Though on Aug. 4 it withdrew its Interim Final Rule regarding HIPAA security breach notifications, the Department of Health and Human Services (HHS) has since clarified on its Web site that the suspended rule of Sept. 23, 2009, remains in effect.

"This is a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur," the site explained.  "We intend to publish a final rule in the Federal Register in the coming months."

The breach notification rule is required due to the passage of the Health Information Technology for Clinical and Economic Health (HITECH) Act of 2009, which augmented the 1996 Health Insurance Portability and Accountability Act (HIPAA).

A breach refers to the unauthorized public exposure of protected health information (PHI) in electronic or print format.

Please visit Personnel Concepts’ HIPAA and COBRA Compliance section on our Web site for a wide array of tools and kits available to help your business master all medical record and health insurance requirements.

Coming under criticism for allowing covered entities (in this case, those health care providers and others who maintain health records) to police themselves in matters of maintaining the privacy of Protected Health Information (PHI), the Department of Health and Human Services (HHS) has withdrawn its breach rule of September 2009.

The already-in-effect interim final rule, called for under terms of the Health Information Technology for Economic and Clinical Health (HITECH) Act of February 2009, had long before been submitted to the Office of Management and Budget (OMB) for official implementation when HHS on July 28 decided it was "a complex issue" and withdrew the rule to start over again. 

The breach notification interim final rule required health providers and plans and their business partners to provide notification within 60 days of a breach of unsecured sensitive data to individuals and in cases involving more than 500 individuals to HHS and the media as well. With more than 120 public comments received, the department realized that allowing affected businesses to determine what is and what is not a breach was not going to fly.

“The administration is committed to ensuring that individuals’ health information is secured to the [fullest] extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur," HHS said in its announcement.

Personnel Concepts will continue to monitor developments in breach notification regulations and keep everyone informed of further changes. Meanwhile, you should visit the Personnel Concepts HIPAA and COBRA Compliance section on its Web site for products and programs to help keep your company in compliance.

There are some cautionary tales and lessons in the strange case of Huping Zhou, 47, who once worked for the UCLA Health System–until he was fired for poor performance–and who now finds himself facing hard time for HIPAA privacy violations.

Here’s where it gets strange for both UCLA and the Chinese surgeon.

First, UCLA gave Zhou advance notice that he was going to be let go based on performance issues. Second, Zhou then decided it was time to snoop on his administrators’ and coworkers’ medical files. Third, he didn’t stop there, and soon he was copping looks at celebrity health records. When he was done, he had accessed patient records 323 times, all in violation of the privacy rule of the Health Insurance Portability and Accountability Act (HIPAA).

A couple of weeks back, circumstances caught up with Zhou, and the long arm of the law sentenced him to four months in a federal prison for his illegal prying. Zhou thus becomes the first person ever to serve time for HIPAA violations, according to the U.S. Attorney’s Office for the Central District of California.

The lesson for Zhou, of course, is work hard and don’t break the law, and for UCLA it’s "don’t telegraph termination notices." Do it on the spot (with proper record-keeping and justification, of course).

Employers who offer health insurance to their workforces and who thus handle any type of private health-related information are also subject to the HIPAA privacy and security rules. For tools to help you understand and apply these rules, please visit the Personnel Concepts’ Web section on HIPAA & COBRA Compliance.

Though HITECH (the Health Information Technology for Economic and Clinical Health act) took full effect this past Feb. 17, provisions regarding business associates were still vague, as we noted at the time.

Now, the Office of Civil Rights (OCR) in the Department of Health and Human Services (HHS), the law’s oversight agency, is promising to issue proposed rules soon, which typically would be followed by a public commentary period.

Most of the vagueness stems from language in the HITECH act that elevates business associates to the same status as covered entities. Previously, covered entities (generally, health care providers and insurers) had primary responsibility for insuring the security of private health information (PHI) in their possession, but HITECH extended such primary responsibility to those business associates that work with and for covered entities.

Though most customers of Personnel Concepts are probably neither covered entities nor business associates, any company that offers health insurance or retains medical information on its employees is still subject to the rules of HITECH and HIPAA (Health Insurance Portability and Accountability Act of 1996) to protect the confidentiality of employee PHI.

