Health care providers, health plans and insurers, health care clearinghouses (collectively “Covered Entities”), their business associates, and others concerned about medical privacy regulations or protections should check out two new reports to Congress about breach notifications reported and other compliance data under the Health Insurance Portability & Accountability Act (HIPAA) by the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). Reviewing this data can help Covered Entities and their business associates identify potential areas of exposures and enforcement that can be helpful to minimize their HIPAA liability as well as to expect OCR enforcement and audit inquiries.
Required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, the two new reports discuss various details about HIPAA compliance for calendar years 2011 and 2012. They include the following:
- Report to Congress on Breach Notifications, discussing the breach notification requirements and reports OCR received as a result of these breach notification requirements; and
- Report to Congress on Compliance with the HIPAA Privacy and Security Rules, summarizing complaints received by OCR of alleged violations of the provisions of Subtitle D of the HITECH Act, as well as of the HIPAA Privacy and Security Rules at 45 CFR Parts 160 and 164 .
- Covered entities and their business associates should review the finding reported as part of their compliance practices. Others concerned about medical or other privacy or data security regulations or events also may find the information in the reports of interest.
Under HIPAA, covered entities generally are prohibited from using, accessing or disclosing protected health information about individuals except as specifically allowed by HIPAA, In addition, HIPAA also requires Covered Entities to establish safeguards to protect protected health information against improper access, use or destruction, to afford certain rights to individuals who are the subjects of protected information, to obtain certain written assurances from service providers who are business associates before allowing those service providers to use, access or disclose protected health information when carrying out covered functions for the Covered Entity, and meet other requirements.
The HITECH Act tightened certain rules applicable to the use, access or disclosure of protected health information by covered entities and their business associates. In addition, the HITECH Act added breach notification rules, extended direct responsibility for compliance with HIPAA to business associates, increased penalties for noncompliance with HIPAA and made other refinements to HIPAA’s medical privacy rules and made certain other changes.
Enforcement of HIPAA and the resulting penalties have increased since the HITECH Act took effect.
Covered Entities generally have been required to comply with most requirements the Omnibus Final Rule’s restated regulations restating OCR’s regulations implementing the Health Insurance Portability & Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules to reflect HIPAA amendments enacted by the HITECH Act since March 26, 2013 and to have updated business associate agreements in place since September 23, 2013. Although these deadlines are long past, many Covered Entities and business associates have yet to complete the policy, process and training updates required to comply with the rule changes implemented in the Omnibus Final Rule.
Even if a Covered Entity or business associate completed the updates required to comply with the Omnibus Final Rule, however, recent supplemental guidance published by OCR means that most organizations now have even more work to do on HIPAA compliance. This includes the following supplemental guidance on its interpretation and enforcement of HIPAA against Covered Entities and business associates published by OCR since January 1, 2014 alone:
- HIPAA Privacy Rule and Sharing Information Related to Mental Health published on
- Spanish Language Model Notices of Privacy Practices published on 2/13/14
- CLIA Program and HIPAA Privacy Rule; Patients’ Access to Test Reports published on 2/3/14; and
- Proposed Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and the National Instant Criminal Background Check System (NICS) published on 1/7/14.
Beyond this 2014 guidance, Covered Entities and their business associates also should look at enforcement actions and data as well as other guidance OCR issued during 2013 after publishing the Omnibus Final Rule such as:
- HIPAA Privacy Rule: Disclosures for Emergency Preparedness – A Decision Tool
- The HIPAA Privacy Rule and Refill Reminders and Other Communications about a Drug or Biologic Currently Being Prescribed for the Individual
- Health Information of Deceased Individuals
- Student Immunizations; and
- Model Notices of Privacy Practices (English).
With OCR stepping up both audits and enforcement and penalties for violations higher than ever since the HITECH Act amended HIPAA, Covered Entities and business associates should act quickly to review and update their policies, practices and training to implement any adjustments needed to maintain compliance and manage other risks under these ever-evolving HIPAA standards.
