Under the Health Insurance Accountability and Portability Act (HIPAA) of 1996, individuals currently have a right to obtain such information from covered entities that retain their personal health information (PHI), but not if the access pertains to treatment, payment and health care operations—broad loopholes that virtually shut the door to access.

Using language in the Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009, HHS now seeks to open individual access even for treatment, payment and health care operations—but only if the information accessed is stored in an electronic format.

Personnel Concepts will continue to monitor changes regarding HIPAA security and privacy rules and keep you alerted. Meanwhile, to help businesses better comply with relevant rules and regulations, we offer a variety of programs, posters and kits on our Web section HIPAA and COBRA Compliance.

According to language in the contract, "Site visits conducted as part of every audit would include interviews with leadership (e.g., CIO, Privacy Officer, legal counsel, health information management/medical records director); examination of physical features and operations; consistency of process to policy, observation of compliance with regulatory requirements."

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 established privacy and security standards for entities that handle personal health information (PHI). The American Reinvestment and Recovery Act (ARRA) of 2009 strengthened those standards and tightened accountability. Now the audits will test compliance.

KPMG hopes to conclude the process by the end of 2012.

The revamped regulations for the privacy and security rules were mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. The year-end rule will provide for data breach notification, strengthen HIPAA enforcement, and expand other privacy and security protections.

McAndrew said a separate rule will be issued to allow patients access to who has viewed their medical information. This rule, she said, will be released in advance of Final Rule.

To better understand both HITECH and HIPAA (Health Insurance Portability and Accountability Act), please visit Personnel Concepts' online HIPAA and COBRA Compliance repository.

With the enactment of the Health Information Technology for Economic and Clinical Health Act (HITECH) and its Breach Notification Rule in 2009, covered entities were formally required to report to the OCR data breaches affecting 500 or more individuals as they happen. Thus with a data breach affecting 1.9 million Americans reported by California-based Health Net Inc. on Jan. 21, the total surged past the 10-million mark since monitoring began on Sept. 22, 2009.

The Health Net breach was reported when its business associate IBM said "it could not locate several server drives" containing personal health information (PHI).

The latest report covers breaches through Feb. 8, 2011.

Our All-On-One HIPAA Information Poster details the security and privacy requirements of both HIPAA and HITECH. Get yours today and keep your workforce informed of their rights and obligations.

An OMB review can take anywhere from one to 90 days to complete. After that, the rule generally takes effect in 30 to 60 days.

The rule will require those maintaining electronic health records (EHRs) to make available an accounting of the entities with which it has shared individuals' PHI when the individuals so request the information.

The rule thus implements a change contained in the HITECH (Health Information Technology for Economic and Clinical Health) Act. Prior to HITECH, the prevailing law—HIPAA, or Health Insurance Portability and Accountability Act—did not require such disclosure. HITECH amends and expands HIPAA.

For instance, the limit for 401(k), 457(b) and 403(b) plans remains unchanged at $16,500, with health savings accounts (HSA) holding steady at $3,050 for individuals and $6,150 for families.

In addition, the IRS left the maximum income for FICA tax purposes unchanged at $106,800, meaning that no Social Security taxes will be paid past that amount.

You can stay up to date on all benefit changes with Personnel Concepts’ Benefits Law Quarterly, which comes along with your purchase of the HIPAA Compliance Poster Subscription and Newsletter. Get yours today.

"This is a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur," the site explained.  "We intend to publish a final rule in the Federal Register in the coming months."

The breach notification rule is required due to the passage of the Health Information Technology for Clinical and Economic Health (HITECH) Act of 2009, which augmented the 1996 Health Insurance Portability and Accountability Act (HIPAA).

A breach refers to the unauthorized public exposure of protected health information (PHI) in electronic or print format.

Please visit Personnel Concepts’ HIPAA and COBRA Compliance section on our Web site for a wide array of tools and kits available to help your business master all medical record and health insurance requirements.

The already-in-effect interim final rule, called for under terms of the Health Information Technology for Economic and Clinical Health (HITECH) Act of February 2009, had long before been submitted to the Office of Management and Budget (OMB) for official implementation when HHS on July 28 decided it was "a complex issue" and withdrew the rule to start over again. 

The breach notification interim final rule required health providers and plans and their business partners to provide notification within 60 days of a breach of unsecured sensitive data to individuals and in cases involving more than 500 individuals to HHS and the media as well. With more than 120 public comments received, the department realized that allowing affected businesses to determine what is and what is not a breach was not going to fly.

“The administration is committed to ensuring that individuals’ health information is secured to the [fullest] extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur," HHS said in its announcement.

Personnel Concepts will continue to monitor developments in breach notification regulations and keep everyone informed of further changes. Meanwhile, you should visit the Personnel Concepts HIPAA and COBRA Compliance section on its Web site for products and programs to help keep your company in compliance.

Here’s where it gets strange for both UCLA and the Chinese surgeon.

First, UCLA gave Zhou advance notice that he was going to be let go based on performance issues. Second, Zhou then decided it was time to snoop on his administrators’ and coworkers’ medical files. Third, he didn’t stop there, and soon he was copping looks at celebrity health records. When he was done, he had accessed patient records 323 times, all in violation of the privacy rule of the Health Insurance Portability and Accountability Act (HIPAA).

A couple of weeks back, circumstances caught up with Zhou, and the long arm of the law sentenced him to four months in a federal prison for his illegal prying. Zhou thus becomes the first person ever to serve time for HIPAA violations, according to the U.S. Attorney’s Office for the Central District of California.

The lesson for Zhou, of course, is work hard and don’t break the law, and for UCLA it’s "don’t telegraph termination notices." Do it on the spot (with proper record-keeping and justification, of course).

Employers who offer health insurance to their workforces and who thus handle any type of private health-related information are also subject to the HIPAA privacy and security rules. For tools to help you understand and apply these rules, please visit the Personnel Concepts’ Web section on HIPAA & COBRA Compliance.

Now, the Office of Civil Rights (OCR) in the Department of Health and Human Services (HHS), the law’s oversight agency, is promising to issue proposed rules soon, which typically would be followed by a public commentary period.

Most of the vagueness stems from language in the HITECH act that elevates business associates to the same status as covered entities. Previously, covered entities (generally, health care providers and insurers) had primary responsibility for insuring the security of private health information (PHI) in their possession, but HITECH extended such primary responsibility to those business associates that work with and for covered entities.

Though most customers of Personnel Concepts are probably neither covered entities nor business associates, any company that offers health insurance or retains medical information on its employees is still subject to the rules of HITECH and HIPAA (Health Insurance Portability and Accountability Act of 1996) to protect the confidentiality of employee PHI.

A sure way to announce your intention of respecting HIPAA and HITECH and of informing your employees of their rights and obligations under the two laws is by obtaining and posting a copy of our All-On-One HIPAA Information Poster.