Archive for HITECH Act
Submit your HIPAA questions to Editor Jaclyn Fitzgerald at email@example.com and we will work with our experts to provide the information you need.
Q: Are there any penalties for sending an unencrypted email containing PHI to the intended recipient? Would this just be a violation of the CE’s policy and not a privacy breach under HITECH?
A: HIPAA and HITECH tell us that every CE must perform a documented risk assessment (preferably annually) to determine the level of risk and how it will handle various privacy and security issues. (For more guidance visit www.hhs.gov/news/press/2014pres/03/20140328a.html.)
You should consider and document the risk of sending unencrypted PHI to patients via email in your risk assessment. More and more CEs are deciding that sending unencrypted emails to patients is not worth the risk it poses.
In addition to the security risk, there is the chance that the patient may email you in an emergency, and you may fail to respond in a timely way. There is also the possibility that email can be forwarded, copied, or altered. Email also presents retention issues as providers will not always print the email exchange for the actual patient record. Fortunately, many organizations are implementing patient portals that not only have encrypted messaging functionality but also retain the exchange in the record.
Editor’s note: Chris Simons, MS, RHIA, the director of HIM and privacy officer at Cheshire Medical Center/Dartmouth-Hitchcock in Keene, New Hampshire, answered this question for HCPro’s Medical Records Briefing. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.
The Office of the Inspector General (OIG) recently released its fiscal year (FY) 2014 Work Plan, which addresses the HIPAA Privacy the Breach Notification Rules with a focus on PHI.
OIG will review and assess Office for Civil Rights (OCR) oversight of covered entities’ (CE) compliance with the HIPAA Privacy Rule. OIG will also determine the compliance of Medicare Part B CEs with certain privacy standards, according to the FY2014 Work Plan. OIG said it would review OCR investigation policies and assess OCR oversight to determine CE compliance with the Privacy Rule.
In addition, OIG will review OCR oversight of CEs’ compliance with the Breach Notification Rule. OIG will review OCR investigations of breaches reported by CEs and will determine Medicare Part B CE compliance with breach standards, according to the FY2014 Work Plan.
In the FY2013 Work Plan, OIG said it would focus on reviewing the following areas related to HIPAA:
- OCR policies for investigating the policies and plans for breach mitigation of Medicare Part B CEs
- OCR oversight of HIPAA Privacy Rule and Breach Notification Rule compliance
- CMS’ oversight of Medicaid compliance with the HIPAA Security Rule with especially where State Medicaid
- Management Information Systems and security controls over Web-based applications were concerned
The Office for Civil Rights (OCR) is not adequately enforcing HIPAA, according to a report released by the U.S. Department of Health and Human Services Office of the Inspector General (OIG).
The OIG sought to determine whether OCR met the federal requirements for oversight and enforcement of the HIPAA Security Rule and whether the OCR computers used to oversee and enforce the Security Rule met federal cyber-security requirements. The OIG investigation found that OCR met the following Security Rule enforcement requirements:
- Providing covered entities (CE) with guidance to promote Security Rule compliance
- Establishing an investigation processes for reported Security Rule violations
- Following federal regulations for penalties for Security Rule violators
The report went on to state that OCR failed to do the following:
- Assess risks, establish priorities, or implement controls for periodic Security Rule audits of CEs, which is required by the HITECH Act.
- Maintain Security Rule investigation files that contain documentation to support key decisions. According to the report, this oversight is a result OCR’s inability to sufficiently review investigation documentation.
- Meet federal cyber-security requirements described in the National Institute of Standards and Technology Risk Management Framework.
The Office for Civil Rights announced today its second-largest settlement for potential HIPAA privacy and security rule violations.
The managed care company WellPoint, Inc., agreed to pay the U.S. Department of Health and Human Services $1.7 million, tying Alaska’s Medicaid division for second place behind CVS Caremark ($2.25 million) on OCR’s HIPAA settlement list.
“This case sends an important message to HIPAA-covered entities to take caution when implementing changes to their information systems, especially when those changes involve updates to web-based applications or portals that are used to provide access to consumers’ health data using the Internet,” according to the OCR press release.
OCR investigated WellPoint following a breach report submitted in 2009 by WellPoint as required by the HITECH Act. The report indicated that security weaknesses in an online application database left the electronic protected health information (ePHI) of 612,402 individuals accessible to unauthorized individuals over the Internet.
OCR’s investigation indicated that WellPoint did not implement appropriate administrative and technical safeguards as required under the HIPAA Security Rule.
OCR has reported 20 large patient information breaches in about a 20-day span this month as of May 29, bumping the total number of breaches listed to more than 600, according to its breach notification website.
OCR, the HIPAA privacy and security enforcer, had reported 543 patient-information breaches affecting 500 or more individuals as of March 1. That number rose to 556 as of March 16 and as of May 10 was at 587, then went up to 607 as of May 29. The total number of breach reports of this kind reached 502 as of late October and 525 to start 2013.
OCR began posting the breaches per HITECH in February 2010. In about three years, OCR has reported an average of about 15 breaches per month, or one every other day. The breaches date back to September 2009 but began appearing online in February 2010.