Weighing in at half the length of Tolstoy’s legendary tome War and Peace, it is no surprise that the thought of the impending deadline for compliance with the 538-page HIPAA Omnibus Rule has left many small clinical practices feeling overwhelmed. HHS Office of Civil Rights (OCR) and the Workgroup for Electronic Data Interchange (WEDI) are co-sponsoring four… Continue Reading
Category Archives: HIPAA/HITECH
Subscribe to HIPAA/HITECH RSS FeedUnderstanding HIPAA: OCR Publishes New Provider and Consumer Guides
Posted in HIPAA/HITECH, Privacy RegulationWritten by Kimberly Gold (Originally posted in Mintz Levin’s Health Law Policy Matters blog) Understanding the complexities of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules is often a challenge for health care providers and consumers. Recognizing the widespread confusion surrounding the interpretation of the rules, the U.S. Department… Continue Reading
Countdown Begins for HIPAA Omnibus Rule Compliance
Posted in Data Breach Notification, Data Compliance & Security, HIPAA/HITECH, Privacy RegulationWritten by Dianne J. Bourque and Stephanie D. Willis The HIPAA Omnibus Rule goes into effect today, which officially starts the clock for covered entities, business associates, and their subcontractors to begin updating their agreements, forms, policies, procedures, and practices to meet approaching compliance deadlines. Business Associate Agreement (BAA) and Data Use Agreement (DUA) compliance… Continue Reading
The New HIPAA Omnibus Rule & Your Liability — A Detailed Review
Posted in Data Breach Notification, Data Compliance & Security, HIPAA/HITECH, Privacy RegulationBy Alden J. Bianchi, Dianne J. Bourque, Kimberly J. Gold, and Cynthia J. Larose As we have reported in this blog (here, here, here, here, and here), the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently released final regulations containing modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules (Omnibus… Continue Reading
Business Associates Beware
Posted in Data Breach, Data Breach Notification, Data Compliance & Security, HIPAA/HITECHIf you haven’t yet caught up with the new HIPAA Omnibus Rule and its consequences for those businesses who are not themselves healthcare providers, but are service providers to healthcare entities (and even further downstream than that….), you can take a listen to our recent webinar highlighting the most important changes and issues. A recent… Continue Reading
REMINDER — Webinar: The New HIPAA Omnibus Rule and Your Liability: TOMORROW
Posted in HIPAA/HITECH, Legislation, Privacy RegulationDon’t forget to register! Mintz Levin is presenting a webinar on January 30,2013 to discuss the impact of the HIPAA Omnibus Rule - the first, sweeping overhaul of the HIPAA privacy and security rules in a decade. Covered entities will want to participate to catch up on the finer details. Business associates and downstream entities – e.g., subcontractors, cloud providers, data storage… Continue Reading
OCR Releases Sample Business Associate Agreement Provisions
Posted in Data Breach Notification, Data Compliance & Security, HIPAA/HITECH, Privacy RegulationWritten By Kimberly Gold The Department of Health and Human Services, Office for Civil Rights (OCR) has posted on its website sample business associate agreement provisions to help covered entities and business associates comply with the new business associate agreement requirements under the final HIPAA Omnibus Rule. The HIPAA Omnibus Rule modified the minimum required… Continue Reading
Webinar: The New HIPAA Omnibus Rule and Your Liability
Posted in HIPAA/HITECH, Privacy RegulationMintz Levin is presenting a webinar on January 30,2013 to discuss the impact of the HIPAA Omnibus Rule – the first, sweeping overhaul of the HIPAA privacy and security rules in a decade. Covered entities will want to participate to catch up on the finer details. Business associates and downstream entities – e.g., subcontractors, cloud… Continue Reading
HIPAA Omnibus Rule Reference Chart
Posted in HIPAA/HITECH, Privacy RegulationBy Dianne J. Bourque, Kimberly J. Gold, Ellen L. Janos, Julie K. Lappas, James Sasso, Kate F. Stewart, and Stephanie D. Willis Mintz Levin is pleased to provide this section-by-section analysis of the HIPAA Omnibus Rule. The chart lists provisions of the proposed privacy, security, and enforcement rules mandated by the Health Information Technology for… Continue Reading
Finally! HHS Office of Civil Rights Releases HIPAA Omnibus Rule With Sweeping Changes to Compliance Requirements and Enforcement
Posted in HIPAA/HITECH, Privacy RegulationBY DIANNE J. BOURQUE AND STEPHANIE D. WILLIS The final regulations1 from Department of Health and Human Services Office of Civil Rights (OCR) containing modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules (Omnibus Rule) have finally been released, but the hard work of interpreting them has just begun for covered entities, business associates, and downstream entities… Continue Reading
HITECH Omnibus Rule Basics
Posted in HIPAA/HITECH, Privacy Regulation, SecurityAs we pore through the 562-page HITECH Omnibus Rule released by the Department of Health and Services late yesterday afternoon, here are some top line bullet points: Effective Date: Rule becomes effective on March 26, 2013. Covered entities and business associates must comply by September 23, 2013. Business Associates are now front and center – During… Continue Reading
Breaking News – HITECH Omnibus Rule Published
Posted in HIPAA/HITECH, Privacy RegulationAfter months of waiting, we have just learned that the HITECH regulations — otherwise known as the Omnibus Rule — have been published. Our team has already started to dive in and we will be publishing detailed analyses both here and at our sister blog, Health Law & Policy Matters. Stay tuned for more -… Continue Reading
OCR Issues Guidance Methods for De-Identification of PHI Under HIPAA
