Eventually, 150 covered entities will be subjected to audits.

“Audits present a new opportunity to examine mechanisms for compliance, identify best practices and discover risks and vulnerabilities that may not have come to light through OCR’s ongoing compliant investigations and compliance reviews,” stated OCR’s Web site dedicated to the program.

Firms to be audited will be given 30- to 90-days' advance notice, and these firms are then given 10 business days to supply any requested information and materials.

HIPAA refers to the Health Insurance Portability and Accountability Act of 1996. The enforcing agency for the law's subsequent privacy and security regulations is the OCR, which is a wing of the Department of Health and Human Services (HHS). Covered entities are generally health care providers, health insurers, and health administrative services that deal with health records.

Employers, if you offer health insurance, it's strongly advised to get a copy of Personnel Concepts' All-On-One HIPAA Information Poster to keep your employees informed about their rights and obligations regarding HIPAA and its security and privacy rules.

Cignet received the first-ever civil penalty under 2009's Health Information Technology for Economic and Clinical Health (HITECH) Act, which authorized greatly enlarged monetary fines and penalties. Whereas under 1996's Health Insurance Portability and Accountability Act (HIPAA), fines for violating the act's Privacy Rule were capped at $100 per violation with an annual maximum of $25,000, HITECH.upped the ante to a maximum of $50,000 per violation and a yearly total of $1.5 million.

So how did Cignet's penalty reach $4.3 million? The $2.8 million differential represents fines for failing to cooperate with the OCR investigation, which began when 41 patients filed complaints with the Office of Civil Rights that Cignet had not provided them access to their medical records in a timely fashion.

The HIPAA Privacy Rule protects individuals' personal health information (PHI) from being shared with those persons or entities that are not administratively or clinically responsible for them, but it also allows individual patients the right to view their files.

The Office of Civil Rights is located within the Department of Health and Human Services (HHS) and is charged with enforcing the HIPAA privacy rule. The HITECH schedule of fines can be applied only to violations that occur on or after the law's signing date of Feb. 18, 2009

According to language in the contract, "Site visits conducted as part of every audit would include interviews with leadership (e.g., CIO, Privacy Officer, legal counsel, health information management/medical records director); examination of physical features and operations; consistency of process to policy, observation of compliance with regulatory requirements."

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 established privacy and security standards for entities that handle personal health information (PHI). The American Reinvestment and Recovery Act (ARRA) of 2009 strengthened those standards and tightened accountability. Now the audits will test compliance.

KPMG hopes to conclude the process by the end of 2012.

The revamped regulations for the privacy and security rules were mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. The year-end rule will provide for data breach notification, strengthen HIPAA enforcement, and expand other privacy and security protections.

McAndrew said a separate rule will be issued to allow patients access to who has viewed their medical information. This rule, she said, will be released in advance of Final Rule.

To better understand both HITECH and HIPAA (Health Insurance Portability and Accountability Act), please visit Personnel Concepts' online HIPAA and COBRA Compliance repository.

With the enactment of the Health Information Technology for Economic and Clinical Health Act (HITECH) and its Breach Notification Rule in 2009, covered entities were formally required to report to the OCR data breaches affecting 500 or more individuals as they happen. Thus with a data breach affecting 1.9 million Americans reported by California-based Health Net Inc. on Jan. 21, the total surged past the 10-million mark since monitoring began on Sept. 22, 2009.

The Health Net breach was reported when its business associate IBM said "it could not locate several server drives" containing personal health information (PHI).

The latest report covers breaches through Feb. 8, 2011.

Our All-On-One HIPAA Information Poster details the security and privacy requirements of both HIPAA and HITECH. Get yours today and keep your workforce informed of their rights and obligations.

This was swiftly followed by a $1-million settlement with Massachusetts General Hospital for an employee's negligence in leaving personal health records on a subway.

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 established both privacy and security obligations for those companies and individuals who handle, use or store personal health information (PHI). These rules were strengthened by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.

Now everything is coming full circle with enforcement catching up with regulations. There have been numerous settlements in the past, but Cignet represented the first actual fine.

Under HITECH, fines are now set at $100 per violation up to a maximum of $50,000 a day. In Cignet's case, the company was also fined for failing to cooperate with the OCR investigation, thus reaching a total of $4.3 million in penalties.

HHS is poised to issue new and no doubt strengthened HIPAA privacy and security regulations sometime soon.

In any event, you can protect your company by keeping your employees informed of their rights and obligations under HIPAA and HITECH by posting our All-On-One HIPAA Information Poster. Order yours today.

Plan administrators will now have to provide detailed, plain-language breakouts of all fees and expenses associated with 401(k) and similar retirement accounts.

"This rule provides uniform disclosure to workers about what they pay for investment options in their retirement plans," said Secretary of Labor Hilda L. Solis. "For the first time, workers will have at their fingertips important and accessible investment-related information to comparison shop among the plan options available to them."

This and other important human resource management information is contained in each issue of Personnel Concepts’ Benefits Law Quarterly newsletter, which you can obtaining by purchasing our HIPAA Compliance Poster Subscription and Newsletter.

For instance, the limit for 401(k), 457(b) and 403(b) plans remains unchanged at $16,500, with health savings accounts (HSA) holding steady at $3,050 for individuals and $6,150 for families.

In addition, the IRS left the maximum income for FICA tax purposes unchanged at $106,800, meaning that no Social Security taxes will be paid past that amount.

You can stay up to date on all benefit changes with Personnel Concepts’ Benefits Law Quarterly, which comes along with your purchase of the HIPAA Compliance Poster Subscription and Newsletter. Get yours today.

"This is a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur," the site explained.  "We intend to publish a final rule in the Federal Register in the coming months."

The breach notification rule is required due to the passage of the Health Information Technology for Clinical and Economic Health (HITECH) Act of 2009, which augmented the 1996 Health Insurance Portability and Accountability Act (HIPAA).

A breach refers to the unauthorized public exposure of protected health information (PHI) in electronic or print format.

Please visit Personnel Concepts’ HIPAA and COBRA Compliance section on our Web site for a wide array of tools and kits available to help your business master all medical record and health insurance requirements.

The proposed modifications would extend parts of the HIPAA Privacy Rule and virtually all of the Security Rule to the business associates of HIPAA-covered entities, impose new limits on the use and disclosure of protected health information (PHI) for marketing, prohibit the sale of protected health information without patient consent, expand individuals’ rights to access their information and permit patients to restrict the disclosure of certain information to health plans.  

In addition, the proposed rule will strengthen and expand HIPAA’s enforcement provisions. 

The NPRM is now subject to a 60-day public commentary period before becoming a Final Rule enforceable by the agency.

The modifications to HIPAA follow a strengthening of the act’s provisions contained in the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, which elevated business associates to the same direct enforcement status as covered entities. (Business associates often perform the accounting, billing and record-keeping functions of primary health care providers, which are considered covered entities).

The NPRM introduced and entered into the Federal Register today further defines what constitutes a business associate and broadens the category significantly. It also proposes a 180-day grace period for the enforcement of any new HIPAA provisions.

Employers who maintain health insurance and/or health records for their employees will be affected, even if indirectly, by these and subsequent changes to HIPAA. However, you can easily keep abreast of changes and fulfill all compliance requirements with a subscription to Personnel Concepts’ HIPAA Compliance Poster and Newsletter.