Welcome to ERISAdiagnostics, Inc.  
   

HIPAA

[Guidance Overview] Simple Mailing Mistakes Could Now Be HIPAA Violations Under New HHS Fundraising Rules
Excerpt: "The new regulations propose strengthening the language regarding the opt-out notification, stating that CEs must provide individuals with a 'clear and conspicuous' opportunity for the individual to elect not to receive future fundraising communications." (AIS Health.com)

[Guidance Overview] HHS's Proposed HITECH/HIPAA Privacy, Security and Enforcement Guidance
Excerpt: "HHS has requested comments on the proposed HITECH regulations on or before September 13, 2010. Once the final regulations are issued, HHS has indicated that covered entities will generally have 180 days to comply with the new rules. HHS also indicated that there would be no additional delay of the application of the regulations, once finalized, to small health plans." (McDermott Will & Emery)

[Guidance Overview] Important Changes to HIPAA Privacy, Security and Enforcement Rules Proposed by HHS (PDF)
8 pages. (Poyner Spruill LLP)

[Guidance Overview] Proposed Modifications to HIPAA Privacy, Security, and Enforcement Rules According to HITECH Act (PDF)
3 pages. Excerpt: "The stated purpose of the proposed regulations is to implement statutory amendments under HITECH, to strengthen the protection and security of health information, and to improve the workability and effectiveness of the HIPAA Rules." (Paul, Hastings, Janofsky & Walker LLP)

[Guidance Overview] A Break Down of the Proposed Changes to HIPAA
Excerpt: "The proposed rule contains numerous changes to the HIPAA Privacy Rule; of those changes, CDT considers the [following four] to be the most consequential. 1. Business Associates 2. Enforcement 3. Marketing 4. Research" (Center for Democracy & Technology)

[Guidance Overview] Proposed Modifications to HIPAA Privacy and Security Rules
Excerpt: "A determination of whether a business associate or subcontractor is an agent for whom the principal is vicariously liable under the Proposed Rule or is instead an independent contractor requires a case-by-case inquiry based on the facts of the relationship, including the covered entity's level of control over the vendor's conduct." (Merion Matters)

[Guidance Overview] Newly Proposed HIPAA Regulations Contain Some Surprises
Excerpt: "At present, these new changes are only proposals. It's possible that the final regulations will change. Thus, you shouldn't make any changes quite yet. If you have any opinions on these proposed changes, the Department of Health and Human Services is taking comments until September 13, 2010." (Warner Norcross & Judd LLP)

Thousands of 'Subcontractors' May Soon Have to Comply with HIPAA
Excerpt: "Perhaps the biggest surprise in HHS's July 14 proposed rulemaking was a concept that went beyond language contained in the HITECH Act, namely the appearance of the term 'subcontractors' in the list of organizations that would have to comply with the same privacy and security regulations as business associates." (AIS Health.com)

[Guidance Overview] HIPAA Isn't a Shield Against Third-Party Payor Audits
Excerpt: "A frequent question of physicians, medical practices and other providers I represent is whether the HIPAA Privacy Rule prohibits them from providing third-party payors with access to medical records for the purposes of an audit." (Warner Norcross & Judd LLP)

[Guidance Overview] What Does HIPAA Say About Patients Who Want to Hide Information from Their Health Plan?
Excerpt: "If you are a health care provider, . . . the HITECH amendments to HIPAA include a new right: When a patient receives treatment and pays for that treatment entirely out of his or her own pocket, the patient may request that you not share information about the treatment with the patient's health plan -- and you must honor that request." (Warner Norcross & Judd LLP)

HHS Withdraws HIPAA Security Rules
Excerpt: "The Department of Health and Human Services . . . has announced the withdrawal of its interim final regulations addressing security notification for breaches of information that involve protected health information . . . subject to [HIPAA]." (Wolters Kluwer)

[Guidance Overview] HHS Proposed Rule Fine-Tunes HITECH and HIPAA Requirements (PDF)
8 pages. (BNA's Health Law Reporter via Morgan, Lewis & Bockius LLP)

