Privacy and security

HISPC Concludes with “Action Manual,” Webinars

The HISPC summary report on the work of its final phase is out. Styled an “action and implementation manual,” it presents the work of the privacy and security group’s year-long third phase.

In addition to the summary report, the seven subgroups that comprise the collaboration are presenting their work through free webinars on Tuesdays and Thursdays this month. The sessions focus on the tools and processes developed by each group, as well as how individual, local, regional, and state-level stakeholders can use them.

Kaiser Fined for Celebrity Breach

On Friday the California Department of Public Health announced an administrative penalty of $250,000 against Kaiser Permanente Bellflower Hospital for failing to prevent unauthorized access to octuplet mom Nadya Suleman’s medical records. According to CDPH, 21 employees and two physicians improperly viewed Suleman’s medical records.

The penalty is the first under California’s strict new privacy laws, which went into effect January 1. The $250,000 fine was the maximum allowed.

Kaiser first reported the breach back in April, when it disciplined and fired employees for accessing Suleman’s records. The CDPH investigation announced Friday involved the facility only. Under a separate law, the state may seek prosecution against the individuals themselves.

HIPAA: 43,691 Complaints and Counting

If you ever wonder what progress the Office for Civil Rights is making as it works its way through HIPAA privacy rule complaints, the numbers are easy to find. Each month OCR reports top-line results of the HIPAA cases it has received and resolved.

OCR has logged approximately 43,700 complaints since the privacy rule went into effect April 14, 2003. It has resolved 86 percent of them, and as of April 30 it had nearly 6,000 cases still on its to-do list.

OCR enforces the HIPAA privacy rule only. Enforcement of the security rule falls to the Centers for Medicare and Medicaid Services. Violations of either rule that involve possible criminal violations are referred to the Department of Justice. Through April 30 of this year, OCR had referred 456 cases to the DOJ and 306 cases to CMS.

Ensuring Fair and Consistent Staff Sanctions

Healthcare organizations must ensure that their sanctions policies for internal privacy and security breaches are consistent, fair, and objective for all staff members. Organizations that fail to do so send a confusing message to staff, compromise their privacy and security programs, and lose public trust.

The May practice brief “Sanction Guidelines for Privacy and Security Breaches” offers recommendations for the internal application of sanctions related to information privacy and security breaches for healthcare organizations that manage or service protected health information or individually identifiable health information.

The brief includes a sample sanctions determination document that organizations can customize for their investigations and trending. Each incident requires appropriate investigation along with managerial discretion to declare a misdeed.

“No two healthcare organizations will approach sanctioning and enforcement for privacy and security breaches in exactly the same way,” the authors write. “Each healthcare organization needs to show a demonstrated, consistent ability to deal with privacy and security issues in its own way to ensure consumer trust. Inherent to privacy and security professional roles is a firm leadership commitment to consistent policy and enforcement and sanction application for noncompliance.”

Red Flags Rule Delayed

One day before the Red Flags Rule was to take effect, the Federal Trade Commission announced a three-month delay. Organizations that would have woken up out of compliance today now have until August 1 to comply.

The rule requires “creditors” and financial institutions to develop and implement written identity theft prevention programs. (For more on the rule, see articles in “Privacy & Security.”)

The FTC also announced that it would release a compliance template for entities that have a low risk of identity theft, such as businesses that know their customers personally.

Continued confusion over the terms of the provision resulted in the delay. “Given the ongoing debate about whether Congress wrote this provision too broadly, delaying enforcement of the Red Flags Rule will allow industries and associations to share guidance with their members, provide low-risk entities an opportunity to use the template in developing their programs, and give Congress time to consider the issue further,” FTC Chairman Jon Leibowitz said in the statement.

This is the second delay for the Red Flags rule. The original deadline was November 2008.

GINA Guidance for Researchers

The Department of Health and Human Services has published guidance related to the Genetic Information Nondiscrimination Act (GINA) and its effect on researchers.

“Guidance on the Genetic Information Nondiscrimination Act: Implications for Investigators and Institutional Review Boards” provides background on protections provided by GINA and discusses GINA’s impact on investigators who conduct genetic research and the institutional review boards that review it, particularly on criteria for IRB approval of research and the requirements for obtaining informed consent under the HHS regulations for the protection of human subjects (45 CFR part 46).

Final GINA regulations are expected in May.

To review GINA’s provisions, see the July 2008 “Word from Washington” column “Getting to Know GINA.”