A sure way to announce your intention of respecting HIPAA and HITECH and of informing your employees of their rights and obligations under the two laws is by obtaining and posting a copy of our All-On-One HIPAA Information Poster.

Implementing changes to HIPAA (Health Insurance Portability and Accountability Act) contained in the stimulus package (American Recovery and Reinvestment Act, or ARRA), the Department of Health and Human Services (HHS) on Oct. 30, 2009, published its Interim Final Rule in the Federal Register.

The Final Rule expands the power of the Health and Human Services Secretary to impose civil penalties and fines, which will take effect on Nov. 30 for all HIPAA violations occurring on or after Feb. 18, 2009.

The minimum civil penalty per violation is now $100 for violations that would not normally be detected using due diligence but rises to $1,000 if the violation is "due to reasonable cause and not to willful neglect." Violations that are due to willful neglect and are subsequently corrected will be fined a minimum of $10,000, but that rises to $50,000 if no corrective action is taken.

No covered entity (or business associate, which are now treated the same as covered entities) can be fined more than $1.5 million for all violations of a single provision.

In the past, covered entities could block imposition of any fine if they showed they had no knowledge of the violation. That loophole has been closed, but fines can be avoided if an unknown violation is corrected within 30 days of discovery.

“This strengthened penalty scheme will encourage health care providers, health plans and other health care entities required to comply with HIPAA to ensure that their compliance programs are effectively designed to prevent, detect and quickly correct violations of the HIPAA rules,” said Georgina Verdugo, director of HHS’s Office for Civil Rights, which oversees HIPAA’s privacy, security and breach notification rules.  

The increased penalties in the Final Rule are in addition to breach notification requirements announced earlier this year.

The HHS’s Office of Civil Rights (OCR) will be accepting public commentary on the Interim Final Rule until Dec. 29, 2009.

Provisions in the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was part of the stimulus package passed in February, created new security and breach rules for those covered by HIPAA (the Health Insurance Portability and Accountability Act of 1996), but afforded everyone a six-month window to achieve full compliance that runs into 2010.

Nonetheless, a Medicaid payment processor in California named CalOptima has mostly complied with the breach rule after the company discovered the loss of claims forms for some 68,000 persons. The digitized forms contained personally identifying information on the 68,000 and were lost during shipment by the United States Postal Service.

CalOptima has posted a breach notification on its Web site and also has notified federal and state agencies. The company says it will also notify each of the 68,000 affected individuals. The postal service, for its part, says it will continue to search for the missing data disks.

It is unclear whether CalOptima also notified the media of the breach, which is required when a data loss affects 500 or more people.

Employers who offer health insurance are covered by both HIPAA and the new breach rule, so you may want to sign up for Personnel Concepts’ HIPAA Compliance Poster and Subscription Service to keep yourselves and your employees informed of all rights and responsibilities.

POSTSCRIPT: The missing CDs with encrypted data later were found at a secure postal facility in Atlanta, apparently untampered with. CalOptima subsequently scrapped its plan to mail out individual breach notices to the 68,000 affected individuals.

I’m usually not a fan of the stuff in the Huffington Post since it’s–let’s just say–a bit past center politically, but in my ongoing research on HIPAA (the Health Insurance Portability and Accountability Act), I came across a first-person account of how HIPAA and other medical regulations affect the delivery of health care in America.

This was a real eye-opener.

The author, Deane Waldman, is a pediatric cardiologist. In his article, he recounts some regulatory horror stories that help explain why health care delivery is such a mess in the U.S.

Let me just cite a couple of incidents:

Because of mandates by the Joint Commission on Accreditation of Hospitals (JCOAH), Dr. Waldman must ask each patient if he or she smokes (and plans to quit) and whether he or she has suicidal thoughts. The irony here is that many of his patients are in diapers.

Another fine example involves a letter he received mandating that he attend a training session on Part D of Medicare even though, again, his patients have nothing to do with Part D or even Medicare. At stake, should be not complete the training, was the accreditation of the entire hospital, or at the very least potential fines and/or sanctions.

Read “The Bane of My Existence: Come With Me to Work” for further horror stories.

Now, Dr. Waldman is one guy who can truly subscribe to my motto, “Get off my back.”