed Rule regarding Business Associates include:

  • Allowance of additional time to revise Business Associate agreements to bring them into compliance with the HITECH Act, including continued operation under the existing Business Associate agreements for up to one year beyond the compliance date.
  • Subcontractors of Business Associates will be required to enter into business associate agreements with the Business Associate.  A Business Associate that becomes aware of noncompliance by a subcontractor is required to respond by curing the noncompliance (breach) or terminating the agreement.
  • Business Associates will be subject to potential civil and criminal penalties.

Key provisions of the Proposed Rule regarding HIPAA include:

  • Many provisions of the HITECH Act took effect on February 18, 2010; however, OCR intends to allow 180 days after the final rules take effect for entities to come into compliance.
  • Authorization requirements for disclosures of PHI in exchange for remuneration.
  • Update to the marketing rules.
  • Restrictions on disclosures to health plans if the patient pays out-of-pocket.
  • Patient rights to receive electronic copies of their PHI.
  • Updates to the Notice of Privacy Practices.

To read more about the Proposed Rule click here.

If you have questions regarding the Proposed Rule or if you need assistance in drafting a comment please contact Elana Zana.