
Total Articles: 30

Department of Health and Human Services Commences HIPAA Pilot Audit Program

Among other things, 2012 will be the year of the Department of Health and Human Services ("HHS") Office of Civil Rights ("OCR") pilot audit program to assess compliance with the Health Insurance Portability and Accountability Act ("HIPAA") Privacy and Security Rules and Breach Notification standards. The American Recovery and Reinvestment Act of 2009, in Section 13411 of the HITECH Act, required that HHS conduct periodic audits to monitor and ensure compliance with HIPAA. OCR will implement this requirement through a pilot program of 150 audits from November 2011 through December 2012, including an initial wave of 20 audits that will inform how the remaining audits will be conducted. OCR has established a HIPAA Audit Program website.

Are You Ready for a HIPAA Audit?: OCR's HIPAA Audit Program is Underway

Executive Summary: The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) recently launched a pilot audit program as part of its HIPAA enforcement efforts. OCR intends to audit a range of HIPAA-covered entities and plans to use resulting audit reports to determine what types of technical assistance should be developed and what types of corrective action are most effective. Audits conducted during the pilot phase will conclude by December 2012. In addition to the audit program, OCR will continue to accept HIPAA-related complaints from individuals.

HIPAA Privacy and Security Audits Begin in November 2011

The HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, requires the United States Department of Health and Human Services (“HHS”) to perform periodic audits of covered entities and business associates to ensure compliance with the privacy and security rules under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Starting in November 2011, the HHS’s Office of Civil Rights (“OCR”) will begin a pilot audit program, which includes auditing up to 150 covered entities. All covered entities may be subject to an audit, and OCR has stated that it intends to audit a wide range of covered entities, including healthcare providers and health plans of all sizes, during the pilot program.

HHS ANNOUNCES IMMEDIATE HIPAA AUDIT INITIATIVE

The Office for Civil Rights ("OCR") of the Department of Health and Human Services has announced an audit initiative under which it intends to conduct audits of up to 150 covered entities to review compliance with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). The audit will focus on the HIPAA privacy and security requirements. The OCR will select a broad range of entities, including health plans and health care providers of all sizes. HIPAA audits begin immediately.

Dramatic Increases In HIPAA Privacy And Security Enforcement

Health and Human Services' (HHS) Office for Civil Rights (OCR) has sent a strong message about its commitment to enforcement of the HIPAA Privacy and Security Rules by announcing two HIPAA Privacy Rule enforcements within one week, one of which includes the first ever use of civil monetary penalties for a HIPAA Privacy Rule violation.

HHS Imposes First Civil Monetary Penalty for HIPAA Violation

In the first civil monetary penalty (CMP) imposed by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) for a covered entity’s violation of the provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), HHS notified Cignet Health, Cignet Health Center, Cignet Health Plan, and/or Cignet Health Care (Cignet) in a Notice of Final Determination, dated February 4, 2011, that Cignet had violated HIPAA and was subject to a CMP in the amount of approximately $4.3 million.

Mass General Hospital Pays $1 Million to Settle Potential HIPAA Violations.

On February 14, 2011, The General Hospital Corporation and Massachusetts General Physician Organization, Inc. (Mass General) entered into a Resolution Agreement with the U.S. Department of Health and Human Services (HHS), Office of Civil Rights (OCR) to settle claims that Mass General violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) by failing to safeguard the protected health information (PHI) of 192 patients of Mass General’s Infectious Disease Associates outpatient practice, including patients with HIV/AIDS.

SIGNIFICANT MONETARY PENALTIES ASSESSED FOR HIPAA VIOLATIONS

The U.S. Department of Health and Human Services (HHS) has recently imposed significant penalties against two entities for violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), signaling the government's intent to seriously enforce the HIPAA privacy requirements. In one case, Cignet Health (Maryland) was fined $4.3 million for failing to comply with the HIPAA requirement to provide patients with access to their medical records (specifically, $1.3 million for failing to provide the records and $3 million for not cooperating with the government's investigation). The allegations involved the alleged failure of Cignet to provide 41 individuals access to their records between September 2008 and October 2009. During the course of the investigation, the Office for Civil Rights (OCR) of HHS (the HHS office responsible for enforcing HIPAA privacy requirements) determined that Cignet willfully neglected its obligation to cooperate with OCR and did not attempt to resolve the patient issues. The penalty, which was significant in amount, is the first such assessment by HHS for failure to comply with the HIPAA requirements.

