Download a PDF of the Current Issue 2015 Volume 12 Number 3 July- September

HIPAA – Privacy Regulatory Updates

Heather Noughton -Bokor CHC. Compliance Specialist
Shands HealthCare Corporate Compliance Dept
6-4-3 ◆ HHS / FTC Issues Breach Notification Rules:   The Department of Health and Human Services (HHS) issued rules related to breach notification requirements for providers, health plans, and other entities covered under the Health Insurance Portability and Accountability Act (HIPAA). Additionally, the Federal Trade Commission has issued similar rules impacting vendors of personal health records and certain others not covered by HIPAA. These rules serve to implement provisions of the American Recovery and Reinvestment Act of 2009 (ARRA). The regulations require prompt notification to affected individuals of a breach of the privacy of their unsecured personal health information. In addition, providers and other covered entities are required to notify the HHS Secretary and the media in cases where a breach impacts more than 500 individuals. Breaches affecting less than 500 individuals are to be reported to HHS annually. Notice obligations are effective for breaches occurring on or after September 24, 2009.   ◆ Red Flag Rules Delayed Until November 1, 2009:   The Federal Trade Commission (FTC) announced an additional delay in the enforcement of the “Red Flags” Rule. The Rule requires those with covered accounts, including hospitals, to implement programs to identify, detect, and respond to the warning signs (“red flags”) that could indicate identify theft. To give creditors and financial institutions more time to review this guidance and develop and implement written Identity Theft Prevention Programs, the FTC will further delay enforcement of the Rule until November 1, 2009. At the same time, in order to assist small businesses and other entities, the Federal Trade Commission staff will redouble its efforts to educate them about compliance with the “Red Flags” Rule and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply.   ◆ HHS has delegated authority for enforcement of the HIPAA security rule to the Office of Civil Rights (OCR)   Security rule enforcement had been handled by CMS, while OCR has handled only privacy rule enforcement. Under the security rule, the OCR will now be able to impose civil money penalties and issue subpoenas.