Archive for the ‘HIPAA’ Category

Newer Entries »

Congress to HHS: Remove the harm assessment!

Saturday, October 3rd, 2009
Kansas Governor :en:Kathleen Sebelius speaks w...
Image via Wikipedia

In a strongly-worded letter sent and signed by six congressmen to HHS Secretary Kathleen Sebelius the message was clear: remove the harm assessment that lawmakers rejected when writing the privacy regulations into ARRA. The harm standard essentially says that in case of a breach the covered entity must make an assessment of whether or not the breach can cause reputational, financial, and other types of harm.  This leaves open the possibility that a covered entity could decide to act in its own interest and make the decision not to follow the directives written into the breach notification ruling.

..

There are, of course, two sides of the sword. On one hand it’s difficult to enforce a policy with subjective elements present, such as the harm assessment. It is unlikely that a covered entity would risk the substantial fines, now as high as $1.5 million, and the possibility of criminal prosecution to avoid notification in case a serious breach occurs. However, the harm assessment leaves that possibility open.

..

A drawback to removing the harm assessment is that it is possible that, ironically, that too many breach notifications are sent to people, thereby creating a “boy that cries wolf” effect. In a perfect world breaches would never happen, so there would not need to be a reason to notify people. However, we all know that not to be the reality. Breaches do occur, intentional or not. And people need to be notified as soon as possible. Should covered entities be given the privilege of deciding the severity of the harm and potentially choosing not to notify people? We shall see the next steps Congress and HHS will take.

Reblog this post [with Zemanta]

Tags: , , ,
Posted in ARRA, HIPAA, Regulation, Rulings, Section 13402 | No Comments »

Breach notification goes into effect on September 23, 2009

Wednesday, September 2nd, 2009

The new breach notification guidelines go into effect on September 23rd, 2009. Even though breach notification goes into effect on 9/23/09, the Interim Rule states that civil penalties will not be imposed until February 18th, 2010. The government is aware of the ambiguity and clearly states that it has discretion on imposing sanctions for failure to provide notification in case of a breach notification for breaches occurring before 2/18/10.

..

During the 180 period between 8/2009 and 2/2010 covered entities have the perfect opportunity to review the data stored on their IT systems. The Interim Rule is concerned specifically with Data in Motion, Data in Use, Data at Rest, and Data Disposed. Experior can help determine the best plan of action to implement encryption in your IT systems to protect your organization from breach notification requirements.



Tags: , , ,
Posted in ARRA, Encyption, HIPAA, Rulings, Section 13402 | No Comments »

Protected Health Information – What is it?

Monday, August 24th, 2009

The term Protected Health Information (PHI) has its roots in the term “Individually Identifiable Information” that was first used in the context of privacy regulation in the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

..
HIPAA explicitly defines this Information as “…any information, including demographic information collected from an individual, that–”(A) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and ”(B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and–”(i) identifies the individual; or ”(ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.”

..

Protected  Health Information takes that definition and applies and electronic twist to it. The Interim Final Rule on Breach Notification for Unsecured Protected Health Information on page 4 of the preamble defines protected health information as:  “individually identifiable health information held or transmitted in any form or medium by HIPAA covered entities and business associates, subject to certain limited exceptions”.

..

“Subject to certain limited exceptions” can be interpreted to mean additional exclusions listed in Standards for Privacy of Individually Identifiable Health Information; Final Rule, 45 CFR Parts 160 and 164, ss 164.501. Exclusions as written are an employer in its role as a covered entity (covered entities are employers as well) and education records specified in the Family Education Rights and Privacy Act, 20 U.S.C. 1232g.

‘individually
identifiable health information’ means any information, including demographic
information collected from an individual, that–
“(A) is created or received by a health care provider, health plan, employer, or
health care clearinghouse; and
“(B) relates to the past, present, or future physical or mental health or condition of
an individual, the provision of health care to an individual, or the past, present, or
future payment for the provision of health care to an individual, and–
“(i) identifies the individual; or
“(ii) with respect to which there is a reasonable basis to believe that the information
can be used to identify the individual

Tags: , ,
Posted in ARRA, HIPAA, Rulings | No Comments »

Newer Entries »