The Office for Civil Rights (OCR) has issued advisories that a HIPAA covered entity or business associate affected by the “WannaCry” ransomware attack or other malware should treat the incident as a presumptive breach, reportable under the HIPAA/HITECH Breach Notification Rule, unless the organization can demonstrate a low probability that the protected health information has been compromised.
Thus far in 2017, the Office for Civil Rights (OCR) has announced that they have negotiated settlements or levied penalties in seven cases that have resulted in covered entities and business associates paying over $14.3 million. In all but one of these cases, organizations have also been saddled with multi-year corrective action plans in which HHS will exercise oversight of their compliance with the HIPAA standards. At this pace, OCR will eclipse its record-setting performance of 2016 in which there were 13 formal enforcement actions that had covered entities and business associates paying $23.5 million in fines and penalties for HIPAA violations.
Earlier this month, New Mexico became the forty-eighth state to enact a data breach notification law. Only Alabama and South Dakota remain without such requirements. The Data Breach Notification Act goes into effect on July 1, 2017. Organizations that are subject to the requirements of the HIPAA breach notification standards are exempt from the statute.
CynergisTek is alerting you to a number of changes the Centers for Medicare & Medicaid Services (CMS) is proposing to the requirements of the EHR Incentive Program that would apply to the program in either 2017 or 2018. The changes to the EHR Incentive Program, which would primarily apply to hospitals, are contained in a proposed rule, Medicare Program: Hospital Inpatient Prospective Payment Systems for Acute Care Hospitals and the Long Term Care Hospital Prospective Payment System and Proposed Policy Changes and Fiscal Year 2018 Rates, which is due to be published in the Federal Register on April 28th. Publication of the proposed rule in the Federal Register will start the customary 60-day public comment period, which would be scheduled to end June 27, 2017.
It is said that the only two certainties in life are death and taxes. If you are a HIPAA covered entity, you can add a third: reporting breaches of unsecured protected health information (PHI) to the Department of Health and Human Services (HHS), Office for Civil Rights (OCR). For breaches involving fewer than 500 individuals, the Breach Notification Rule requires a covered entity to submit information to HHS at least annually through OCR’s breach reporting portal on the HHS website. For the 2016 calendar year, the deadline for reporting breaches affecting fewer than 500 individuals is March 1, 2017.
On February 1, 2017, OCR announced that it levied a $3.2 million civil money penalty against Children’s Medical Center of Dallas (Children’s). The enforcement action ends a nearly six-year long investigation into Children’s health information privacy and security practices.
OCR recently published its January Cyber Awareness Newsletter, which provides guidance on how organizations should comply with the audit controls standard. The HIPAA Security Rule (45 CFR 164.312(b)) requires a covered entity or business associate to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
The University of Massachusetts at Amherst (UMass) agreed to a settlement with the Office for Civil Rights (OCR) over allegations that it had violated the HIPAA Privacy and Security Rules after a 2013 incident that resulted in the unauthorized disclosure of patient information of 1,670 individuals. The settlement includes a $650,000 penalty and a two-year corrective action plan.
The Office for Civil Rights (OCR) of the Department of Health and Human Services has announced a new initiative that expands its review of, and investigations into, the causes of breaches affecting fewer than 500 people. Covered entities and business associates reported 232,000 breaches of PHI affecting fewer than 500 individuals to OCR between October 2009 and June 2016.
Last week OCR reported that it had faced challenges in identifying and selecting a diverse pool of organizations to participate in the Phase 2 HIPAA Audit Program. In an effort to expand the roster of covered entity candidates, OCR sent up to 10,000 emails to prospective covered entities in a single “e-mail blast” asking for recipients to confirm if the recipient was associated with an organization that was a HIPAA covered entity, and to provide the contact information for appropriate