[Guidance Overview] HHS's Notice of Proposed Rulemaking to Address the HITECH Act Amendments to HIPAA
Excerpt: "[F]or the time being, covered entities and business associates may want to take the opportunity to reexamine their compliance efforts and determine what, if anything, they might need to address if these regulations are adopted as proposed." (K&L Gates LLP)

[Guidance Overview] $1 Million Payment Required in Agreement to Settle Potential HIPAA Privacy Rule Violations
Excerpt: "The settlement follows an [HHS's Office for Civil Rights] investigation triggered by media reports that Rite Aid's pharmacies were disposing of prescriptions and labeled pill bottles with individuals' identifiable information in dumpsters that were accessible to the public." (Employee Benefits Institute of America)

[Guidance Overview] HIPAA HITECH Regulations Proposed
Excerpt: "This alert summarizes the specific changes to the rules as well as the effective dates of those changes." (Seyfarth Shaw LLP)

[Guidance Overview] Proposed Modifications to HIPAA Privacy and Security Rules to Implement HITECH Act (PDF)
19 pages. Excerpt: "This White Paper addresses the following notable provisions of the Proposed Rule: Part 1: New privacy and security standards imposed on business associates and their subcontractors; Part 2: Restrictions on marketing involving protected health information; Part 3: Restrictions on the sale of PHI; Part 4: Revisions to the requirements for use and disclosure of PHI for research purposes; Part 5: Other significant revisions to the Privacy Rule; Part 6: Revisions to the Enforcement Rule." (McDermott Will & Emery)

Industry Still Making Sense of Federal E-Health Regs
Excerpt: "Health care industry players are still sorting out the latest regulations on an up-to-$36 billion federal program to encourage doctors and hospitals to use electronic medical records." (Henry J. Kaiser Family Foundation)

[Guidance Overview] Proposed Rule Implements HITECH Act and Amends HIPAA Rules (PDF)
5 pages. Excerpt: "As required by the HITECH Act, the rule would require the DHHS to conduct a compliance review when a preliminary review of the facts of a complaint indicates a possible violation due to willful neglect." (Dechert LLP)

[Guidance Overview] What Do Employers with HIPAA-Covered Health Plans Really Need to Know About Recently Proposed Revisions to HIPAA Regulations?
Excerpt: "Employers should note that [HIPAA] applies only to a narrow subset of employee health information, i.e., individually identifiable health information created or received by, or on behalf of, a group health, dental, vision, or pharmacy benefit plan, employee assistance program, health care reimbursement flexible spending account, or certain long-term care plans." (Littler Mendelson P.C.)

[Guidance Overview] HITECH Requirements: HHS Proposes Amendments to HIPAA Regulations
Excerpt: "Although HITECH generally became effective on February 18, 2010, business associates and covered entities will have 180 days after the effective date of the final regulations to comply with their requirements. The preamble indicates this 180-day compliance rule is expected to apply to future modifications of the HIPAA rules as well." (Deloitte via BenefitsLink.com)

[Guidance Overview] Major Changes Looming for Business Associates and Subcontractors under Proposed HIPAA/HITECH Rules (PDF)
11 pages. Excerpt: "Notably, the Proposed Rule expands the definition of 'business associates' and makes considerable changes to various provisions relating to the use and disclosure of protected health information (PHI) by covered entities and business associates." (Alston & Bird LLP)

[Guidance Overview] HITECH Act Proposed Rules Would Modify HIPAA Privacy, Security, and Enforcement Requirements
Excerpt: "EBIA Comment: There is a tremendous amount of detail contained in these proposed rules -- some of the modifications are not specifically under the HITECH Act but, according to HHS, are designed to 'eliminate ambiguities in the rules and/or make them more workable and effective.'" (Employee Benefits Institute of America)

Changes to HIPAA privacy, security and enforcement rules proposed
Excerpt: "Proposed changes to [HIPAA's] privacy, security and enforcement rules would clarify requirements created by the HITECH provisions of the 2009 stimulus package." (Mercer LLC)

