Is your organizaton covered for HIPPA violations?

HIPAA-Covered Entities Must Comply With New Data Breach Rules Issued by Office for Civil Rights

On August 19, 2009, the Office for Civil Rights (OCR) at the federal Department of Health and Human Services (HHS) released new regulations for an interim final rule requiring health care providers, health plans, and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) of 1996 to notify individuals when their health information is breached. Covered entities must comply by September 24, 2009. On July 27, 2009, authority for enforcing HIPAA security provisions was officially moved to OCR from the Centers for Medicare and Medicaid Services, which had enforced HIPAA since 2003.

The move combines the authority for administration and enforcement of new federal standards for health information privacy and existing HIPAA security provisions. OCR will have the following responsibilities:

• Investigate federal civil rights discrimination and health information security statutes
• Impose civil money penalties on covered entities that fail to adhere to HIPAA security standards for the protection of electronic health information
• Issue subpoenas for testimony and evidence related to any matter under investigation or compliance review for failure to comply with HIPAA requirements and security standards
• Make exception determinations when provisions of state laws are contrary to federal standards, but not preempted by federal provisions

CMS retains its enforcement authority for other HIPAA rules. Consumers will be able to continue submitting HIPAA security complaints on-line through the Administrative Simplification Enforcement Tool at https://htct.hhs.gov/aset (accessed August 17, 2009).

In announcing the release of the interim final rule, OCR clarified that security breaches affecting fewer than 500 individuals will be reported to the HHS Secretary on an annual basis. The regulations also require business associates of covered entities to notify the covered entity of breaches at or by the business associate. The Federal Trade Commission (FTC) has issued companion breach notification regulations that apply to vendors of personal health records and certain others not covered by HIPAA. The interim final rule also includes guidance to determine if information is “unsecured” and notification is required. Entities subject to the HHS and FTC regulations that secure health information as specified by the guidance through encryption or destruction are relieved from having to notify in the event of a breach of such information. Once the interim final rule is published in the Federal Register it will take effect within 30 days. Public comments will be accepted for 60 days after publication.

Posted in UBI NEWS