Search Results for: privacy

The HITECH Final Rule: The New Privacy/Security Rules of the Road Have Finally Arrived

On January 25, 2013, the Office for Civil Rights of the United States Department of Health and Human Services published the long-awaited final regulation implementing many of the amendments and additions to the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules directed by the 2009 Health Information Technology for Economic and Clinical Health Act (“HITECH Act”).

Noteworthy provisions of the HITECH Final Rule include:

– Making Business Associates directly liable for compliance with certain requirements of the HIPAA Privacy and Security Rules;
– Converting subcontractors of Business Associates that create, receive, maintain, or transmit PHI on behalf of the Business Associate into Business Associates themselves;
– Requiring authorizations for all treatment and health care operations communications where the Covered Entity receives financial remuneration for making the communications from a third party whose product or service is being marketed;
– Replacing the Breach Notification Rule’s “harm” threshold with a presumption that an impermissible use or disclosure of PHI is a Breach unless the Covered Entity or Business Associate demonstrates that there is a low probability that the PHI has been compromised; and
– Mandating compliance by Covered Entities and Business Associates with applicable requirements by September 23, 2013.

Understanding of Global Data Privacy Regulations Helps Avoid Conflicts in Cross-Border Discovery Disputes

InsideCounsel recently published, “E-discovery: The need for a transnational approach to cross-border discovery disputes,” an article on international discovery issues and the benefit of a respectful approach to document productions outside of the U.S. Written by Reed Smith Records & E-Discovery Group members David R. Cohen, Regis W. Stafford, Jr. and Caitlin R. Gifford, the piece notes that proposed EU Data Protection Directive regulations have the potential to subject multinational companies to sanctions of up to two percent of annual worldwide revenue for serious breaches, including unlawful data transfers to the U.S. In addition, although not binding on U.S. courts, the ABA recently issued a resolution and recommendation that states in part that U.S. courts should “consider and respect the data protection and privacy laws of any foreign sovereign…” This article underscores the importance of a comprehensive global approach to document production in cross-border litigation.

OCR Launches Privacy and Security Audits

To implement the HITECH Act’s mandate for the Office for Civil Rights (OCR) to perform HIPAA audits, OCR has just announced that it is piloting a program to perform up to 150 audits of covered entities to assess privacy and security compliance. Audits conducted during the pilot phase are planned to begin with an initial 20 audits between November 2011 and April 2012. The remaining audits are scheduled to conclude by December 2012. All covered entities and business associates are eligible for audits; however, OCR has indicated that it is focusing on covered entities (ranging in type and size) in the initial phase. Business associates will be included in future audits.

HHS Issues Notice of Proposed Rulemaking Regarding the HIPAA Privacy Rules Standard for Accounting of Disclosures Requirements and Access Report

Today the Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking implementing provisions of the HITECH Act related to accounting for disclosures of protected health information (PHI). Pursuant to the HITECH Act and its more general authority under HIPAA, HHS proposed to divide the Privacy Rule provisions related to an accounting into two separate individual rights: (1) an accounting and (2) an access report.

HHS Issues Notice of Proposed Rulemaking Regarding the HIPAA Privacy Rules Standard for Accounting of Disclosures Requirements

This post was also written by Gina M. Cavalier and Vicky G. Gormanly. Pursuant to the HITECH Act, covered entities and business associates must account for disclosures of PHI for treatment, payment and health care operations if the disclosures are through an electronic health record. This represents a significant change to the requirements under the current …

HHS Announces First Ever Civil Money Penalty for Violations of HIPAA Privacy Rule

Earlier today the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the imposition of the first ever civil money penalty for violations of the HIPAA Privacy Rule. The penalty – which is $4.3 million – was assessed against Cignet Health of Prince Georges County, a health insurer. The underlying HIPAA …

Final HITECH Privacy and Security Rule Expected Soon

According to a senior health information technology and privacy specialist at the HHS Office for Civil Rights (OCR), regulations finalizing the July 14, 2010, proposed rule implementing many of the HITECH Act’s privacy, security, and enforcement requirements could be published by the end of 2010 or in early 2011. Additionally, OCR is developing a “periodic audit” plan required by the HITECH Act, which will be targeted to ensure that covered entities and business associates comply with the requirements of the Privacy and Security Rules.

HITECH Privacy and Security Regulations Currently Being Drafted

The Health Information Privacy page of the U.S. Department of Health and Human Services (HHS) website has formally announced that regulations implementing the privacy and security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act will soon be published (along with a comment period) relating to (1) business associate liability; (2) new limitations on the sale of protected health information, marketing and fundraising communications; and (3) stronger individual rights to access electronic medical records and restrict the disclosure of certain information. Although this posting is certainly welcome news, from a timing perspective the announcement only indicates that “OCR continues work on a Notice of Proposed Rulemaking (NPRM) regarding these provisions.”

Health Information Privacy and Incentives, Medicaid Funding, and Other Health Care Provisions in the American Recovery and Reinvestment Act

On February 17, 2009, President Obama signed into law H.R. 1, the American Recovery and Reinvestment Act (the “ARRA”). The sweeping $790 billion economic stimulus package includes a number of health care policy provisions. Reed Smith’s Health Care Memorandum summarizes the major health policy provisions of the Act.

HIPAA Privacy and Security Changes in the American Recovery and Reinvestment Act

On Feb. 17, 2009, President Obama signed into law H.R. 1, the American Recovery and Reinvestment Act (the “ARRA”). This memorandum outlines significant changes and additions to the landscape of federal privacy and security law set forth in Subtitle D of the ARRA. In general, the privacy and security portions of the ARRA become effective 12 months after the enactment of the ARRA, which is approximately February 2010. It is also important to note that the ARRA directs the Secretary of the U.S. Department of Health & Human Services (“HHS”) to amend the HIPAA Privacy and Security Rules to implement the legislative changes. As such, the effective dates associated with the rulemaking process will vary.
