Tag Archives: Department of Health and Human Services

White House Forms Privacy and Internet Policy Subcommittee

Posted on November 1, 2010 by Hunton & Williams LLP

The White House recently announced on its official blog that the National Science and Technology Council’s Committee on Technology has launched a new Subcommittee on Privacy and Internet Policy.  The subcommittee will be co-chaired by a representative from the Department of Commerce and the Department of Justice and will include representatives from over a dozen other departments and federal agencies, such as the Department of Health and Human Services and the National Security Council.  The goal of the subcommittee is to “develop principles and strategic directions” that will foster “consensus in legislative, regulatory, and international Internet policy realms.”  Some of these principles include “facilitating transparency, promoting cooperation, empowering individuals to make informed and intelligent choices, strengthening multi-stakeholder governance models, and building trust in online environments.” Continue reading…

Tags: , , , ,

Rite Aid Pharmacy Pays $1 Million; Settles FTC and HHS Charges Regarding Data Practices

Posted on July 28, 2010 by Hunton & Williams LLP

Rite Aid has agreed to pay $1 million and implement remedial measures to resolve Department of Health and Human Services (“HHS”) and Federal Trade Commission allegations that it failed to protect customers’ sensitive health information.  The FTC began its investigation following news reports about Rite Aid pharmacies using open dumpsters to discard trash that contained consumers’ personal information such as pharmacy labels and job applications.  The FTC took issue with this practice in light of the pharmacy’s alleged claims that “Rite Aid takes its responsibility for maintaining your protected health information in confidence very seriously . . . Although you have the right not to disclose your medical history, Rite Aid would like to assure you that we respect and protect your privacy.”  At the same time, HHS began investigating the pharmacies’ disposal of health information protected by the Health Insurance Portability and Accountability Act.

Continue reading…

Tags: , , ,

HHS Issues Modifications to the HIPAA Privacy, Security and Enforcement Rules

Posted on July 8, 2010 by Hunton & Williams LLP

On July 8, 2010, the Department of Health and Human Services ("HHS") issued a notice of proposed rulemaking to modify the Privacy, Security and Enforcement Rules promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996.  The modifications implement changes made by the Health Information Technology for Economic and Clinical Health Act (the “HITECH” Act) enacted in 2009.

Continue reading…

Tags: , , , , ,

HHS To Examine Breach Notification and Risk Mitigation Plans

Posted on May 24, 2010 by Hunton & Williams LLP

The Office for Civil Rights (“OCR”) within the Department of Health and Human Services (“HHS”) has announced that it will more closely examine covered entities’ breach notification and risk mitigation plans.  OCR noted that small and medium sized covered entities have been particularly vulnerable to data breaches.  The National Institute of Standards and Technology (“NIST”) will publish a guide for covered entities that “outlines the steps to mitigate risks for data breaches, training for how to respond to breaches, and overall preparation in the event of a breach, such as alternate storage facilities for data.”

As previously discussed on this blog, OCR has announced an uptick in HIPAA Security Rule enforcement and issued draft guidance regarding the “risk analysis” implementation specification in the Security Rule.

Tags: , , , , ,

HHS Official Reports Uptick in HIPAA Security Rule Enforcement

Posted on May 14, 2010 by Hunton & Williams LLP

David Holtzman, a health information privacy specialist at the Office for Civil Rights (“OCR”) within the Department of Health and Human Services (“HHS”), stated at a health privacy conference on May 11, 2010, that OCR has been “vigorously” enforcing the Security Rule, which was promulgated pursuant to the Health Insurance Portability and Accountability Act (“HIPAA”).  Prior to 2009, HHS divided civil enforcement responsibility for HIPAA between OCR, which enforced the HIPAA Privacy Rule, and the Centers for Medicare and Medicaid Services (“CMS”), which enforced the HIPAA Security Rule.  In July 2009, the Secretary of HHS delegated authority to enforce the HIPAA Security Rule to OCR to “facilitate improvements by eliminating duplication and increasing efficiency.”