ARRA: Let the NPRMs Begin

The Federal Trade Commission has its ARRA homework well under way. Yesterday it announced its notice of proposed rulemaking (NPRM) on data breach notification.

The American Recovery and Reinvestment Act establishes the first federal requirements on health data breach reporting and notification. It assigns the Department of Health and Human Services to oversee organizations that qualify as covered entities and business associates under HIPAA. It assigns the FTC to oversee everyone else, including vendors of personal health records.

Both HHS and FTC are required to publish interim final regulations by August 16. The provisions become effective 30 days after publication.

According to an FTC press release, the proposed rule:

  • Requires “vendors of personal health records and related entities” to notify consumers of a breach
  • Requires a service provider to a PHR vendor to notify the vendor of a breach, which in turn must notify its customers
  • Defines the triggers for a notice, as well as the timing, method, and content of the notice
  • Requires that entities notify the FTC of a breach, which will in turn post the information on its Web site and share with HHS

The NPRM will appear in the Federal Register shortly, according to FTC.

Public comments on the notice of proposed rulemaking are due by June 1. AHIMA’s commentary will be available on this site in advance of that date.

Update April 20: HHS released its required guidance on rendering protected health information unreadable on April 17. The guidance relates to both HHS’s and the FTC’s breach notification regulations. HHS is accepting comments until May 21.

The Red Flags Rule: Protecting Providers and Patients from Medical Identity Theft

Capping off our Health Information Privacy and Security Week series, Federal Trade Commission attorney Steven Toporoff offers tips on complying with the Red Flags Rule, which goes into effect May 1. Toporoff works in the FTC’s Division of Privacy and Identity Protection, Bureau of Consumer Protection.

Millions of Americans each year fall victim to identity theft. When identity theft involves healthcare, the consequences can be severe. It can result in losses to the healthcare provider from unpaid bills, the exhaustion of the victim’s benefits, or even potentially life-threatening corruption of a patient’s medical records.

The crime also can play havoc with an innocent consumer’s credit rating. Medical identity theft may arise when a person seeks healthcare services or prescription pharmaceuticals using someone else’s name or insurance information. A recent nationwide survey conducted for the FTC found that 4.5 percent of the 8.3 million identity theft victims have experienced some form of medical identity theft.

The Red Flags Rule is designed to help protect patients and providers from suffering the consequences of medical identity theft. Briefly put, this new law requires “creditors” and “financial institutions” to determine if they have either consumer accounts that permit multiple payments or other accounts for which there is a reasonable risk of identity theft. If they do, these covered entities must develop and implement a written identity theft prevention program. Each provider has the flexibility to implement a program that best suits its size, complexity, and actual risk of identity theft.

HITECH Act Privacy Provisions’ Impact for Health Information Exchanges

Continuing this week’s focus on privacy, today’s guest author Stacie Durkin, RN-C, RHIA, MBA, owner, Durkin & Associates, explains what ARRA’s privacy provisions might mean for health information exchange. Durkin co-chairs an AHIMA/HIMSS collaborative workgroup focused on privacy and security in the HIE/RHIO environment.

HIPAA has sharper teeth and a wider net due to the American Recovery and Reinvestment Act of 2009 (ARRA). A section of ARRA called the Health Information Technology for Economic and Clinical Health Act (HITECH Act) is the healthcare portion of the stimulus package that provides $19 billion for health information technology and the federal financial commitment which supports and promotes the adoption of electronic health records (EHRs) by 2014. Some of the perceived weaknesses in HIPAA’s privacy and security regulations will be rectified by ARRA, dubbed “HIPAA II.”

There has been much discussion around the privacy and security issues of shared data. Before the stimulus package, health information exchanges (HIE) were not directly regulated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The new legislation is loaded with requirements, new enforcement provisions and penalties for covered entities, business associates, vendors and others.

Breach Notification Involving Protected Health Information

The American Recovery and Reinvestment Act (ARRA), previously known as the stimulus bill, offers new challenges to health information privacy professionals. Today guest author Peter Adler, attorney at law for Pepper Hamilton LLP, looks at new provisions requiring organizations to provide notice in the event of a breach.

The portion of ARRA known as the HITECH Act amends HIPAA with new notice of breach provisions that apply to covered entities and business associates. A breach generally is an unauthorized acquisition, access, use, or disclosure of unsecured protected health information (PHI) which compromises the security or privacy of such information.

The term “unsecured” essentially means that the PHI is unencrypted. Encryption guidelines are to be specified by the secretary of Health and Human Services or otherwise meet standards that are developed or endorsed by the American National Standards Institute.
