Know your 5010 from your ICD-10



The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has published in the May 31, 2011, Federal Register the Notice of Proposed Rule Making (NPRM) entitled "HIPAA Privacy Rule Accounting of Disclosures Under the Health Information Technology for Economic and Clinical Health Act" (76(104), pp. 31426-31449). Comments on the NPRM are requested on or before August 1, 2011. HHS expects to review comments and publish the Accounting of Disclosures Final Rule by the end of 2011, which means that compliance with the accounting of disclosures requirement would begin sometime during the summer of 2012.



On May 23, 2011, OMB cleared the Notice of Proposed Rule Making relating to HITECH Act accounting of disclosures, which modifies the HIPAA Privacy Rule provisions relating to such disclosures.



As of April 4, 2011, HHS's Office for Civil Rights (OCR), responsible for enforcing HIPAA and HITECH Act privacy and security regulations, has reported on its Web site that a total of 256 breaches, reported by covered entities from September 22, 2009 (the day prior to the effective date of the Breach Notification Rule) to February 8, 2011, have impacted 10,202,051 persons. California-based Health Net



The HHS Office for Civil Rights (OCR), which is responsible for privacy and security enforcement under the Health Insurance Portability and Accountability Act (HIPAA) and HITECH Act provisions that strengthened privacy and security enforcement, is required to post those breaches on its Web site. As of March 17, 2011, OCR had posted on its Web site 249 breaches, reported by covered entities, that had impacted 8,289,236 individuals. Of the 177 privacy and security breaches involving electronic PHI, 104, or approximately 59%, involved laptops and portable electronic devices (PEDs), not otherwise identified. All but 4 of these reported breaches of laptops and PEDs involved theft or loss. These breaches should not be occurring! Covered entities and business associates should be encrypting their electronic PHI on portable and mobile devices. Clearly, they should be emphasizing safeguard policies and procedures such as encryption of electronic PHI, and initiating a meaningful training program for workforce members on "awareness and understanding" of and abiding by those policies and procedures.



January 7, 2011. The Department of Health and Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC) published today in the Federal Register the final rule for Establishment of the Permanent Certification Program for Health Information Technology (HIT). This regulation is effective on February 7, 2011. The temporary certification program final rule, published on June 24, 2010 in the Federal Register, will continue in effect until it sunsets on December 31, 2011, or at a later date when permanent certification program operational processes are completed.



On Tuesday, December 7, the House by voice vote joined the Senate in passage of S.3987, the Red Flag Program Clarification Act of 2010. On November 30, 2010, the Senate passed this legislation by unanimous consent. The bill has been cleared to the White House for signature. Healthcare providers, as Covered Entities under HIPAA Administrative Simplification, while exempt from FTC Red Flag identity theft detection and protection provisions under S.3987, are not exempt from HIPAA and HITECH Act privacy and security rule obligations to safeguard patient identity data elements that are protected health information (PHI) identifiers.



December 2, 2010. As of today's posting by the HHS Office for Civil Rights (OCR) on its Web site, there were 200 privacy or security breaches of protected health information (PHI) involving 5,887,170 individuals that had been reported by covered entities. Under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009, covered entities are required to report to the Secretary of the Department of Health and Human Services (HHS) any breach affecting 500 or more individuals within 60 days of discovery of the breach by the covered entity or its business associate. OCR, which is responsible for HIPAA privacy and security enforcement, is required to post these HIPAA privacy or security breaches publicly.



The HIPAA Administrative Simplification; Notification in the Case of Breach Final Rule (Regulation Identifier Number (RIN) 0991-AB56) has been at the Office of Management and Budget (OMB) since May 14, 2010, for Executive Order (EO) 12866 review and approval prior to publication in the Federal Register. On July 28, 2010, HHS "withdrew" this Final Rule, "to allow for further consideration, given the Department’s experience to date in administering the regulations."