[Official Guidance] Text of Proposed HHS Regs Implementing HIPAA Changes Under HITECH Act (PDF)
58 pages. (U.S. Department of Health & Human Services)

OBRA vs HIPAA: Who Has the Right to Demand Access to Medical Records?
Excerpt: "Here's what creates the issue -- most of you know that under [OBRA] regulations for nursing facilities, and state licensure law for both SNFs and assisted living communities, residents have a right to see and obtain a copy of their medical records. But you also know that HIPAA precludes or restricts the disclosure of residents' protected health information . . . , which includes virtually anything in a medical record, except in very limited situations." (Poyner Spruill LLP)

[Guidance Overview] Health Net to Pay $250,000 to Settle First-Ever State HIPAA Privacy Suit
Excerpt: "The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 amended HIPAA to give state attorneys general the power to bring a civil action on behalf of state residents when the attorney general believes they have been victims of a HIPAA violation." (Thompson Publishing Group Inc.)

[Guidance Overview] Proposed HHS Rulemaking Expands HIPAA Privacy and Security Rules
Excerpt: "The Rule modifies the Privacy Rule, the Security Rule and the Enforcement Rule. It will broaden the applicability of the Privacy and Security Rules requirements to business associates, and apply the Privacy and Security Rules to electronic protected health information." (Nixon Peabody LLP)

Proposed Rules Implementing Key HITECH Act Provisions to Be Published in Federal Register
Excerpt: "An advance copy of the proposed rules covering modifications to implement many of the statutory changes under the HITECH Act has just been released. [See http://www.ofr.gov/OFRUpload/OFRData/2010-16718_PI.pdf]" (Employee Benefits Institute of America)

HHS Proposing Changes to Bolster the Existing Federal Health Privacy Law
Excerpt: "A news release from the Department of Health and Human Services (HHS) said the department is proposing changes to the privacy, security, and enforcement rules in the Health Insurance Portability and Accountability Act (HIPAA)." (PLANSPONSOR.com)

Complexities Abound in HIPAA Interactions Between Law Enforcement and Covered Entities
Excerpt: "Meeting with law enforcement agencies is an effective way to educate them on HIPAA and smooth over misunderstandings." (AIS Health.com)

Avoid 'Disconnect' Between HIPAA Policies and Practices
Excerpt: "Rather than relying on policies that simply recite the regulations, spell out procedures for your workforce's 'least common denominator,' said Amy Yates, director of privacy and data protection at Deloitte and Touche LLP." (Thompson Publishing Group Inc.)

[Guidance Overview] HIPAA: Audits, Breaches, and Fines
Excerpt: "How exactly do you review your HIPAA privacy and security compliance program and ensure that all the requisite bases have been covered? . . . . Your first step is to identify all your legal requirements." (Poyner Spruill LLP)

[Guidance Overview] HHS Issuance of Request for Information on HITECH Act Requirement for Accounting for Disclosures Through an Electronic Health Record
Excerpt: "The Office for Civil Rights of the U.S. Department of Health and Human Services published a Request for Information on the HITECH Act provisions that require HIPAA covered entities to account for disclosures of protected health information through an electronic health record for treatment, payment and health care operations purposes to facilitate its issuance of a proposed regulation implementing the HITECH provisions." (McDermott Will & Emery)

Jail Time for Hospital Employee for HIPAA Privacy Violation -- Snooping Celebrities' Medical Records
Excerpt: "[Mr. Huping Zhou] . . . accessed the UCLA patient records system 323 times, with most of the accesses involving well recognized celebrities." (HealthLeadersMedia.com)

