von Briesen Health Law Blog

HHS’ Office of the Inspector General (OIG) plans to audit CMS’ management of the stimulus package’s incentive payment program.  The program will provide roughly $30 billion to hospitals and doctors through the year 2016. The OIG also called for CMS to upgrade its IT systems to comply with the ‘meaningful use’ rules, which are due out shortly.

Doctor and staff sentenced for accessing news anchorwoman’s’ records – first HIPAA “snooping” prosecution by a State AG.

http://www.justice.gov/usao/are/news_releases/PDFs_2009News_Releases/2009_index.html

Effective September 23, 2009, if you are a health care provider, clearinghouse, or health plan that is a “Covered Entity” under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), you must notify affected individuals of certain breaches of their individually identifiable health information by you or your Business Associates.

This new “Rule” goes into effect on September 23, 2009; however, sanctions will not be imposed until after February 22, 2010. Read more…

The grants will be awarded under the American Recovery and Reinvestment Act of 2009 (ARRA) and will help health care providers qualify for new incentives that will be made available in 2010 to doctors and hospitals that “meaningfully use” electronic health records. Click here to read the press release. Click here for more information about applying.

To track the progress of HHS activities funded through the ARRA, visit www.hhs.gov/recovery. To track all federal funds provided through the ARRA, visit www.recovery.gov.

The U.S. Department of Health and Human Services (HHS) issued new regulations today that require health care providers, health plans, and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals when their health information is breached.

The regulations require health care providers and other HIPAA covered entities to promptly notify affected individuals of a breach, and, in cases where a breach affects more than 500 individuals, to notify the HHS Secretary and the media.

Link to HHS press release.

The Federal Trade Commission published its final rule requiring vendors of web-based personal health records to notify consumers when security of their information has been breached. Impacted vendors include many that do not have to comply with HIPAA, such as occupational health vendors that host employee health records and vendors who sell devices that include an option to upload data to a personal record. The rule can be found on the FTC web site.

The Office of the National Coordinator for Health Information Technology recently published an operating plan to meet all the statutory requirements of the HITECH Act and Recovery Act. While we continue to say “don’t do anything yet”, it looks like providers, health plans and entities that furnish services to providers and health plans should be ready to make significant changes to their policies and practices relating to information technology beginning in mid-August, 2009. The Implementation Plan can be viewed here.

The U.S. Department of Health and Human Services (HHS) published guidance regarding technologies and methodologies to secure health information and prevent harm by rendering health information unusable, unreadable, or indecipherable to unauthorized individuals. The American Recovery and Reinvestment Act required publication of the guidance by April 18. This builds on the existing requirements of the HIPAA Privacy and Security Rules, which are unchanged.

The guidance issued provides steps entities can take to secure personal health information and establishes the trigger for when entities must notify that patient data has been compromised. This guidance is related to “breach notification” regulations, which will be issued by HHS and the Federal Trade Commission (FTC) respectively. The HHS regulations will apply to entities covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the FTC regulation will apply to vendors of personal health records and certain others not covered by HIPAA. The Recovery Act requires that these regulations be published within 180 days of enactment.

The guidance must be updated annually but HHS may update and reissue it this year, after public comment is considered and at the same time HHS’ breach notification regulation is published.