When conducting these efforts, Covered Entities and business associates not only carefully watch for and react promptly to new OCR guidance and enforcement actions, but also document their commitment and ongoing compliance and risk management activities to help support their ability to show their organization maintains the necessary “culture of compliance” commitment needed to mitigate risks in the event of a breach or other HIPAA violation and take well-documented, reasonable steps to encourage their business associates to do the same. When carrying out these activities, most covered entities and business associates also will want to take steps to monitor potential responsibilities and exposures under other federal and state laws like the privacy and data security requirements that often apply to personal financial information, trade secrets or other sensitive data under applicable federal and state laws and judicial precedent.
For Help With Investigations, Policy Review & Updates Or Other Needs
If you need assistance in auditing or assessing, updating or defending your HIPAA, or other health or other employee benefit, labor and employment, compensation, privacy and data security, or other internal controls and practices, please contact the author of this update, attorney Cynthia Marcotte Stamer at firstname.lastname@example.org or at (469)767-8872.
The Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Committee, a Council Representative on the ABA Joint Committee on Employee Benefits, Government Affairs Committee Legislative Chair for the Dallas Human Resources Management Association, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer works, publishes and speaks extensively on HIPAA and other privacy and data security, health plan, health care and other human resources and workforce, employee benefits, compensation, internal controls and related matters.
For more than 23 years, Ms. Stamer has counseled, represented and trained employers and other employee benefit plan sponsors, plan administrators and fiduciaries, insurers and financial services providers, third party administrators, human resources and employee benefit information technology vendors and others privacy and data security, fiduciary responsibility, plan design and administration and other compliance, risk management and operations matters. She also is recognized for her publications, industry leadership, workshops and presentations on privacy and data security and other human resources, employee benefits and health care concerns. Her many highly regarded publications on privacy and data security concerns include “Privacy Invasions of Medical Care-An Emerging Perspective.” ERISA Litigation Manual. BNA, 2003-2009; “Privacy & Securities Standards-A Brief Nutshell.” BNA Tax Management and Compliance Journal. February 4, 2005; “Cybercrime and Identity Theft: Health Information Security beyond HIPAA.” ABA Health eSource. May, 2005 and many others. She also regularly conducts training on HIPAA and other privacy and data security compliance and other risk management matters for a broad range of organizations including the Association of State and Territorial Healthcare Organizations (ASTHO), the Los Angeles County Health Department, a multitude of health plans and their sponsors, health care providers, the American Bar Association, SHRM, the Society for Professional Benefits Administrators and many others. Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, and many other national and local publications. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see www.CynthiaStamer.com or contact Ms. Stamer directly.
About Solutions Law Press
Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested reviewing some of our other Solutions Law Press resources available at http://www.solutionslawpress.com including:
- CMS Proposes Durable Medical Equipment, Prosthetics, Orthotics, and Supplies (DMEPOS) Pre-Authorization Rule
- Medicare Fraud Strike Force Nails 90 Individuals For Almost $260 Million In False Billing Including 16 Doctors
- 6/30 Comment Deadline For Proposed Inpatient Rehab Payment and Quality Reporting Rules
- Encrypt Mobile Devices & Clean Up Management Documentation Key HIPAA Compliance Messages In New HIPAA Settlements
- Small Smiles Dental Centers Excluded As Federal Health Program Provider For 5 Years
- Latest OCR Resolution Agreement Hits Public Health Department, Shows Needs To Stay Up-To-Date
- NLRB Helps Union Force Another Health Care Employer To Recognize & Bargain With Union
- Hospital Will Pay $75K For Refusing To Hire Disabled Worker
- OCR Assigns More HIPAA Compliance Work To Health Care Providers
- Federal Health Care Fraud Enforcement Recouped Record $4.3 Billion in FY 2013
- CMS Publishes Tools To Help Providers Understand E-Health Administrative Simplification Tools & Processes
- OSHA Hospital Tool Signals OSHA Enforcement RIsk
- Health Insurance Provider Fee Reporting Rules Published
- IRS Extends Existing 501(r) Guidance Reliance Period For ACA-Added Hospital Tax-Exemption Requirements
- HHS “Safer Guides” Tool For Safe EHR Implementation Published
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile at www.SolutionsLawPress.com.
©2014 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press. All other rights reserved.