HIPAA Business Associate Audits May Be On The Way

Business Associates (“BAs”) may be audited, in addition to covered entities, in 2012 audits by the Office for Civil Rights (“OCR”). OCR has a three-step audit program in progress. If the initial program “goes well” (whatever that means), then OCR will implement a full range of onsite audits and an evaluation process. BAs come into contact with significant amounts of protected health information. Because approximately 20% of HIPAA breaches involve BAs, consideration is being given to including BAs as audit targets.

© 2011 Parsonage Vandenack Williams LLC

  For more information, contact info@pvwlaw.com

HITECH Breach Logs Due March 1

Under the HITECH Breach Notification Rule, covered entities must notify certain parties following a breach of unsecured protected health information (“PHI”).  First, covered entities must notify affected individuals following the discovery of a breach.  If the breach affects more than 500 residents of a State or jurisdiction, covered entities are also required to provide notice to prominent media outlets.

Additionally, covered entities must provide notice of breaches to the Secretary of the U.S. Department of Health and Human Services (“HHS”). The timing of the notification obligation to the HHS Secretary depends on the number of affected individuals for a particular breach. If a breach involves 500 or more individuals, the Secretary must be notified “contemporaneously” with the notice to affected individuals. 45 CFR § 164.408(b). If a breach involves fewer than 500 individuals, a covered entity is required to maintain a log or other documentation of the breach and provide notice to the Secretary “not later than 60 days after the end of each calendar year.” 45 CFR § 164.408(c).

By March 1, 2011, covered entities must notify the Secretary of all breaches that occurred during 2010. The notification must be submitted electronically by using the following form: http://transparency.cit.nih.gov/breach/index.cfm. A separate form must be completed for each breach that occurred during the preceding calendar year. 


HIPAA, HITECH FINAL RULES ANTICIPATED BY EARLY 2011

The HIPAA and HITECH final rules could be published by the end of 2010 or early 2011.

Adam H. Greene, JD, MPH, senior health information technology and privacy specialist for the Office for Civil Rights (“OCR”), announced this prediction on October 4, 2010 during the Fourth Annual HIPAA Summit West: Healthcare Privacy and Security after HITECH and Health Reform.

Greene would not guarantee his prediction.  However, this past summer, Greene accurately said he expected a proposed rule on changes to the HIPAA privacy, security and enforcement rules to be released around July 8, 2010.  That is exactly the date that the display copy of the rule was released.  The proposed rule was published in the Federal Register on July 14, 2010.

© 2010 Parsonage Vandenack Williams LLC