[Guidance Overview] HHS Requests for Information About Health Privacy Disclosures Under HITECH Act Changes to HIPAA Privacy Rule (PDF)
3 pages, in Federal Register. Excerpt: "[T]he Health Information Technology for Economic and Clinical Health (HITECH) Act expands an individual's right [HIPAA] to receive an accounting of disclosures of protected health information made by HIPAA covered entities and their business associates. In particular, [it] requires [HHS] to revise the HIPAA Privacy Rule to require covered entities to account for disclosures of protected health information to carry out treatment, payment, and health care operations if such disclosures are through an electronic health record. This document is a request for information (RFI) to help us better understand the interests of individuals with respect to learning of such disclosures, the administrative burden on covered entities and business associates of accounting for such disclosures, and other information that may inform [HHS'] rulemaking in this area." (Office for Civil Rights, U.S. Department of Health and Human Services)

HIPAA Regulations Will Come Next Month
Excerpt: "The Department of Health & Human Services (HHS) released its semi-annual regulatory agenda in the Federal Register Monday and wrote that modifications to the HIPAA privacy, security and enforcement rules will be coming in May." (HealthLeadersMedia.com)

[Guidance Overview] Health Care Reform Law Augments HIPAA Transaction Standards
Excerpt: "The massive health reform law enacted March 23 includes amendments to HIPAA's electronic data interchange (EDI) provisions that require greater uniformity of HIPAA-standard transactions, including governmental adoption of 'operating rules.' The HIPAA changes in Section 1104 of the Patient Protection and Affordable Care Act (PPACA; Pub. L. 111-148) also add an 'electronic funds transfer' (EFT) transaction. In addition, this section seeks to jumpstart the U.S. Department of Health and Human Services' (HHS) long-delayed rules on unique health plan identifiers, which HHS is directed to finalize by Oct. 1, 2012, and standard claims attachments, which are now due Jan. 1, 2016. The EFT rules must be issued by Jan. 1, 2014." (Thompson Publishing Group Inc.)

[Guidance Overview] HHS's Delay in Enforcement of HITECH Rules as Applied to Business Associates
Excerpt: "In a recent post to its website, HHS's Office of Civil Rights has let it be known that a proposed rule implementing the HITECH Act's privacy and security provisions as they apply to business associate liability is in the works." (Mintz, Levin, Cohn, Ferris, Glovsky and Popeo P.C.)

[Guidance Overview] Fix COBRA, HIPAA and Other Group Health Plan Violations Quickly: Here's Why
Excerpt: "The Internal Revenue Code imposes an excise tax on employers who fail to comply with various federal mandates for group health plans like COBRA and HIPAA. . . . The IRS [has] issued final regulations for self-reporting (and paying) the excise tax for such violations and a new form (Form 8929) to use to self-report, starting this year." (Miller Johnson)

[Guidance Overview] HIPAA Covered Entities Face Complex Challenges with Medical Records of Minors
Excerpt: "HIPAA's approach to minors and PHI may be one of the clearest in theory, but its application can get tricky. HIPAA defers to state laws, which generally allow parents access to their children's medical records until they're 18 -- with some exceptions." (AIS Health.com)

[Guidance Overview] Federal Government Delay in Enforcement of Certain HITECH Changes to HIPAA Privacy and Security Rules
Excerpt: "[T]he Office for Civil Rights (OCR) within the Department of Health and Human Services, posted a notice on its Web site that appears to indicate that enforcement and compliance regarding certain provisions of HITECH will occur when OCR completes its rulemaking process for those requirements." (The Segal Group, Inc.)

[Guidance Overview] HHS Intention to Issue Additional Regulations Implementing the HITECH Act, Including Business Associate Liability
Excerpt: "EBIA Comment: We note that there is no specific indication in the announcement as to when OCR expects to issue new regulations under the HITECH Act. In light of the strengthened enforcement provisions, health plans and their business associates are well advised to comply with the statutory requirements of the HITECH Act while they await issuance of the regulations." (Employee Benefits Institute of America)

[Guidance Overview] ICD-10 Impact on Provider Reimbursement (PDF)
7 pages. Excerpt: "In 2013, entities covered by HIPAA must begin using ICD-10 for HIPAA-covered transactions that contain diagnoses or hospital inpatient procedures. This white paper discusses the short- and long-term effects of the ICD-10 requirement, and also recommends actions that organizations can take to manage the risks associated with the coding change." (Milliman)