HHS Releases Proposed Changes To HIPAA Privacy, Security And Enforcement Rules.

On July 14, 2010, Secretary Kathleen Sebelius of the United States Department of Health and Human Services (HHS) published notice in the Federal Register of proposed rulemaking aimed at "strengthening" the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy, security and enforcement regulations (collectively referred to as the "HIPAA Rules"), as required by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which was enacted as a part of the American Recovery and Reinvestment Act of 2009. In highlighting the changes, Secretary Sebelius emphasized that as health information technology systems assist the United States in moving the health care system forward, "the privacy and security of personal health data is at the core of all our work."

HHS Proposes Changes to HIPAA Privacy, Security and Enforcement Regulations.

Contained within the 2009 stimulus package known as the American Recovery and Reinvestment Act is the Health Information Technology for Economic and Clinical Health Act (HITECH). Among other things, HITECH supplemented and broadened a number of the privacy and security requirements under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). On July 14, 2010, the Department of Health and Human Services, Office of Civil Rights (OCR), issued a notice of proposed rulemaking (NPRM) implementing certain provisions of HITECH.

Health and Human Services' Proposed Rule to Modify the HIPAA Privacy, Security, and Enforcement Rules.

On July 14, 2010, the Department of Health and Human Services (HHS) published a Proposed Rule outlining modifications to the Privacy, Security, and Enforcement Rules (HIPAA Rules) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Many of the proposed modifications to the HIPAA Rules are based on requirements imposed by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted on February 17, 2009, as part of the American Recovery and Reinvestment Act, while other modifications are technical corrections to the HIPAA Rules. This legal alert will focus on the more substantive proposed changes related to business associates, the Privacy Rule, the Security Rule, and the Enforcement Rule.

HIPAA Training: An Often Underutilized Tool in an Organization's Effort to Prevent Breaches.

On February 17, 2009, the Health Information Technology for Economic and Clinical Health Act, also known as the HITECH Act, was signed into law. The HITECH Act was one of the provisions contained in President Obama's American Recovery and Reinvestment Act (ARRA), which, in addition to describing Federal initiatives designed to encourage the use of health information technology, made some significant changes to the existing Privacy and Security Regulations that are a part of the Health Insurance Portability and Accountability Act, or HIPAA. These changes, many of which became effective in February 2010, include new rules regarding an individual's right to receive an accounting of disclosures of their protected health information (PHI), provisions regarding business associate accountability and liability, and new limitations on the use and disclosure of PHI. The HITECH Act strengthened HIPAA's enforcement provisions by, among other things, giving State attorneys general the right to bring civil actions in federal courts for violations of the privacy and security rules, and also increased HIPAA's penalty provisions by creating a tiered penalty approach to violations, such that the more severe the violation, the higher the penalty. For example, whereas prior to the passage of the HITECH Act the U.S. Department of Health and Human Services (HHS) could have imposed a fine of not more than $25,000 per entity per calendar year, penalties now can be as high as $1.5 million per entity per calendar year.

Health FSA Uniform Coverage Rule Precludes Recoupment.

In 1989, when the Internal Revenue Service wrote the first proposed regulations for health flexible spending accounts (FSAs), it came up with the requirement that health FSAs must exhibit the risk-shifting and risk-distribution characteristics of insurance. This concept has been translated into the uniform coverage rule.

Employers May Need to Monitor Compliance of Business Associates with HITECH Act.

The American Recovery and Reinvestment Act of 2009 is commonly known for its provisions designed to stimulate a flagging economy. However, the Act's Title XIII (known as the "Health Information Technology for Economic and Clinical Health Act" or "HITECH Act") has another purpose: to impose obligations under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") directly on business associates (as defined under HIPAA) with respect to the way they handle certain health-related information in connection with an employer's health plan, and to impose civil or criminal penalties for any violations of those obligations. This Alert discusses how business associates are affected by the HITECH Act and what employers should do to monitor the compliance of business associates under the HITECH Act.

