Data Privacy & Security/HIPAA/HITECH

This post was provided by Debbie Juhnke in Husch Blackwell’s Information Governance group.

According to a recent KPMG report on data loss, the healthcare industry’s greatest exposures for data loss are hard copy loss/theft, PC theft, and social engineering, ranking first (in a tie), second, and third against other sectors respectively for percentage of data

Cyber security is on everyone’s mind.  President Obama signed an executive order in February aimed at increasing protection of our nation’s critical infrastructure, while HHS released its new HIPAA mega rule in January (effective in March) in an effort to strengthen the security of electronic health records.  As providers work to update their HIPAA policies

On Thursday, March 7, 2013, the Office of the National Coordinator for Health Information Technology and the Centers for Medicare and Medicaid Services (CMS) released a notice and request for information concerning using additional policy levers to accelerate the adoption of electronic health record systems (EHRs). In part, the agencies are looking to increase the number of provider practices satisfying the core requirements for Meaningful Use under the Health Information Technology for Clinical and Economic Health (HITECH) Act.

In the notice, the agencies state that they are looking to accomplish this acceleration by “engaging other policy areas” within the jurisdiction of the U.S. Department of Health & Human Services (HHS), and may include a combination of incentives, payment adjustments, and new requirements. The agencies have identified three main areas in which to use the policy levers:

  • Low rates of EHR adoption and exchange of health information among post-acute and long-term care providers;

On January 17, 2013, the Office for Civil Rights of the U.S. Department of Health & Human Services issued its final rule modifying the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy, security, enforcement, and breach notification rules under the Health Information Technology for Economic and Clinical Health (HITECH) Act. The final rule

Pediatric critical care transport teams at the Alfred I. duPont Hospital for Children in Wilmington, Delaware participated in a study using iPads to communicate about the patient’s condition prior to and during transport.  The study, which was funded by the Nemours Fund for Children’s Health, found that use of iPads provided better communication between the transport

The Long-Awaited HIPAA Omnibus Rule was just issued by HHS.

Brown McCarroll is reviewing the 563-page prepublication version of the new HITECH Act rules. Of importance, there are new requirements for business associates and their subcontractors, as well as significant changes for hospitals and health systems, including provisions requiring changes to the Notice

Recently, the U.S. Department of Health and Human Services (HHS) announced a settlement with the Hospice of North Idaho (HONI) for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.  The settlement, which was for $50,000, is unique because it is the first settlement involving a breach of electronic

The Director of the Office of Civil Rights (“OCR”), Leon Rodriguez, has made clear that he “absolutely” plans to continue the office’s ongoing efforts to ramp up enforcement of HIPAA with resolution agreements, civil monetary penalties and other enforcement actions. He has emphasized that privacy and security are issues that “really matter to me personally

The Department of Health and Human Services Office for Civil Rights (OCR) recently released the protocol it developed as a guideline for conducting the HIPAA privacy, security and breach notification audits mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act enacted in 2009. The OCR launched the audit program in 2011 and developed the protocol based on the first 20 audits completed under the program. Three of the initial audits were performed on group health plans, highlighting that employer-sponsored group health plans are subject to the Health Insurance Portability and Accountability Act (HIPAA) as covered entities and are subject to audit under the protocol. The audit program represents a significant shift in HIPAA enforcement from the largely reactive, complaint-based enforcement of the past to proactive compliance monitoring.

The pilot phase of the audit program began in November 2011 and is expected to include audits of 115 covered entities by December 2012. HITECH extended HIPAA compliance requirements to business associates and, therefore, business associates are expected to be included in the audit program following publication of the final HITECH regulations. The OCR indicated that funds have already been appropriated to carry out the audit program in 2013 and 2014.

The Alaska Department of Health and Human Service, the state’s Medicaid agency, has agreed to pay the U.S. Department of Health and Human Services (HHS) $1.7 million to settle possible violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.  According to a press release issued by the Office of Civil