[Guidance Overview] HHS List of Covered Entities Reporting Breaches of Unsecured PHI Affecting More Than 500 Individuals
Excerpt: "EBIA Comment: When the breach notification requirements initially went into effect, HHS had indicated that sanctions would not be imposed for failure to provide the required notification for breaches that were discovered before February 22, 2010 -- a date that has since passed. It is all the more important now that covered entities (including health plans) and their business associates ensure compliance with the detailed breach notification requirements, particularly in light of the strengthened enforcement provisions enacted under the HITECH Act." (Employee Benefits Institute of America)

Interview With Douglas A. Grimm: Will Privacy Concerns Slow Electronic Health Record Adoption Rates? (PDF)
4 pages. Excerpt: "Since electronic health records are designed to follow patients wherever they might seek care, HIPAA covered entities and business associates must act in concert, otherwise they will simply become the weakest link in the chain. Ideally, effective data protection practices will be further strengthened by the widespread adoption of electronic health records, and will unlock the means for caregivers to improve patients' lives and for administrators to significantly reduce overhead and administration costs." (ALEXeSOLUTIONS, INC. via Pillsbury Winthrop Shaw Pittman LLP)

[Guidance Overview] Many HIPAA Changes under the HITECH Act Now Effective
Excerpt: "To provide adequate time for Covered Entities and Business Associates to implement and begin good faith compliance with the breach notification final interim regulations, HHS temporarily suspended imposing sanctions for six months. Consequently, the enforcement provisions now become effective for breaches of unsecured PHI discovered on or after Feb. 22, 2010." (McGuireWoods LLP)

Electronic Personal Health Information Exchange: Health Care Entities' Reported Disclosure Practices and Effects on Quality of Care (PDF)
51 pages. Excerpt: "Pursuant to a requirement in the HITECH Act, GAO is reporting on practices implemented by health information exchange organizations, providers, and other health care entities that disclose electronic personal health information." (U.S. Government Accountability Office)

[Guidance Overview] Employers May Need to Monitor Compliance of Business Associates with HITECH Act
Excerpt: "An employer with a health plan that uses the services of one or more business associates should confirm that each business associate providing services to the health plan is aware of its enhanced HIPAA obligations . . . . Such confirmation may already have been obtained by the plan's insurer or third party administrator, but if it has not, communication with the business associate is advised. An employer might also consider seeking an acknowledgement that the business associate is in full compliance with its enhanced obligations under HIPAA." (Cooley Godward Kronish LLP)

'Willful Neglect' Is Difficult to Pin Down, but Can Result in Enormous HIPAA Penalties
Excerpt: "A privacy breach due to 'willful neglect' that was corrected within 30 days and affected 100 individuals, which would have cost an organization $10,000 in prior years, will now cost a minimum of $1 million. Covered entities (CEs) -- and also business associates, who are now subject to civil and criminal penalties as of this month -- need to know what actions (or lack thereof) can push them into the 'willful neglect' category, which carries the most severe fines." (AIS Health.com)

[Guidance Overview] IRS Issues New Form 8928 on Excise Taxes for Failures to Comply with HSA Comparability, COBRA, HIPAA, and Other Group Health Plan Mandates
Excerpt: "EBIA Comment: This Form's publication likely signals increased focus on excise tax assessment for noncompliance with these various mandates. To help keep the excise tax risks to a minimum, cautious plan sponsors (and others, like TPAs and insurers, who may be liable) will follow an approach to compliance designed not only to prevent mistakes from happening but also to catch and correct the ones that inevitably fall through the cracks." (Employee Benefits Institute of America)

[Guidance Overview] Podcast: HITECH's Impact on Benefit Brokers and Advisers
Excerpt: "With enforcement of the HITECH rules slated to begin this month, attorney Christine Roberts provides an overview of the requirements and offers some tips on what to do now to prepare." (Employee Benefit Adviser; free registration required)

