Tag Archives: HITECH Act

HHS Issues Modifications to the HIPAA Privacy, Security and Enforcement Rules

Posted on July 8, 2010 by Hunton & Williams LLP

On July 8, 2010, the Department of Health and Human Services ("HHS") issued a notice of proposed rulemaking to modify the Privacy, Security and Enforcement Rules promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996. The modifications implement changes made by the Health Information Technology for Economic and Clinical Health Act (the “HITECH” Act) enacted in 2009.

Tags: Department of Health and Human Services, HIPAA, HITECH Act, Privacy Rule, Protected Health Information, Security Rule

HHS To Examine Breach Notification and Risk Mitigation Plans

Posted on May 24, 2010 by Hunton & Williams LLP

The Office for Civil Rights (“OCR”) within the Department of Health and Human Services (“HHS”) has announced that it will more closely examine covered entities’ breach notification and risk mitigation plans. OCR noted that small and medium sized covered entities have been particularly vulnerable to data breaches. The National Institute of Standards and Technology (“NIST”) will publish a guide for covered entities that “outlines the steps to mitigate risks for data breaches, training for how to respond to breaches, and overall preparation in the event of a breach, such as alternate storage facilities for data.”

As previously discussed on this blog, OCR has announced an uptick in HIPAA Security Rule enforcement and issued draft guidance regarding the “risk analysis” implementation specification in the Security Rule.

Tags: Compliance, Department of Health and Human Services, HIPAA, HITECH Act, National Institute of Standards and Technology, Security Rule

HHS Official Reports Uptick in HIPAA Security Rule Enforcement

Posted on May 14, 2010 by Hunton & Williams LLP

David Holtzman, a health information privacy specialist at the Office for Civil Rights (“OCR”) within the Department of Health and Human Services (“HHS”), stated at a health privacy conference on May 11, 2010, that OCR has been “vigorously” enforcing the Security Rule, which was promulgated pursuant to the Health Insurance Portability and Accountability Act (“HIPAA”). Prior to 2009, HHS divided civil enforcement responsibility for HIPAA between OCR, which enforced the HIPAA Privacy Rule, and the Centers for Medicare and Medicaid Services (“CMS”), which enforced the HIPAA Security Rule. In July 2009, the Secretary of HHS delegated authority to enforce the HIPAA Security Rule to OCR to “facilitate improvements by eliminating duplication and increasing efficiency.”

Tags: Compliance, Department of Health and Human Services, HIPAA, HITECH Act, Privacy Rule, Security Rule

Attorney General Launches New HIPAA Investigation

Posted on April 1, 2010 by Hunton & Williams LLP

The Attorney General of Connecticut, Richard Blumenthal, is investigating an alleged breach of medical records at Griffin Hospital in Derby, Connecticut. The hospital believes that a formerly affiliated radiologist gained unauthorized access to its digital Picture Archiving and Communications System (“PACS”), which stores patient information, including names, exam descriptions and medical record numbers. In February, the hospital began receiving inquiries from patients who had been contacted by the radiologist to promote professional services offered at another medical facility. In response to patient inquiries, the hospital conducted an internal investigation that revealed several instances of unauthorized access to the PACS system. The hospital subsequently notified Attorney General Blumenthal.

Tags: Connecticut, Encryption, HIPAA, HITECH Act, Richard Blumenthal, State Attorneys General

HHS Delays Enforcement of HITECH Act Business Associate Provisions

Posted on February 19, 2010 by Hunton & Williams LLP

We understand that yesterday Adam H. Greene (Office of the General Counsel, Civil Rights Division, U.S. Department of Health & Human Services), speaking at the ABA’s 11th Annual Conference on Emerging Issues in Healthcare Law, indicated that enforcement of the business associate provisions of the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), which became effective on February 17, 2010, will be delayed until final rules addressing those provisions are published. The HITECH Act’s business associate provisions require business associates to implement the information security safeguards specified by the HIPAA Security Rule, and comply with certain requirements of the HIPAA Privacy Rule. Similarly, the HITECH Act requires covered entities to provide in their business associate agreements that all of the HITECH Act’s security requirements applicable to covered entities are also applicable to business associates.

Tags: Business Associate Agreement, Department of Health and Human Services, HIPAA, HITECH Act, Privacy Rule, Security Rule

Privacy and Data Security Risks in Cloud Computing

Posted on February 5, 2010 by Hunton & Williams LLP

Cloud computing raises complex legal issues related to privacy and information security. As legislators and regulators around the world grapple with the privacy and data security implications of cloud computing, companies seeking to implement cloud-based solutions should closely monitor this rapidly evolving legal landscape for developments. In an article published on February 3, 2010, Lisa Sotto, Bridget Treacy and Melinda McLellan explore U.S. and EU legal requirements applicable to data stored by cloud providers, and highlight some of the risks associated with the use of cloud computing.

