January 24, 2013
On January 17, 2013, the Department of Health and Human Services (HHS) posted Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules [PDF] (the Final Rule) under the authority of the HITECH Act and the Genetic Information Nondiscrimination Act (GINA), as well as under the general authority of HHS. The Final Rule, scheduled to be published in the Federal Register on January 25, 2013, will be effective on March 26, 2013. Thankfully, however, covered entities and business associates will, in general, have an additional six months, until September 23, 2013, to come into compliance. The Final Rule does not address the Proposed Rule on Accounting for Disclosures [PDF], published May 31, 2011.
This client alert provides an overview of the principal changes in the Final Rule. Look for a complete Ober|Kaler review and analysis of the Final Rule in the coming days.
January 2, 2013
Today, HHS announced that it entered into the first breach settlement involving fewer than 500 patients. HHS settled for $50,000 with Hospice of North Idaho for violations of the HIPAA Security Rule, including a failure to maintain security policies and procedures and to maintain secure mobile devices. In June 2010, an unencrypted Hospice of North Idaho laptop containing information on 441 patients was stolen. In the HHS press release, OCR Director Leon Rodriguez stated that “This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.” For more information see: www.hhs.gov/news/press/2013pres/01/20130102a.html
July 26, 2012
Joshua Freemire was recently interviewed by BNA with regard to the Meaningful Use Audits. The resulting article is here: http://www.bna.com/meaningful-participants-begin-n12884910824/
July 26, 2012
I spoke today with an editor at EHR Intelligence regarding the hospital and professional audits of Meaningful Use program compliance being conducted by Figliozzi & Company. You can read the full interview here: http://ehrintelligence.com/2012/07/26/meaningful-use-audits-qa-with-oberkalers-joshua-freeman/
July 26, 2012
A number of health care providers that attested to Meaningful Use for Stage 1 have received a letter from Figliozzi and Company, acting as CMS’s auditor for the EHR Incentive Program (the “Program” or “Meaningful Use Program”), requesting certain records related to the attestation. CMS has not, as of this writing, made any announcement of this audit initiative or of the engagement of Figliozzi and Company. While it is always good policy to confirm the identity and authority of any entity claiming a right to review or audit records, these letters are legitimate. Citing its statutory authority under the American Recovery and Reinvestment Act (ARRA), and without any fanfare, CMS has begun to audit the attestation materials.
July 26, 2012
Covered Entities and Business Associates may be breathing a little easier lately, after the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) made public the detailed audit protocols used by KPMG during the first round of random audits. The protocols contain some surprises, but, at a minimum, their publication ends what had been a nonpublic process. Covered entities and business associates alike should review the protocols even if they were not selected for an audit during this past cycle; the protocols offer some surprising indications of government enforcement priorities and provide a fairly granular “road map” of HHS OCR’s interests.
July 26, 2012
A recent action by the Connecticut Medical Examining Board (a unit of that state’s Department of Public Health) should serve to remind covered entities and business associates that it is not only the federal government that can act to enforce HIPAA’s privacy requirements. In a consent order dated the 21st of March [PDF] but officially accepted in mid-June, Dr. Gerald Micalizzi accepted a $20,000 fine, six months’ probation, and additional education requirements for inappropriately accessing the records of patients at Connecticut’s Griffin Hospital.
July 24, 2012
In its first enforcement action against a state agency, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) settled last month with Alaska’s Department of Health and Social Services (DHSS) for HIPAA security violations it reported as required by HITECH. DHSS entered into a settlement agreement and agreed to pay $1,700,000 after a USB hard drive (an electronic storage device) potentially containing electronic protected health information (ePHI) was stolen from the vehicle of a DHSS computer technician in October 2009.