Tag Archives: HIPAA

HHS Guidance HIPAA Privacy Rule and Same-sex Marriage

The HHS Office of Civil Rights (OCR) has released guidance on “HIPAA and Same-sex Marriage: Understanding Spouse, Family Member, and Marriage in the Privacy Rule.” The guidance stems from a Supreme Court decision in United States v. Windsor striking down Section 3 of the Defense of Marriage Act (DOMA), which had provided that federal law … Continue Reading

Stolen Unencrypted Laptops Result in HIPAA Settlements for Two Health Companies

Two more health care companies have settled potential violations of the HIPAA Privacy and Security Rules arising from the theft of unencrypted laptops by paying a total of almost $2 million and agreeing to continued oversight by the HHS Office for Civil Rights (OCR). In both instances, the breaches were self-reported and the settlements resulted … Continue Reading

CMS Posts Final HIPAA Administrative Simplification Transaction Testing Checklists

CMS has released additional tools to help health plans, vendors, and providers prepare to demonstrate that they are compliant with Administrative Simplification Transaction Testing standards and operating rules and that they have completed end-to-end testing with their trading partners. Specifically, CMS has released payer, large provider, small provider, vendor-to-provider, and vendor-to-payer checklists to assist these … Continue Reading

Final HIPAA Rule Gives Patients Right to Access Test Results Directly from Labs

On February 6, 2014, the Department of Health & Human Services (HHS) published a final rule making changes to the Clinical Laboratory Improvement Amendments of 1988 (CLIA) and Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations to provide individuals with a greater ability to directly access their laboratory test reports. The rule is … Continue Reading

OIG Concludes OCR Slow to Enforce HIPAA Security Rule and Comply with Cybersecurity Requirements

The OIG has concluded that the HHS Office for Civil Rights (OCR) is not adequately overseeing and enforcing the HIPAA Security Rule. In short, the OIG found that OCR failed to provide for periodic audits, as mandated by HITECH, to ensure that covered entities were in compliance with the Security Rule, and instead continued to … Continue Reading

HHS Proposes HIPAA Amendments Addressing Gun Background Checks

On January 7, 2014, HHS published a proposed rule that would modify the HIPAA Privacy Rule to expressly permit certain HIPAA covered entities to disclose to the FBI’s National Instant Criminal Background Check System (NICS) the identities of individuals who are prohibited under federal law from shipping, transporting, possessing, or receiving a firearm for reasons related … Continue Reading

HHS Proposed Rule on Health Plan Certification of Compliance Requirements

On January 2, 2014, HHS published a proposed rule to promote more consistent testing processes for “controlling health plans” (CHP) to enable these entities to better achieve and demonstrate compliance with HIPAA standards and operating rules. Specifically, the rule would require a CHP to submit documentation demonstrating compliance with HIPAA standards and operating rules for … Continue Reading

HHS OCR Releases HIPAA Privacy Rule Guidance Documents

As reported on our sister blog, http://www.lifescienceslegalupdate.com/, the HHS Office for Civil Rights (OCR) has made a number of recent announcements regarding HIPAA Privacy Rule implementation. First, OCR has issued guidance on how the changes to the HIPAA Privacy Rule’s marketing provisions under the Health Information Technology for Economic and Clinical Health (HITECH) Act and … Continue Reading

Hard Drives on Used Photocopiers Result in HIPAA Violations and $1.2M Settlement to the OCR

As covered on Reed Smith’s Life Sciences Legal Update blog, Affinity Health Plan, Inc. (Affinity) recently reached a $1.2 million settlement with the HHS Office for Civil Rights related to potential violations of the Health Information Portability and Accountability Act of 1996 (HIPAA). Affinity self-reported a breach after learning from a CBS Evening News investigative report … Continue Reading

HHS Considering HIPAA Privacy Rule Amendments to Allow Reporting of Mental Health Data to National Instant Criminal Background Check System

HHS is soliciting comments on whether to amend the HIPAA Privacy Rule to expressly permit covered entities holding information about the identities of individuals who are disqualified from possessing or receiving firearms on mental health grounds to disclose limited information to the National Instant Criminal Background Check System. Comments on the rule will be accepted … Continue Reading

Administration Proposes ACA Insurance Waiting Period Rule

On March 21, 2013, the Internal Revenue Service, Employee Benefits Security Administration, and CMS published proposed rules providing that a group health plan (or health insurance issuer offering group health insurance coverage) may not apply any waiting period that exceeds 90 days, in conformance with the ACA. Under the proposed regulations, waiting period would be … Continue Reading

