
As for enforcement, Congress promised in ARRA “periodic audits” to ensure HIPAA compliance. Government officials told HealthLeaders Media in September they weren’t sure what that meant, and Apgar says OCR still does not have a definitive plan. Likely, they will not publish a plan until second quarter 2010.

“If you’ve got a headline [because of a major breach], they’re likely going to come and investigate you,” Apgar says. “But they’re wavering on how they will conduct compliance audits. Not because they’re not going to do it, but because they don’t know when yet. The House version of the healthcare reform bill calls for more strict enforcement than ARRA, so they want to wait to see what comes out in healthcare reform.”

via Health Leaders Media.

This is a long but really great article from Information Week regarding the difficulties and challenges of securing electronic medical records as balanced against the great advantages of having those records available electronically.  I recommend reading the entire article.

Concern over Wentworth-Douglass Hospital’s handling of a broad privacy breach into patients’ records has widened with the Attorney General’s Office confirming it is reviewing what happened.

“It is something we’re looking into,” said James Boffetti, who leads the AG’s Consumer Protection & Antitrust Bureau.

Boffetti said he could not divulge specifics, but confirmed the bureau took over the case after a complaint was made to the agency’s Medicaid Fraud Unit.

He also said a relevant state law is RSA 359-C: 20, which requires notification of a security breach, something WDH representatives have acknowledged they did not do after learning of the breach, which lasted from May 2006 to June 2007. An audit wasn’t completed until May.

The hospital reviewed the law at hand but “determined that a report to the AG’s office or notification to the patients was not required by that law,” Noreen Biehl, vice president of community relations at WDH, said in a written response Thursday night. “That statute was not ignored; the hospital simply determined it did not apply to this situation.”

via Fosters.


Doug Pollack, Chief Marketing Officer for ID Experts, wrote the following article, questioning why we’re not yet seeing any reports of breaches affecting 500 or more posted to HHS’s website under the provisions of HITECH that went into effect September 23. Keeping in mind that not all breaches involving healthcare organizations involve unsecured protected health information, that it takes time to figure out a breach and report it, that HHS gave entities an “out” by inserting a “harm threshold” that Congress did not want or legislate, and that HHS may not have anyone dedicated to updating their web site, I’m not particularly surprised that we’re not seeing anything on HHS’s web site yet. But like Doug, I keep watching their site, too.

via Personal Health Information Privacy (Pollack's article).

More than 90 percent of health care companies are not ready to comply with the privacy and security provision of the Health Information Technology for Economic and Clinical Health Act, according to a survey conducted by the Ponemon Institute and sponsored by Crowe Horwath. . . . “It is disappointing, though not surprising, to learn that a majority of companies do not believe they are prepared for the latest in health care information security regulations,” said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. “Our research consistently finds that a lack of budgetary and moral support from the executive suite is a common barrier to proper data security and management programs, even with the specter of regulatory enforcement looming.”

[Source: EWeek.com]

The HITECH provisions in the American Recovery and Reinvestment Act of 2009 (ARRA) require notification if there is an “unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information.”

The new rule goes into effect November 30, 2009. That's eighteen (18) days by my reckoning.

Time for covered entities and their business associates to get their HITECH houses in order.


When is HIPAA cool?  Well, the amendments have a cool acronym, HITECH, and that helps. The truth is, it's really cool to be compliant.  Yes, you heard me, compliance is cool.  Here's what I mean:


  • It's cool to protect your employees, customers and vendors from data breaches.
  • It's cool to protect shareholder value.
  • It's cool to impress regulators with proactive and prophylactic compliance programs.
  • It's cool to avoid enforcement, fines and long regulatory oversight from US or overseas regulators.
  • It's cool to avoid private litigation for data privacy breaches.
  • And (probably not) last (but certainly not least), it's cool to be able to say you care enough to spend money on all of these cool things.

This is exactly what Sten-tel is telling the world in this PRESS RELEASE.

It is indeed hip to be HIPAA compliant.  Data privacy and security is not just for the lawyers; it's for everyone with a stake in an organization's continued operations, from the employees right up to the shareholders.  This is as true for HIPAA covered entities and their business associates as it is for all organizations (small and large) that control personal information.

The Health & Human Services Department today published an interim final rule that strengthens its enforcement of the Health Insurance Portability and Accountability Act (HIPAA) by aligning it with tougher privacy terms of the stimulus law.

"The Department's implementation of these HITECH Act enforcement provisions will strengthen the HIPAA protections and rights related to an individual's health information," said Georgina Verdugo, the director of the HHS Office for Civil Rights (OCR).

Under the previous HIPAA rule, HHS could not fine healthcare organizations more than $100 for each violation and imposed a ceiling of $25,000 for all similar violations of the same provision.

The new rule significantly increases the maximum individual penalty for civil violations of HIPAA. Under the new rule:

  • The minimum civil penalty is $100 per violation if the covered entity was unaware of it and, by exercising reasonable diligence, would not have known about the violation.
  • The minimum civil penalty is $1,000 per violation for those that were the result of "reasonable cause" involving circumstances that would make it unreasonable for the covered entity to comply.
  • The minimum penalty is $10,000 for violations that result from willful neglect and are subsequently corrected.
  • The minimum penalty is $50,000 for violations that result from willful neglect but are not corrected.
  • The maximum penalty for multiple violations is $1.5 million per calendar year.

The new penalty amounts apply to HIPAA violations occurring on or after Feb. 18.

The law also removes a defense under HIPAA that barred HHS from imposing civil penalties on a so-called "covered entity" that could demonstrate "it did not know that it violated the HIPAA rules," according to an HHS statement. Now, under the new rule, "A covered entity can no longer bar the imposition of a civil money penalty for an unknown violation unless it corrects the violation within 30 days of discovery."

The new rule goes into effect November 30, 2009. The Office for Civil Rights is accepting comments on the interim final rule until Dec. 29.

UPDATE –  October 22, 2009:  Consumer Watchdog joins the fray and urges HHS to eliminate the harm standard.  See article here.  See the Consumer Watchdog letter here.

October 14, 2009. Congressmen who were prominent in the adoption of the HITECH Act provisions of ARRA have sent a letter requesting that Secretary Sebelius delete so-called "harm" thresholds from the breach notification provisions in the HHS draft regulations.  The HITECH Act (Section 13402 of ARRA) provides that notification is required if there is an "unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information."

The letter said the signers were "deeply concerned about the high bar."  Under the interim final rules, a notification would only be necessary if the breaching entity decides there is a significant risk of financial, reputational or other harm to the individual.

In omitting such a harm standard, Congress intentionally eliminated any discretion on the part of the breaching entity.  If the information was leaked, the notification was required.

Part of the Congressional intent was to provide “strong safeguards that protect the privacy and security of individuals’ personal health information” in order to help promote health information technology advances.

I, for one, would be less trusting of a system which gave discretion to the offender to self-report a breach.  If the risk of harm turns out to be minimal, the impacts of the breach will be minimal.  The risk assessment, however, belongs to the owner of the PII – that is, the individual.

A comparison of compliance programs for HITECH, Safe Harbor and the new Massachusetts regulations.

Wouldn't that be nice?  I will work on it.  Perhaps we are witnessing the beginnings of a convergence: an increase in overlapping requirements may make concurrent compliance programs more manageable.

Hmm.

