The National Institute of Standards and Technology (NIST) is inviting comments on updating its resource guide for implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. NIST's resource guide was published in 2008. The public is invited to provide input by June 15, 2021. NIST seeks comments on how health care organizations and business associates are using the resource guide to assist in complying with the HIPAA Security Rule. NIST also invites comment on how organizations assess risk to electronic protected health information (ePHI), how health care organizations manage concerns regarding business associates' compliance with the Security Rule, and how organizations document implementation of recognized security practices.
The topic of how recognized security practices are implemented should be particularly important for health care organizations and business associates. Effective January 5, 2021, the Health Information Technology for Economic and Clinical Health Act (the HITECH Act) was amended by P.L. 116-321 to provide that in conducting audits of Security Rule compliance and assessing fines, the Department of Health and Human Services shall consider whether the organization has demonstrated that it had recognized security practices in place. The term "recognized security practices" is defined to include standards, guidelines and best practices developed by NIST.
- Published: 06 May 2021
The Department of Health & Human Services (HHS) has announced that it is allowing additional time for public comment on proposed changes relating to access to and disclosure of protected health information (PHI). The Office for Civil Rights (OCR) of HHS published significant proposed modifications to the Health Insurance Portability & Accountability Act (HIPAA) Privacy Standards in the Federal Register on January 21, 2021. The proposed rules were focused on supporting the transition to value-based health care by modifying restrictions on use of PHI for care coordination and case management. OCR also proposed significant changes in procedures for individuals’ access to their PHI. The original comment date of March 22, 2021 has been extended to May 6, 2021.
- Published: 10 March 2021
The Office for Civil Rights (OCR) has issued a notification of enforcement discretion permitting entities covered under the Health Insurance Portability and Accountability Act (HIPAA), and their business associates, to use online or web-based scheduling applications (WBSAs) to schedule appointments for COVID-19 vaccinations during the public health emergency. The notification will be published in the Federal Register on February 24, 2021 and applies as of December 11, 2020.
- Published: 23 February 2021
An amendment to the Health Information Technology for Economic and Clinical Health Act (HITECH) enacted on January 5, 2021 provides an incentive for covered entities under the Health Insurance Portability and Accountability Act (HIPAA), and their business associates, to adopt recognized security practices. H.R. 7898, enacted as P.L. 116-321, states that the Secretary of the Department of Health and Human Services shall consider whether the covered entity or business associate has adopted recognized security practices; such practices may mitigate fines or other remedies imposed for HIPAA security violations, or result in the favorable termination of a HIPAA security audit. Recognized security practices are standards, guidelines and best practices developed by the National Institute of Standards & Technology (NIST), or other cybersecurity practices recognized through regulation.
- Published: 19 January 2021
The Department of Health & Human Services Office for Civil Rights (OCR) announced a $5.1 million settlement with Excellus Health Plan, Inc. relating to a data breach that affected over 9.3 million persons. The breach arose out of a cyberattack that began in December 2013, in which hackers installed malware and conducted reconnaissance within the health plan’s information technology systems. The intrusion continued until May 2015. In addition to the settlement payment, the health plan agreed to a two-year corrective action plan that requires it to conduct a comprehensive information security risk analysis; adopt an enterprise-wide risk management plan; and update its policies and procedures, including providing for regular review of audit logs, access reports and security incident reports, and adopting access control measures such as network or portal segmentation and password management.
- Published: 18 January 2021
The Fifth Circuit Court of Appeals ruled that the Department of Health and Human Services (HHS) violated the Administrative Procedure Act in imposing a $4 million civil monetary penalty on M.D. Anderson Cancer Center. The case arose out of three incidents in 2012 and 2013, in which an unencrypted laptop was stolen, and two unencrypted USB thumb drives were lost.
HHS had determined that M.D. Anderson violated the Health Insurance Portability and Accountability Act (HIPAA) Security Rule requirement that HIPAA covered entities implement a mechanism to encrypt electronic protected health information (ePHI) or adopt another appropriate method to limit access to it. HHS also determined that the hospital violated the HIPAA Privacy Rule prohibition on unpermitted disclosure of PHI. Finally, HHS found that the hospital had reasonable cause to know that it had violated these rules and assessed daily penalties totaling $1,348,000 for the Security Rule violation and $3,000,000 for the Privacy Rule violation. The court ruled that HHS had acted arbitrarily and capriciously both in applying its regulations and in calculating the penalty amounts.
- Published: 15 January 2021
On January 12, 2021, the Department of Health & Human Services Office for Civil Rights (OCR) reported that it had reached a $200,000 settlement with Banner Health. This is the fourteenth settlement in OCR’s Right of Access initiative, which investigates complaints from patients and related parties that they have been denied access to their health records. Under the Health Insurance Portability and Accountability Act (HIPAA), covered entities, including health care providers, are required to respond to a request for access to records within thirty days.
The Banner Health settlement is the third six-figure settlement, following settlements in October 2020 with Dignity Health ($160,000) and NY Spine ($100,000). The remaining eleven settlements have been for less than $100,000, five of them for $25,000 or less. However, the ongoing compliance reporting required by the settlement agreements may be a more substantial burden than the upfront settlement payment, especially for smaller providers. Generally, the settlement agreements require the provider to revise its policies and procedures, train employees, and provide reports to OCR for a two-year period.
- Published: 18 January 2021