Continue reading…

Tags: , , , , ,

HHS Delays Enforcement of HITECH Act Business Associate Provisions

Posted on February 19, 2010 by Hunton & Williams LLP

We understand that yesterday Adam H. Greene (Office of the General Counsel, Civil Rights Division, U.S. Department of Health & Human Services), speaking at the ABA’s 11th Annual Conference on Emerging Issues in Healthcare Law, indicated that enforcement of the business associate provisions of the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), which became effective on February 17, 2010, will be delayed until final rules addressing those provisions are published.  The HITECH Act’s business associate provisions require business associates to implement the information security safeguards specified by the HIPAA Security Rule, and comply with certain requirements of the HIPAA Privacy Rule.  Similarly, the HITECH Act requires covered entities to provide in their business associate agreements that all of the HITECH Act’s security requirements applicable to covered entities are also applicable to business associates.

Continue reading…

Tags: , , , , ,

Interim Final Rule Implements Increased Penalties for HIPAA Violations

Posted on October 30, 2009 by Hunton & Williams LLP

The Department of Health and Human Services (“HHS”) released an interim final rule to incorporate the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) categories of violations and tiered civil penalty amounts.  The interim final rule is expected to be published in the Federal Register on October 30, 2009 and takes effect on November 30, 2009.  The rule applies to violations of the Health Insurance Portability and Accountability Act of 2003 (“HIPAA”) that occur on or after February 18, 2009.

Continue reading…

Tags: , , ,

HHS Posts Breach Notice Reporting Form

Posted on October 2, 2009 by Hunton & Williams LLP

The Department of Health and Human Services (“HHS”) has posted to its website a notification form that may be used to report breaches of unsecured protected health information to the agency.  Although some state agencies requiring notice of a breach employ a standard reporting form, the form issued by HHS has several unique features and requests more information than a typical breach reporting form.  Some interesting features of the form include:

  • The form may be used to report both breaches affecting 500 or more individuals, as well as breaches affecting fewer than 500 individuals, although the former must be notified to the agency within 60 days of discovery and the later need only be logged over the course of the year and reported to the agency on an annual basis.
  • The form requires that, if the breach occurred "at or by" a business associate, that business associate must be identified by name and contact information must be provided.  The form is, however, required to be completed by the covered entity.
  • The form requires a description of the breach and provides drop-down lists to facilitate the description of the type of breach (e.g., theft, loss, improper disposal, etc.), the location of the "breached information" (e.g., laptop, desktop computer, network server, etc.) and the type of PHI affected (e.g., demographic information, financial information, clinical information or "other").
  • The form further requests a description of the safeguards that were in place prior to the breach and a description of actions taken in response to the breach, again via selection from a drop-down list.  Actions taken in response to the breach also may be described in narrative form.
  • The form requires completion of an attestation that the information provided is accurate, and acknowledgement that the Office of Civil Rights ("OCR") may be required to release information provided via the form pursuant to the Freedom of Information Act, that some of the information will be posted to HHS’s web site, and that OCR will use the information to provide an annual report to Congress, as required by the HITECH Act.
  • The form also may be used to submit an "initial breach report" or an "addendum to previous report," implying that covered entities could submit the form based on then-available information and later file an addendum, which may be necessary in some cases to avoid missing the 60-day reporting deadline.

The form, which is intended to be submitted electronically, includes all of the required elements specified by the HITECH Act and HHS’s implementing regulations.  HHS also has provided instructions for completing the form.

Tags: , ,

FTC and HHS Issue Final Breach Notification Rules

Posted on August 28, 2009 by Hunton & Williams LLP

On August 17, the Federal Trade Commission ("FTC") issued a final rule ("FTC Final Rule") addressing security breaches of personal health records ("PHRs").  The FTC Final Rule applies to all breaches discovered on or after September 24, 2009, and to “foreign and domestic vendors of personal health records, PHR related entities, and third party service providers” that “maintain information of U.S. citizens or residents.”  The FTC Final Rule does not apply to covered entities or business associates as defined under regulations promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").  Full compliance is required by February 22, 2010.

Continue reading…

Tags: , , , ,

U.S. Department of Health and Human Services Expands Its Health Information Privacy Enforcement Team

Posted on August 10, 2009 by Hunton & Williams LLP

In a move that portends increased enforcement of the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule, the Department of Health and Human Services (“HHS”) has created two new positions on its health information privacy enforcement team.  According to the job listings (here and here), the new Health Information Privacy Specialists at the HHS Office for Civil Rights (“OCR”) will be responsible for “reviewing, analyzing, implementing, promoting, or improving proposed or existing programs or policies needed to implement OCR’s authority for ensuring compliance with the privacy of health information requirements” of HIPAA and its implementing regulations.  The website indicates that applications for the positions will be accepted through Thursday, August 13, 2009.

Tags: , ,