October 2018 marks the 15th annual National Cyber Security Awareness Month. In honor of this occasion, the Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) have jointly launched an updated HIPAA Security Risk Assessment (SRA) Tool to help covered entities and business associates comply with the HIPAA Security Rule. But remember, the HIPAA Security Rule does not require a “one-size-fits-all” approach to security.
Articles Discussing HIPAA.
Secretary Tom Price of the U.S. Department of Health and Human Services (HHS) announced his agency needs “to focus more on the most recent breaches and clarify when entities have taken action to resolve the issues that might have led to their breaches.” Accordingly, HHS’ Office of Civil Rights has launched a revised web tool providing information about HIPAA breaches. The tool, the HIPAA Breach Reporting Tool (HBRT), features improved navigation helping those looking for information on breaches and ease-of-use for organizations reporting incidents. It also gives health care providers, health plans and business associates easy access to a database from which they can gain a better sense of the common types of breaches and the steps HHS is calling for in order to resolve HIPAA breach cases.
The HIPAA breach notification rule has two buckets for classifying data breaches – those that involve “protected health information” (PHI) of 500 or more individuals and those that involve fewer than 500 individuals. Since the breach notification rule became effective, the Office of Civil Rights’ (OCR) focus has been on the 500 and over bucket. But no more.
Yesterday, the federal Office for Civil Rights (OCR) announced Phase 2 of its HIPAA Audit Program (Program). In its announcement, the OCR reports that the Program is underway and provides some helpful FAQs for covered entities and business associates about the Program. Preparation is critical and there are some key points covered entities and business associates should focus on.
Earlier this month, the Office for Civil Rights (OCR) issued guidance on an individual’s right to access the individual’s health information. That an individual has a broad right to access has been recognized in the HIPAA privacy regulations since they became effective in 2003. OCR has found, however, that individuals are facing obstacles to accessing their health information, and believes this needs to change. To help covered providers, plans and business associates better understand the right to access, the agency issued a comprehensive set of frequently asked questions (FAQ). These FAQs address a number of access issues, but they also provide practical insight on some key points, one of which is summarized below.
In the last two weeks, the Office for Civil Rights (OCR) announced two substantial settlements under HIPAA that together totaled $4.35 million. These large amounts seem to be driven not by actual harm to individuals, but in significant part by alleged HIPAA compliance failures identified by OCR following investigations commenced in response to receipt of data breach reports. It is a mistake to believe that timely and otherwise compliant reporting of supposed “no harm, no foul” data breaches will result in minor, if any, enforcement activity; that is, if the agency believes you have not satisfactorily complied with the privacy and security standards.
One of your employees discloses your organization’s patient information to a soon-to-be new employer for use in generating business at the new employer’s competing business, and your company has to settle with the New York State Attorney General for HIPAA violations. Make sense?
Reality television fans and others were saddened recently when news of a Kardashian family member’s overdose hit the news. Lamar Odom, sometime beau of Khloe Kardashian, was hospitalized after the incident, and his privacy was reportedly violated when staffers at the medical center where he was treated took pictures of him. The staffers were immediately fired due to this conduct. Lamar’s plight contains a teachable lesson for those employers who must comply with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, which protects the privacy of personal health information (PHI).
Responding to a Department of Health and Human Services Office of Inspector General (OIG) report recommending stronger oversight of covered entities’ compliance with the HIPAA Privacy Rule, the Office for Civil Rights (OCR) stated that in early 2016 it will launch Phase 2 of its audit program measuring compliance with HIPAA’s privacy, security and breach notification requirements by covered entities and business associates.
According to a Bloomberg article, the second phase of HIPAA audits by the Office for Civil Rights (OCR), originally set to commence in 2014, may be coming soon. This update came at a HIPAA conference co-hosted by OCR during which OCR Director Jocelyn Samuels said the agency was in the process of confirming contact information of those entities that would be audited. Reason for the delay – budgetary limitations and gaps in personnel.
On September 2, the Office for Civil Rights (OCR) reported that it agreed to settle potential violations of the HIPAA privacy and security regulations with Cancer Care Group, Inc. The dollar amount of the settlement, $750,000, is significant, and the agreement to adopt a robust, multi-year corrective action plan under the watchful eye of the government is likely to be an unwanted strain on the business.
The Omnibus Final Rule (the “Omnibus Rule”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) was issued in January 2013, effective March 26, 2013, but with a general compliance deadline of September 23, 2013. Compliance with the Omnibus Rule required changes to many HIPAA compliance practices and related documents, including business associate agreements, the HIPAA notice of privacy practices and breach assessment policies and procedures.
On March 28, 2014, the U.S. Department of Health and Human Services launched a new security risk assessment (SRA) tool to help health care providers in small- to medium-sized offices conduct risk assessments of their organizations in order to comply with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
Summary: On October 31, 2013, the Internal Revenue Service (IRS) issued Notice 2013-71 (the “Notice”), which made two significant changes affecting the administration of cafeteria plans under section 125 of the Internal Revenue Code. First, the Notice modifies the proposed regulations under section 125 to add a limited exception to the “use it or lose it” rule for health flexible spending arrangements (“FSAs”). Next, the Notice clarifies the “transition relief” that was provided in the preamble to those regulations allowing certain participants in non-calendar-year plans to make mid-year elections that are necessitated by the Affordable Care Act, even though there may not be a “change in status.”
The U.S. Department of Health and Human Services (HHS) has made available a series of model Notices of Privacy Practices for health care providers and health plans. Changes to privacy regulations known as the HIPAA/HITECH Omnibus Final Rule went into effect in late March 2013. The safe harbor compliance period ends on September 23, 2013. Among other changes, the Omnibus Rule requires that health plans and healthcare providers notify individuals about their privacy rights regarding their personal health information. In addition, individuals have a right to be informed about their health plans’ and healthcare providers’ privacy practices.