
Total Articles: 7

HIPAA Privacy and Security Audits Begin in November 2011

The HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, requires the United States Department of Health and Human Services (“HHS”) to perform periodic audits of covered entities and business associates to ensure compliance with the privacy and security rules under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Starting in November 2011, the HHS’s Office of Civil Rights (“OCR”) will begin a pilot audit program, which includes auditing up to 150 covered entities. All covered entities may be subject to an audit, and OCR has stated that it intends to audit a wide range of covered entities, including healthcare providers and health plans of all sizes, during the pilot program.

HHS Releases Proposed Changes To HIPAA Privacy, Security And Enforcement Rules.

On July 14, 2010, Secretary Kathleen Sebelius of the United States Department of Health and Human Services (HHS) published notice in the Federal Register of proposed rulemaking aimed at "strengthening" the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy, security and enforcement regulations (collectively referred to as the "HIPAA Rules"), as required by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which was enacted as a part of the American Recovery and Reinvestment Act of 2009. In highlighting the changes, Secretary Sebelius emphasized that as health information technology systems assist the United States in moving the health care system forward, "the privacy and security of personal health data is at the core of all our work."

HHS Proposes Changes to HIPAA Privacy, Security and Enforcement Regulations.

Contained within the 2009 stimulus package known as the American Recovery and Reinvestment Act is the Health Information Technology for Economic and Clinical Health Act (HITECH). Among other things, HITECH supplemented and broadened a number of the privacy and security requirements under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). On July 14, 2010, the Department of Health and Human Services, Office of Civil Rights (OCR), issued a notice of proposed rulemaking (NPRM) implementing certain provisions of HITECH.

Health and Human Services' Proposed Rule to Modify the HIPAA Privacy, Security, and Enforcement Rules.

On July 14, 2010, the Department of Health and Human Services (HHS) published a Proposed Rule outlining modifications to the Privacy, Security, and Enforcement Rules (HIPAA Rules) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Many of the proposed modifications to the HIPAA Rules are based on requirements imposed by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted on February 17, 2009, as part of the American Recovery and Reinvestment Act, while other modifications are technical corrections to the HIPAA Rules. This legal alert will focus on the more substantive proposed changes related to business associates, the Privacy Rule, the Security Rule, and the Enforcement Rule.

Department of Health and Human Services Issues Breach Notification Rules for Unsecured Protected Health Information.

On August 24, 2009, the Department of Health and Human Services ("HHS") issued its interim final rule with regard to breach notification requirements for unsecured protected health information. Under the Health Information Technology for Economic and Clinical Health (HITECH) Act, which is part of the American Recovery and Reinvestment Act of 2009, HHS was required to issue interim final regulations regarding notification provisions in the event of a breach of unsecured protected health information. Generally, the HITECH Act requires HIPAA covered entities (i.e. health plans, health care providers who transmit certain transactions electronically and health care clearinghouses) to provide notification to affected individuals upon the discovery of a breach of unsecured protected health information. A notice is also required to be sent to a major media outlet if more than 500 individuals within a state or jurisdiction are impacted by the breach. Additionally, covered entities are required to notify HHS in the event of a breach of unsecured protected health information impacting 500 or more individuals.

Privacy Notice Reminder.

Group health plans that were required to comply with privacy requirements of the Health Insurance Portability and Accountability Act (HIPAA) by April 14, 2003 (i.e., large health plans) now have an obligation to notify individuals who are covered by the plan that the privacy notice is available, and to tell them how to obtain the notice. This reminder notice must be sent at least once every three years.

HIPAA Compliance Reminders (pdf).

The HIPAA Privacy Rule requires employers who sponsor a group health plan to notify plan participants at least once every three years of the availability of the plan's Notice of Privacy Practices (Privacy Notice) and of how to obtain a copy of the Privacy Notice.