Indiana Security & Privacy Network
News

Dec 17, 2009

InSPN Newsletter

See the link for a review of the November 2009 meeting presentation by Dr. Marc Rogers, the InSPN 2010 meeting dates and Board of Directors, and recent privacy and security news.

More

Oct 31, 2009

HITECH Act Enforcement Interim Final Rule

The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.

Section 13410(d) of the HITECH Act, which became effective on February 18, 2009, revised section 1176(a) of the Social Security Act (the Act) by establishing:

- Four categories of violations that reflect increasing levels of culpability;
- Four corresponding tiers of penalty amounts that significantly increase the minimum penalty amount for each violation; and
- A maximum penalty amount of $1.5 million for all violations of an identical provision.

It also amended section 1176(b) of the Act by:

- Striking the previous bar on the imposition of penalties if the covered entity did not know and with the exercise of reasonable diligence would not have known of the violation (such violations are now punishable under the lowest tier of penalties); and
- Providing a prohibition on the imposition of penalties for any violation that is corrected within a 30-day time period, as long as the violation was not due to willful neglect.

This interim final rule conforms HIPAA’s enforcement regulations to these statutory revisions that are currently effective under section 13410(d) of the HITECH Act. This interim final rule does not make amendments with respect to those enforcement provisions of the HITECH Act that are not yet effective under the applicable statutory provisions. This interim final rule will become effective on November 30, 2009. HHS has invited public comments on the interim final rule, which will be considered if received by December 29, 2009.
See MORE to view the Enforcement Interim Final Rule and the Press Release.

More

Oct 30, 2009

FTC Extends Enforcement Deadline for Identity Theft Red Flags Rule

At the request of Members of Congress, the Federal Trade Commission is delaying enforcement of the “Red Flags” Rule until June 1, 2010, for financial institutions and creditors subject to enforcement by the FTC. The Rule was promulgated under the Fair and Accurate Credit Transactions Act, in which Congress directed the Commission and other agencies to develop regulations requiring “creditors” and “financial institutions” to address the risk of identity theft. The resulting Red Flags Rule requires all such entities that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft. The Commission previously delayed the enforcement of the Rule for entities under its jurisdiction until November 1, 2009.

The Commission staff has continued to provide guidance to entities within its jurisdiction, both through materials posted on the dedicated Red Flags Rule Web site (www.ftc.gov/redflagsrule), and in speeches and participation in seminars, conferences and other training events to numerous groups. The Commission also published a compliance guide for business, and created a template that enables low risk entities to create an identity theft program with an easy-to-use online form. FTC staff has published numerous general and industry-specific articles, released a video explaining the Rule, and continues to respond to inquiries from the public. To assist further with compliance, FTC staff has worked with a number of trade associations that have chosen to develop model policies or specialized guidance for their members.

On October 30, 2009, the U.S. District Court for the District of Columbia ruled that the FTC may not apply the Red Flags Rule to attorneys. Today’s announcement that the Commission will delay enforcement of the Rule until June 1, 2010, does not affect the separate timeline of that proceeding and any possible appeals. Nor does it affect other federal agencies’ ongoing enforcement for financial institutions and creditors subject to their oversight.

The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 1,700 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s Web site provides free information on a variety of consumer topics.

MEDIA CONTACT: Office of Public Affairs, 202-326-2180

More

Oct 12, 2009

HIPAA Breach Notification Update: No harm, No foul, No more?

From Hall Render: On August 24, 2009, the Department of Health and Human Services ("HHS") published its interim final rule regarding the breach notification requirements applicable to covered entities and their business associates under HIPAA (the "Rule"). HHS was required to issue the Rule pursuant to the Health Information Technology for Economic and Clinical Health ("HITECH") Act, part of the American Recovery and Reinvestment Act of 2009 ("ARRA"). The Rule became effective September 23, 2009, but HHS will forego imposing sanctions for breaches occurring before February 22, 2010. On October 1, 2009, several Congressmen sent a letter (the "Letter") to HHS Secretary Kathleen Sebelius expressing concern that the Rule is inconsistent with Congressional intent and should be revised because it sets too high of a standard for notification of individuals when an unauthorized use or disclosure of protected health information ("PHI") occurs. This creates an interesting dilemma for covered entities and business associates who are seeking to comply with the Rule. See MORE for further information.

More

Sep 4, 2009

HHS health IT meetings will focus on privacy, security

The Health IT Committee that is advising the National Coordinator for Health IT is meeting again in the near future. The Committee is open to comments. Here is a recent article about it:

By Mary Mosquera, Wednesday, September 02, 2009

Both panels that advise the national coordinator for health IT plan to focus on privacy and security standards needed to support meaningful use of electronic health records when they meet later this month, according to notices in today’s Federal Register. The Health IT Policy Committee, led by Dr. David Blumenthal, the national coordinator for health IT, will direct more of its discussion at its upcoming Sept. 18 meeting on health information privacy and security as it makes progress in defining meaningful use under the stimulus law, according to the notice. Likewise, the companion Health IT Standards Committee, which meets Sept. 15, will concentrate on refining standards recommendations made by its privacy and security work group.

At the Standards Committee’s previous meeting Aug. 20, its privacy and security workgroup presented standards for authentication, authorization, auditing and secure data transmission of health information in EHR products as well as the infrastructure that hosts them. The work of the panel includes protecting data inside an enterprise as well as data exchange between enterprises, “because security is an end to end process,” noted Dr. John Halamka, the committee’s chairman, in a post on his blog, “Life as a Healthcare CIO.”

More