Proposed rule to give people the right to know who has accessed their protected health information

[Minuteman]

Not directly (or possibly even remotely) related to circumcision, but may be of interest to readers from the United States.

http://www.hhs.gov/news/press/2011pr...20110531c.html

Quote:

News Release

FOR IMMEDIATE RELEASE
May 31, 2011


Contact: HHS Press Office
(202) 690-6343
HHS announces proposed changes to HIPAA Privacy Rule

HITECH lets people know who has accessed their health information

A Notice of Proposed Rulemaking concerning the accounting of disclosures requirement under the Health Insurance Portability and Accountability (HIPAA) Act Privacy Rule, is available for public comment. The proposed rule would give people the right to get a report on who has electronically accessed their protected health information.

The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) is proposing changes to Privacy Rule, pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act. HITECH is part of the American Recovery and Reinvestment Act of 2009.

“This proposed rule represents an important step in our continued efforts to promote accountability across the health care system, ensuring that providers properly safeguard private health information,” said OCR Director Georgina Verdugo. “We need to protect peoples’ rights so that they know how their health information has been used or disclosed.”

People would obtain this information by requesting an access report, which would document the particular persons who electronically accessed and viewed their protected health information. Although covered entities are currently required by the HIPAA Security Rule to track access to electronic protected health information, they are not required to share this information with people.

The proposed rule requires an accounting of more detailed information for certain disclosures that are most likely to affect a person’s rights or interests. The proposed changes to the accounting requirements provide information of value to individuals while placing a reasonable burden on covered entities and business associates.

People may now read the proposed rule at: http://www.federalregister.gov/ and submit comments to http://www.regulations.gov/ (search for Proposed Rule) through August 1, 2011.

People who believe a covered entity has violated their (or someone else’s) health information privacy rights or committed another violation of the HIPAA Privacy or Security Rule, may file a complaint with OCR at http://www.hhs.gov/ocr/privacy/hipaa...nts/index.html. Additional information about OCR’s enforcement activities can be found at http://www.hhs.gov/ocr.


###

[Minuteman]

"University of California settles HIPAA Privacy and Security case involving UCLA Health System facilities" HHS Newsroom 7 July 2011.

http://www.hhs.gov/news/press/2011pr...20110707a.html

Quote:

News Release

FOR IMMEDIATE RELEASE
July 7, 2011


Contact: HHS Press Office
(202) 690-6343
University of California settles HIPAA Privacy and Security case involving UCLA Health System facilities

UCLAHS to improve policies and procedures to better safeguard patient information

Following an investigation by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), the University of California at Los Angeles Health System (UCLAHS) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules for $865,500 and has committed to a corrective action plan aimed at remedying gaps in its compliance with the rules.

The resolution agreement resolves two separate complaints filed with OCR on behalf of two celebrity patients who received care at UCLAHS. The complaints alleged that UCLAHS employees repeatedly and without permissible reason looked at the electronic protected health information of these patients. OCR’s investigation into the complaints revealed that from 2005-2008, unauthorized employees repeatedly looked at the electronic protected health information of numerous other UCLAHS patients.

Through policies and procedures, entities covered under HIPAA must reasonably restrict access to patient information to only those employees with a valid reason to view the information and must sanction any employee who is found to have violated these policies.

“Covered entities are responsible for the actions of their employees. This is why it is vital that trainings and meaningful policies and procedures, including audit trails, become part of the everyday operations of any health care provider,” said OCR Director Georgina Verdugo. “Employees must clearly understand that casual review for personal interest of patients’ protected health information is unacceptable and against the law.”

The corrective action plan requires UCLAHS to implement Privacy and Security policies and procedures approved by OCR, to conduct regular and robust trainings for all UCLAHS employees who use protected health information, to sanction offending employees, and to designate an independent monitor who will assess UCLAHS compliance with the plan over 3 years.

“Covered entities need to realize that HIPAA privacy protections are real and OCR vigorously enforces those protections. Entities will be held accountable for employees who access protected health information to satisfy their own personal curiosity,” said Director Verdugo.

HHS OCR enforces the HIPAA Privacy and Security Rules. The Privacy Rule gives people rights over their protected health information and sets rules and limits on uses and disclosures of that health information. The Security Rule protects health information in electronic form by requiring entities covered by HIPAA to implement physical, technical and administrative safeguards to ensure that people’s electronic protected health information remains private and secure.

Individuals who believe that a covered entity has violated their (or someone else’s) health information privacy rights or committed another violation of the HIPAA Privacy or Security Rule may file a complaint with OCR at: http://www.hhs.gov/ocr/privacy/hipaa...nts/index.html.