Tags: Bridget Treacy, Cloud Computing, Data Transfer, Gramm Leach Bliley Act, HIPAA, HITECH Act, Lisa Sotto, Melinda McLellan

Connecticut AG Files First HITECH Act Suit

Posted on January 15, 2010 by Hunton & Williams LLP

In a lawsuit he described as “[s]adly . . . historic,” Connecticut Attorney General Richard Blumenthal sued Health Net of Connecticut, Inc. for allegedly failing to secure private patient medical records and financial information involving hundreds of thousands of Connecticut enrollees and promptly notify consumers endangered by the security breach. The case marks the first action by a state attorney general under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act to enforce provisions of the Health Insurance Portability and Accountability Act (“HIPAA”). The suit also alleges a violation of Connecticut’s breach notification statute.

Tags: Connecticut, Encryption, HIPAA, HITECH Act, Richard Blumenthal, State Attorneys General

Interim Final Rule Implements Increased Penalties for HIPAA Violations

Posted on October 30, 2009 by Hunton & Williams LLP

The Department of Health and Human Services (“HHS”) released an interim final rule to incorporate the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) categories of violations and tiered civil penalty amounts. The interim final rule is expected to be published in the Federal Register on October 30, 2009 and takes effect on November 30, 2009. The rule applies to violations of the Health Insurance Portability and Accountability Act of 2003 (“HIPAA”) that occur on or after February 18, 2009.

Tags: Department of Health and Human Services, HIPAA, HITECH Act, Protected Health Information

HHS Posts Breach Notice Reporting Form

Posted on October 2, 2009 by Hunton & Williams LLP

The Department of Health and Human Services (“HHS”) has posted to its website a notification form that may be used to report breaches of unsecured protected health information to the agency. Although some state agencies requiring notice of a breach employ a standard reporting form, the form issued by HHS has several unique features and requests more information than a typical breach reporting form. Some interesting features of the form include:

The form may be used to report both breaches affecting 500 or more individuals, as well as breaches affecting fewer than 500 individuals, although the former must be notified to the agency within 60 days of discovery and the later need only be logged over the course of the year and reported to the agency on an annual basis.
The form requires that, if the breach occurred "at or by" a business associate, that business associate must be identified by name and contact information must be provided. The form is, however, required to be completed by the covered entity.
The form requires a description of the breach and provides drop-down lists to facilitate the description of the type of breach (e.g., theft, loss, improper disposal, etc.), the location of the "breached information" (e.g., laptop, desktop computer, network server, etc.) and the type of PHI affected (e.g., demographic information, financial information, clinical information or "other").
The form further requests a description of the safeguards that were in place prior to the breach and a description of actions taken in response to the breach, again via selection from a drop-down list. Actions taken in response to the breach also may be described in narrative form.
The form requires completion of an attestation that the information provided is accurate, and acknowledgement that the Office of Civil Rights ("OCR") may be required to release information provided via the form pursuant to the Freedom of Information Act, that some of the information will be posted to HHS’s web site, and that OCR will use the information to provide an annual report to Congress, as required by the HITECH Act.
The form also may be used to submit an "initial breach report" or an "addendum to previous report," implying that covered entities could submit the form based on then-available information and later file an addendum, which may be necessary in some cases to avoid missing the 60-day reporting deadline.

The form, which is intended to be submitted electronically, includes all of the required elements specified by the HITECH Act and HHS’s implementing regulations. HHS also has provided instructions for completing the form.

Tags: Department of Health and Human Services, Freedom of Information Act, HITECH Act

Becoming HITECH: Actions Covered Entities and Business Associates Should Take Now to Comply with the Requirements of the HITECH Act

Posted on September 23, 2009 by Hunton & Williams LLP

The Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), which was signed into law in February 2009 as part of the economic stimulus package, substantially impacts requirements imposed by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The HITECH Act creates several new and potentially burdensome obligations that affect the relationship between covered entities and business associates. Because these changes are quite substantial and necessitate revisions to existing business associate agreements (“BAAs”), covered entities and business associates should begin compliance efforts as soon as possible. Read more on actions to take to comply with the requirements of the HITECH Act.

Tags: Business Associate Agreement, HITECH Act, Protected Health Information

Privacy and Information Security Law Blog - Global privacy and information security law updates and analysis

Tag Archives: HITECH Act

HHS Issues Modifications to the HIPAA Privacy, Security and Enforcement Rules

HHS To Examine Breach Notification and Risk Mitigation Plans

HHS Official Reports Uptick in HIPAA Security Rule Enforcement

Attorney General Launches New HIPAA Investigation

HHS Delays Enforcement of HITECH Act Business Associate Provisions

Connecticut AG Files First HITECH Act Suit

Interim Final Rule Implements Increased Penalties for HIPAA Violations

HHS Posts Breach Notice Reporting Form

Becoming HITECH: Actions Covered Entities and Business Associates Should Take Now to Comply with the Requirements of the HITECH Act

Published By Hunton & Williams

Search

Subscribe

Topics

Recent Updates

Blogroll

Privacy News