Online Reporting Under HIPAA Breach Notification Rule Required by Department of Health and Human Services

In August 2009, the Department of Health and Human Services (HHS) issued its interim final rule with regard to requirements for notification in the event of a breach of unsecured protected health information (PHI). Among other notification requirements (including notice to impacted individuals and in some cases notice to the media), the interim final rule requires covered entities (i.e. health plans, healthcare clearinghouses or certain health care providers) to provide notice to HHS of any breach of unsecured PHI:

HIPAA Breach Notification Rules.

Department of Health and Human Services Issues Breach Notification Rules for Unsecured Protected Health Information.

On August 24, 2009, the Department of Health and Human Services ("HHS") issued its interim final rule with regard to breach notification requirements for unsecured protected health information. Under the Health Information Technology for Economic and Clinical Health (HITECH) Act, which is part of the American Recovery and Reinvestment Act of 2009, HHS was required to issue interim final regulations regarding notification provisions in the event of a breach of unsecured protected health information. Generally, the HITECH Act requires HIPAA covered entities (i.e. health plans, health care providers who transmit certain transactions electronically and health care clearinghouses) to provide notification to affected individuals upon the discovery of a breach of unsecured protected health information. A notice is also required to be sent to a major media outlet if more than 500 individuals within a state or jurisdiction are impacted by the breach. Additionally, covered entities are required to notify HHS in the event of a breach of unsecured protected health information impacting 500 or more individuals.

HHS Issues HIPAA Security-Breach-Notification Rules: Compliance Deadline Looming

On August 24, 2009, the Department of Health and Human Services (HHS) issued interim final rules regarding the new security-breach-notification requirement of the Health Insurance Portability and Accountability Act (HIPAA). Covered entities and their business associates (service providers to covered entities) only have 30 days after publication (or until September 23, 2009) to comply with these new rules.

A HITECH World - New Law Expands HIPAA Enforcement Power.

The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law on February 17 as part of the American Recovery and Reinvestment Act of 2009 (H.R. 1), also known as the economic stimulus bill. The legislation was designed to advance the use of health information technology, such as electronic health records.

Privacy Notice Reminder.

Group health plans that were required to comply with privacy requirements of the Health Insurance Portability and Accountability Act (HIPAA) by April 14, 2003 (i.e., large health plans) now have an obligation to notify individuals who are covered by the plan that the privacy notice is available, and to tell them how to obtain the notice. This reminder notice must be sent at least once every three years.

Stimulus Bill's HIPAA Changes.

The American Recovery and Reinvestment Act (ARRA), signed by President Obama into law on February 17, 2009, included changes to the health information privacy and security rules under HIPAA, the Health Insurance Portability and Accountability Act of 1996.

Economic Stimulus Act Impacts HIPAA Requirements.

The American Recovery and Reinvestment Act ("ARRA"), signed into law on February 17, 2009, includes significant changes to the Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). Below are highlights of some of the significant changes and their effective dates.

HEART Act Guidance Clarifies Health FSA Distributions For Reservists.

Under new guidance issued by the Internal Revenue Service (IRS), employers will more easily be able to allow workers who have been called up to active military duty to take full advantage of qualified reservist distributions from their health flexible spending accounts (FSAs).

Court Finds FSA Administrator Violated ERISA by Providing Misleading Benefit Documents.

A federal court in New Jersey has held that a flexible spending account (FSA) plan administrator violated ERISA by providing plan benefit documents that did not clearly state when a medical expense would be deemed incurred under the plan.

New HIPAA Wellness Regulations.

In 2006, the IRS, HHS and DOL issued HIPAA regulations for wellness programs, outlining how those programs should be designed.

HIPAA Compliance Reminders (pdf).

The HIPAA Privacy Rule requires employers who sponsor a group health plan to notify plan participants at least once every three years of the availability of the plan's Notice of Privacy Practices (Privacy Notice) and of how to obtain a copy of the Privacy Notice.

New HIPAA Compliance Requirements for Group Health Plans (pdf).

Employers who sponsor and administer employee health plans need to take action to comply with two new sets of rules under the Health Insurance Portability and Accountability Act (HIPAA).

Security Rule Takes Effect (pdf).

The compliance date for the Security Rule, the next phase of HIPAA compliance, is upon us.

New HIPAA Health Care Portability Regulations (pdf).

On December 30, 2004, the Departments of Treasury, Labor and Health and Human Services jointly issued final and proposed regulations regarding the portability requirements under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").