Posted in HIPAA/HITECHOriginally posted in Health Law Policy Matters Written by Julie K. Lappas The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has released guidance on the methods that covered entities and business associates can use to de-identify protected health information (PHI) in accordance with the Health Insurance Portability and Accountability Act… Continue Reading
Centers for Medicare & Medicaid Services (CMS) Falls Short in Response to Healthcare Data Breaches
Posted in Data Breach, Data Breach Notification, HIPAA/HITECH, Privacy RegulationWritten by Stephen Bentfield and previously published in Mintz Levin’s Health Law & Policy Matters Last week, the U.S. Department of Health and Human Services Office of Inspector General (OIG) released the results of a study entitled CMS Response to Breaches and Medical Identity Theft. OIG had two objectives for commencing this study. First, OIG sought to determine whether… Continue Reading
Mass Eye and Ear Infirmary Hit with $1.5M Breach Settlement
Posted in Data Breach, Data Breach Notification, HIPAA/HITECHOriginally posted by Dianne Bourque in Mintz Levin’s Health Law & Policy Matters blog As the old saying goes, “no good deed goes unpunished….” The most recent, published Office for Civil Rights (OCR) HIPAA enforcement action serves as an important reminder that self-reported breaches can and do lead to investigations and enforcement. Massachusetts Eye and Ear… Continue Reading
HIPAA Audit Protocols Now Public
Posted in Data Compliance & Security, HIPAA/HITECH, Privacy RegulationWritten by: Dianne Bourque and Stephanie Willis As promised by the Department of Health and Human Services’ Office of Civil Rights (OCR) and as reported here on June 11th, OCR has released its HIPAA privacy and security audit protocols. The audit protocols are intended to cover the three main areas of HIPAA privacy and security enforcement: Privacy Rule requirements,… Continue Reading
HITECH: Business Associates Beware – New Rules, Audits and Enforcement on the Horizon!
Posted in Data Compliance & Security, HIPAA/HITECHThe upcoming HIPAA Omnibus Rule is poised to transform an already challenging privacy and security landscape for business associates or those who provide services to HIPAA “covered entities.” The HITECH Act has already imposed greater compliance responsibility on business associates and their subcontractors. The rules are set to change further and failure to comply can result in… Continue Reading
OCR Shares Preliminary HITECH Audit Results; What’s Next??
Posted in HIPAA/HITECH, Privacy RegulationWritten by Dianne J. Bourque Last week at the OCR/NIST conference, Building Assurance through HIPAA Security, Linda Sanches of the Office for Civil Rights provided an extensive update on the pilot HITECH audit program, including preliminary findings, what regulated entities can expect next and suggestions for covered entities concerned about being audited. Mintz Levin attended… Continue Reading
HHS Office of Civil Rights Director Speaks
Posted in HIPAA/HITECH, Privacy RegulationOur colleagues over at the Mintz Health Law & Policy Matters blog have been attending this week’s HIPAA Security Conference and have posted an update here. Two big takeaways — Office of Civil Rights (the agency that enforces the HIPAA privacy and security standards) Director Leon Rodriguez says that HIPAA compliance expectations are higher than ever… Continue Reading
Ignorance of HIPAA Provisions No Excuse
Posted in HIPAA/HITECHAs the old canard goes: “Ignorance of the law is no excuse.” The Ninth Circuit agrees, particularly when it comes to misdemeanor charges under HIPAA for “wrongful disclosure.” Our colleagues at the Mintz Health Law & Policy Matters blog tell the story here.
Navigant: Reports of Data Breaches On the Increase Across Industries
Posted in Data Breach, Data Breach Notification, Data Compliance & Security, HIPAA/HITECH, Privacy Regulation, SecurityNavigant recently published the latest update of its comprehensive Information Security and Data Breach Report, which adds yet another analytic view of the data breach picture. And the view is not a pretty one. You can get a copy of the report here. Some of the “highlights”: Healthcare entities again accounted for the largest percentage… Continue Reading
Getting ready to forward that spreadsheet to your personal email account? Think twice…..then think again…
Posted in Data Breach, HIPAA/HITECH, Identity Theft, SecurityAn employee — former employee — of the South Carolina Department of Health and Human Services found out the hard way after transferring the information of more than 228,000 Medicaid beneficiaries to his personal email account. The data included Medicare numbers (which include Social Security numbers as part of the identifier) linked to the beneficiaries… Continue Reading
The Rising Cost of HIPAA Violations: $100,000 Fine Levied on Physician Group
Posted in Data Compliance & Security, HIPAA/HITECH, SecurityWritten by Kimberly Gold If your company needs another reminder that policies and procedures, risk assessments, documentation and training are critical elements for HIPAA compliance programs, we have another corrective action plan – and monetary fine – that should be utilized as a “teachable moment” for health care providers and business associates alike. Phoenix Cardiac… Continue Reading
The cost of HIPAA non-compliance – $17 million – UPDATE
Posted in Data Breach, Data Breach Notification, Data Compliance & Security, HIPAA/HITECHWritten by Kevin McGinty If it wasn’t clear before, a recent settlement of HIPAA claims brought by the Department of Health and Human Services against BlueCross BlueShield of Tennessee (“BCBST”) underscores the high regulatory cost of non-compliance with privacy requirements. HHS announced on March 13, 2012 that BCBST has agreed to pay $1.5 million… Continue Reading