It’s Here: OCR Releases Long Awaited HIPAA/HITECH Final Rule

The Office for Civil Rights ("OCR") of the Department of Health and Human Services released today the long awaited, and much anticipated, omnibus final rule modifying the HIPAA Privacy, Security, Breach and Enforcement Rules. The final rule, which implements the statutory requirements of the Health Information Technology for Economic and Clinical Health Act ("HITECH") and the Genetic Information Nondiscrimination Act ("GINA"), is comprised of four final rules and addresses the July 2010 HITECH proposed rule, the Breach Notification and Enforcement interim final rules, as well as the October 2009 GINA proposed rule (collectively, the "HITECH Final Rule"). Notably, the HITECH Final Rule does not address the May 2011 proposed accounting and access report rule.… Continue Reading

Obama Administration’s Regulatory Agenda Points to Busy 2013 for HHS

On January 8, 2013, the Obama Administration published its latest semiannual regulatory agenda, outlining planned regulatory initiatives in a number of policy areas. The Federal Register version of the agenda includes only a portion of the regulations in the pipeline, however; the full agenda has been posted on the Office of Management and Budget (OMB) web … Continue Reading

CMS Announces 90-Day Enforcement Discretion Period for HIPAA Eligibility & Claim Status Operating Rules

On January 2, 2013, CMS announced a 90-day “enforcement discretion period” with respect to operating rules mandated by the ACA for two transactions: eligibility for a health plan and health care claim status. Specifically, the CMS Office of E-Health Standards and Services (OESS) will not initiate enforcement action until March 31, 2013, with respect to … Continue Reading

Awaiting the Final HITECH Rule: HURRY UP AND WAIT!

As the year draws to a close, industry is speculating about the release date of the long-awaited Health Information Technology for Economic and Clinical Health Act (“HITECH”) final rule, which is expected to address modifications to the Privacy, Security, Enforcement, and Breach Notification Rules. While the publication date has not yet been announced, it is … Continue Reading

OCR Issues Guidance on De-identifying Protected Health Information

The HHS Office of Civil Rights (OCR) recently released guidance on methods to de-identify protected health information in compliance with the HIPAA Privacy Rule. The guidance, which is summarized on the Reed Smith’s Life Sciences Legal Update blog, is intended to assist covered entities and business associates in understanding what de-identification is and how de-identified … Continue Reading

ONC Invites Comments on Stage 3 Meaningful Use Policy

The Office of the National Coordinator for Health Information Technology (ONC) has issued a Request for Comment (RFC) on Stage 3 meaningful use recommendations, which will “target a collaborative model of care with shared responsibility and accountability.” In releasing the RFC, the ONC acknowledges “today’s challenges in setting up data exchanges,” but recommends that Stage … Continue Reading

CMS Publishes Corrections to Administrative Simplification, IPPS/LTCH PPS Rules

On October 4, 2012, CMS published technical corrections to the agency’s September 5, 2012 final administrative transactions rule that adopted a unique health plan identifier standard and delayed the implementation date for the International Classification of Diseases, 10th Revision (ICD-10) coding update from October 1, 2013 to October 1, 2014. CMS also published a rule … Continue Reading

OIG Recommends Improvements to CMS Response to Health Information Breaches

The OIG has given the CMS mixed reviews regarding the extent to which it meets American Recovery and Reinvestment Act (Recovery Act) requirements to notify affected beneficiaries when the privacy or security of their protected health information is compromised. In the report, “CMS Response to Breaches and Medical Identity Theft,” the OIG assesses how CMS … Continue Reading

HHS Adopts Unique Health Plan Identifier, Delays Implementation Date for ICD-10

On September 5, 2012, the HHS published a final rule that establishes new requirements for administrative transactions that are intended to improve the utility of the existing HIPAA transactions and reduce administrative burden and costs. Specifically, the rule adopts the standard for a national unique health plan identifier (HPID) and establishes requirements for the implementation … Continue Reading

HHS Publishes Operating Rules for Health Care Electronic Funds Transfers (EFT) and Remittance Advice Transactions

On August 10, 2012, the Department of Health and Human Services (HHS) published an interim final rule with comment period setting forth operating requirements for EFTs and electronic remittance advice (ERA) transactions. The rule, which was mandated by the ACA, is the third in a series of regulations intended to streamline health care administrative transactions, … Continue Reading

HIPAA Electronic Funds Transfer, Remittance Advance Standards

HHS has announced via a web posting that it is adopting without change its January 10, 2012 interim final rule with comment period adopting standards for health care electronic funds transfers (EFT) and remittance advice transactions under HIPAA. HHS did not adopt any changes to the regulation in response to public comments, so “industry implementation efforts … Continue Reading

GAO Examines HHS Action on Privacy and Security of Prescription Drug Data

The GAO has issued a report entitled “Prescription Drug Data: HHS Has Issued Health Privacy and Security Regulations but Needs to Improve Guidance and Oversight.” The report assesses the extent to which HHS has established a framework to ensure the privacy and security of Medicare beneficiaries’ protected health information when data on prescription drug use … Continue Reading