Changes to HIPAA Privacy Rule Proposed by HHS - Find Out Who Has Accessed Your Health Records

On May 31, 2011, the Department of Health and Human Services Office for Civil Rights issued a notice of proposed rulemaking that would add substantial data privacy requirements to the HIPAA Privacy Rule. One of the requirements the HHS proposed pursuant to both the HITECH Act and its more general authority under HIPAA is for individuals to have the right to request from a covered entity (such as a health care provider or a health plan) a list of any individuals or entities that have accessed the individuals’ electronic health records. Currently, HIPAA and HHS regulations require covered entities to track access to health records, but covered entities are not required to provide that information to patients. The proposed rule would give patients the right to request an “access report” which would document the identities of those who electronically viewed their protected health information. “This proposed rule represents an important step in our continued efforts to promote accountability across the health care system, ensuring that providers properly safeguard private health information,” said Georgina Verdugo, Director of the Office for Civil Rights. “We need to protect peoples’ rights so that they know how their health information has been used or disclosed.”

February Brings a Privacy Enforcement Storm: HHS, FTC and FINRA Act

This month, federal agencies and FINRA have announced significant privacy enforcement actions that have resulted in millions of dollars in fines. The U.S. Department of Health and Human Services (HHS) imposed a $4.3M fine on a health plan for violations of the HIPAA Privacy Rule; the Federal Trade Commission (FTC) settled allegations that several resellers of consumer reports failed to adequately safeguard consumer information; and FINRA imposed a $600K fine on two securities firms for failure to safeguard access to customer records. Here are the details:

Health Net Agrees to $250,000 Fine and "Corrective Action Plan" to Settle Loss of PHI

It didn't take long for an Attorney General to latch onto Title XII of the American Recovery and Reinvestment Act of 2009 (a/k/a the Health Information Technology for Economic and Clinical Health Act [the HITECH Act]) in order to convince a covered entity to enter a data loss-related settlement. Indeed, Health Net of the North East, Inc. and its various related affiliates (collectively, “Health Net”) consented to a Stipulated Judgment (Civ. No. 3:2010CV-00057(PCD)), available here, with the Connecticut Attorney General's Office and the State of Connecticut (the “Judgment”), which stands as the first example of a state Attorney General independently enforcing HIPAA violations since the HITECH Act authorized state attorneys general to do so.

FAQ on the Proposed Modifications to the HIPAA Rules: Part Two

This post is Part Two of my FAQ on the proposed modifications to the HIPAA Rules issued by HHS last week.  Part One can be found here. Part Two focuses on the proposed modifications to the Privacy Rule.

FAQ on the Proposed Modifications to the HIPAA Rules: Part One

As reported last week, on Thursday the Department of Health and Human Services ("HHS") issued its long-anticipated Notice of Proposed Rulemaking ("NPRM") on Modifications to the Health Insurance Portability and Accountability Act ("HIPAA") Privacy, Security, and Enforcement Rules under the Health Information Technology for Economic and Clinical Health Act (the "HITECH" Act). For those of us who subscribe to numerous technology and law listservs, this meant email inboxes flooded with opinions, criticism, speculation, and flat-out fear mongering. We thought people might like to know what the proposed modifications actually say, and what they mean. So, this post provides Part One of a FAQ on the 234-page NPRM. This post, Part One, addresses general issues (including significant changes involving subcontractors) and proposed modifications to the HIPAA Security and Enforcement Rules. Part Two, later this week, will address the proposed modifications to the HIPAA Privacy Rule.

InfoLaw Alert: HHS Issues Proposed Modifications to HIPAA Security and Privacy Rules

The Department of Health and Human Services released proposed modifications to the privacy and security rules related to HIPAA. We are still reading through the 234-page document, but it appears that the new rules expand HIPAA responsibilities for business associates. In addition, HHS has set up a web portal that provides a summary of the breaches reported to HHS. There is a 60-day comment period on this proposed rule change. More to come from the Information Law Group in the coming days.