The HHS Resolution Agreement and CAP can be found on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa...CLAHSracap.pdf.

Additional information about OCR’s enforcement activities can be found at http://www.hhs.gov/ocr/privacy/hipaa...les/index.html.


###

Note: All HHS press releases, fact sheets and other press materials are available at http://www.hhs.gov/news.

Last revised: July 7, 2011

Cross-posted on this thread http://www.foreskin-restoration.net/...ead.php?t=8131

[Minuteman]

"HHS settles HIPAA case with BCBST for $1.5 million" HHS Newsroom 13 March 2012.

http://www.hhs.gov/news/press/2012pr...20120313a.html

Quote:

First enforcement action resulting from HITECH Breach Notification Rule

Blue Cross Blue Shield of Tennessee (BCBST) has agreed to pay the U.S. Department of Health and Human Services (HHS) $1,500,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules, Leon Rodriguez, Director of the HHS Office for Civil Rights (OCR), announced today. BCBST has also agreed to a corrective action plan to address gaps in its HIPAA compliance program. The enforcement action is the first resulting from a breach report required by the Health Information Technology for Economic and Clinical Health (HITECH) Act Breach Notification Rule.

The investigation followed a notice submitted by BCBST to HHS reporting that 57 unencrypted computer hard drives were stolen from a leased facility in Tennessee. The drives contained the protected health information (PHI) of over 1 million individuals, including member names, social security numbers, diagnosis codes, dates of birth, and health plan identification numbers. OCR’s investigation indicated BCBST failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes. In addition, the investigation showed a failure to implement appropriate physical safeguards by not having adequate facility access controls; both of these safeguards are required by the HIPAA Security Rule.

“This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program,” said OCR Director Leon Rodriguez. “The HITECH Breach Notification Rule is an important enforcement tool and OCR will continue to vigorously protect patients’ right to private and secure health information.”

In addition to the $1,500,000 settlement, the agreement requires BCBST to review, revise, and maintain its Privacy and Security policies and procedures, to conduct regular and robust trainings for all BCBST employees covering employee responsibilities under HIPAA, and to perform monitor reviews to ensure BCBST compliance with the corrective action plan.

HHS Office for Civil Rights enforces the HIPAA Privacy and Security Rules. The HIPAA Privacy Rule gives individuals rights over their protected health information and sets rules and limits on who can look at and receive that health information. The HIPAA Security Rule protects health information in electronic form by requiring entities covered by HIPAA to use physical, technical, and administrative safeguards to ensure that electronic protected health information remains private and secure.

The HITECH Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” of 500 individuals or more to HHS and the media. Smaller breaches affecting less than 500 individuals must be reported to the secretary on an annual basis.

Individuals who believe that a covered entity has violated their (or someone else’s) health information privacy rights or committed another violation of the HIPAA Privacy or Security Rule may file a complaint with OCR at: http://www.hhs.gov/ocr/privacy/hipaa...nts/index.html.

The HHS Resolution Agreement can be found at http://www.hhs.gov/ocr/privacy/hipaa...ment/examples/
resolution_agreement_and_cap.pdf.

Additional information about OCR’s enforcement activities can be found at http://www.hhs.gov/ocr/privacy/hipaa...les/index.html.

[Minuteman]

"Alaska Medicaid settles HIPAA security case for $1,700,000" HHS Newsroom 26 June 2012.

Having background information about transgressions of state Medicaid programs may be helpful in future attempts to have circumcision removed from their coverage.

http://www.hhs.gov/news/press/2012pr...20120626a.html

Excerpt:

Quote:

The Alaska Department of Health and Social Services (DHSS), the state Medicaid agency, has agreed to pay the U.S. Department of Health and Human Services’ (HHS) $1,700,000 to settle possible violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. Alaska DHSS has also agreed to take corrective action to properly safeguard the electronic protected health information (ePHI) of their Medicaid beneficiaries.

The HHS Office for Civil Rights (OCR) began its investigation following a breach report submitted by Alaska DHSS as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The report indicated that a portable electronic storage device (USB hard drive) possibly containing ePHI was stolen from the vehicle of a DHSS employee. Over the course of the investigation, OCR found evidence that DHSS did not have adequate policies and procedures in place to safeguard ePHI. Further, the evidence indicated that DHSS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the HIPAA Security Rule.

[airpud]

rules, rights, words, regulations...

people just do what they want. they break laws, twist them, hide from them.

we need action, not more words. technically at several levels, circ is already illegal. but ppl interpret, ignore, and disrespect at their whim.

too much wordiness! back to basics. no more wordsmithing.