[Guidance Overview] Number of HITECH Provisions Will Take Effect or Become Subject to Enforcement This Month (PDF)
Excerpt: "Although HITECH's new breach notification requirements took effect September 23, 2009, HHS adopted a non-enforcement policy allowing HIPAA-covered entities and business associates an additional five months -- or until February 22, 2010 -- to come into compliance with these provisions. . . . Action should be taken immediately to ensure that appropriate procedures are in place by that deadline." (Buck Consultants)

The Health Information Security and Privacy Collaboration
Excerpt: "Established in June 2006 by RTI International through a contract with the U.S. Department of Health and Human Services (HHS), the Health Information Security and Privacy Collaboration (HISPC) originally comprised 34 states and territories. . . . Each project is designed to develop common, replicable multi-state solutions that have the potential to reduce variation in and harmonize privacy and security practices, policies, and laws." (U.S. Office of the National Coordinator for Health Information Technology)

HIPAA HITECH Compliance Steps to Take Now
Excerpt: "Here is a quick checklist of what you should be doing to comply: Send updated agreements to your business associates. . . . Adopt a HIPAA breach notification policy. . . . Amend HIPAA policies and procedures to address the following issues: Updated minimum necessary rule; Additional prohibitions on the use of PHI for marketing; [and,] New individual right to request restrictions on disclosures to health plans. Evaluate your Notice of Privacy Practices . . . . Train staff on new procedures." (Warner Norcross & Judd LLP)

[Guidance Overview] Excise Tax Reporting for HIPAA, COBRA and HSA Violations
Excerpt: "HIPAA, COBRA and certain other laws include excise tax penalties for violations and similar excise tax provisions apply to certain health savings account (HSA) and medical savings account (MSA) contributions. Employers have had little guidance on reporting or paying these excise taxes, but final IRS regulations issued in September 2009 fill that void, describing who is responsible for paying the tax, and how and when to report violations." (Mercer LLC)

[Guidance Overview] Complying with HIPAA Privacy and Security Mandates under the HITECH Act: A Field Guide for Benefits Brokers, Consultants and other Business Associates
Excerpt: "The Act has both raised and broadened the HIPAA compliance bar for business associates. Prior law gave business associates something of a free pass. That was -- as they say -- then. Among other things, business associate agreements will need to be reviewed and updated to comply with HITECH's new rules, and employees with access to PHI will need to be trained. Covered entities and business associates should be aggressively moving to anticipate these rules and to comply with them even in the absence of guidance." (Mintz, Levin, Cohn, Ferris, Glovsky and Popeo P.C.)

[Guidance Overview] Enforcement of HITECH Act Breach Provisions Set to Take Effect in February
Excerpt: "[O]n August 24, 2009, HHS released regulations delineating a covered entity's duty to notify affected persons of a breach of unsecured protected health information (PHI). Although these regulations became effective on September 23, 2009, due to concerns over the period of time necessary to comply with these regulations, HHS delayed enforcement of the regulations for six months. This enforcement delay is set to expire on February 22, 2010." (The ERISA Industry Committee)

Important Dates to Remember in the First Quarter of the Year
Examples: HITECH Act Takes Primary Effect, February 17, 2010; DoDAA Grace Period Extension Period Ends, February 17, 2010; Penalties for HITECH Act Breach Notice Violations Begin, February 22, 2010. (Infinisource)

[Guidance Overview] Year-End Reminders for Health and Welfare Plans: 2009
Excerpt: "As an eventful 2009 draws to a close, this Update highlights federal developments affecting health and welfare plans, including new restrictions on the use of genetic information, coverage expansions, the COBRA subsidy program, new rights for military families, parity requirements for mental health coverage, Medicare secondary payer reporting, and changes in HIPAA privacy and security provisions made by the HITECH Act." (Mercer LLC)

Copyright © 2010 ERISAdiagnostics Inc. Toll Free: 866-565-0050 Email: info@ERISAdiagnostics.com