The Office for Civil Rights of the Department of Health and Human Services (HHS) is charged with enforcing the security and privacy rules of the Health Insurance Portability and Accountability Act (HIPAA), which protect individuals' personal health information (PHI) in both electronic and paper forms. Under the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, OCR is further required to make an annual report to Congress on both rules and their enforcement.

The privacy rule took effect in 2003, and the security rule, dealing with electronic PHI, took effect in 2005.

In its just-released report to Congress, OCR said it has received 57,375 complaints of violations of the privacy rule since its 2003 effective date Of those, 52,339 (91 percent) have been resolved, and 5,036 (9 percent) remain open. The agency said it has received 803 security rule complaints since the rule took effect, and has resolved 577, or 72 percent, of them, leaving 226, or 28 percent, open.

Under the Health Insurance Accountability and Portability Act (HIPAA) of 1996, individuals currently have a right to obtain such information from covered entities that retain their personal health information (PHI), but not if the access pertains to treatment, payment and health care operations—broad loopholes that virtually shut the door to access.

Using language in the Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009, HHS now seeks to open individual access even for treatment, payment and health care operations—but only if the information accessed is stored in an electronic format.

Personnel Concepts will continue to monitor changes regarding HIPAA security and privacy rules and keep you alerted. Meanwhile, to help businesses better comply with relevant rules and regulations, we offer a variety of programs, posters and kits on our Web section HIPAA and COBRA Compliance.

The revamped regulations for the privacy and security rules were mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. The year-end rule will provide for data breach notification, strengthen HIPAA enforcement, and expand other privacy and security protections.

McAndrew said a separate rule will be issued to allow patients access to who has viewed their medical information. This rule, she said, will be released in advance of Final Rule.

To better understand both HITECH and HIPAA (Health Insurance Portability and Accountability Act), please visit Personnel Concepts' online HIPAA and COBRA Compliance repository.

With the enactment of the Health Information Technology for Economic and Clinical Health Act (HITECH) and its Breach Notification Rule in 2009, covered entities were formally required to report to the OCR data breaches affecting 500 or more individuals as they happen. Thus with a data breach affecting 1.9 million Americans reported by California-based Health Net Inc. on Jan. 21, the total surged past the 10-million mark since monitoring began on Sept. 22, 2009.

The Health Net breach was reported when its business associate IBM said "it could not locate several server drives" containing personal health information (PHI).

The latest report covers breaches through Feb. 8, 2011.

Our All-On-One HIPAA Information Poster details the security and privacy requirements of both HIPAA and HITECH. Get yours today and keep your workforce informed of their rights and obligations.

An OMB review can take anywhere from one to 90 days to complete. After that, the rule generally takes effect in 30 to 60 days.

The rule will require those maintaining electronic health records (EHRs) to make available an accounting of the entities with which it has shared individuals' PHI when the individuals so request the information.

The rule thus implements a change contained in the HITECH (Health Information Technology for Economic and Clinical Health) Act. Prior to HITECH, the prevailing law—HIPAA, or Health Insurance Portability and Accountability Act—did not require such disclosure. HITECH amends and expands HIPAA.

"This is a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur," the site explained.  "We intend to publish a final rule in the Federal Register in the coming months."

The breach notification rule is required due to the passage of the Health Information Technology for Clinical and Economic Health (HITECH) Act of 2009, which augmented the 1996 Health Insurance Portability and Accountability Act (HIPAA).

A breach refers to the unauthorized public exposure of protected health information (PHI) in electronic or print format.

Please visit Personnel Concepts’ HIPAA and COBRA Compliance section on our Web site for a wide array of tools and kits available to help your business master all medical record and health insurance requirements.

The already-in-effect interim final rule, called for under terms of the Health Information Technology for Economic and Clinical Health (HITECH) Act of February 2009, had long before been submitted to the Office of Management and Budget (OMB) for official implementation when HHS on July 28 decided it was "a complex issue" and withdrew the rule to start over again. 

The breach notification interim final rule required health providers and plans and their business partners to provide notification within 60 days of a breach of unsecured sensitive data to individuals and in cases involving more than 500 individuals to HHS and the media as well. With more than 120 public comments received, the department realized that allowing affected businesses to determine what is and what is not a breach was not going to fly.

“The administration is committed to ensuring that individuals’ health information is secured to the [fullest] extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur," HHS said in its announcement.

Personnel Concepts will continue to monitor developments in breach notification regulations and keep everyone informed of further changes. Meanwhile, you should visit the Personnel Concepts HIPAA and COBRA Compliance section on its Web site for products and programs to help keep your company in compliance.

Now, the Office of Civil Rights (OCR) in the Department of Health and Human Services (HHS), the law’s oversight agency, is promising to issue proposed rules soon, which typically would be followed by a public commentary period.

Most of the vagueness stems from language in the HITECH act that elevates business associates to the same status as covered entities. Previously, covered entities (generally, health care providers and insurers) had primary responsibility for insuring the security of private health information (PHI) in their possession, but HITECH extended such primary responsibility to those business associates that work with and for covered entities.

Though most customers of Personnel Concepts are probably neither covered entities nor business associates, any company that offers health insurance or retains medical information on its employees is still subject to the rules of HITECH and HIPAA (Health Insurance Portability and Accountability Act of 1996) to protect the confidentiality of employee PHI.

A sure way to announce your intention of respecting HIPAA and HITECH and of informing your employees of their rights and obligations under the two laws is by obtaining and posting a copy of our All-On-One HIPAA Information Poster.

Though breach notification rules under HITECH (Health Information Technology for Economic and Clinical Health Act) went into effect in September 2009, a grace period provided HHS (and the FTC in cases involving vendors) with a window of discretion. Consequently, when the grace period expired on Feb. 22, HHS began posting breaches involving 500 or more individuals.

According to HITECH regulations, breaches involving 500 or more people must be reported immediately, but breaches involving fewer than 500 persons need only be reported annually.

The breach notifications are available here on the HHS Web site.

What I found a bit curious about the list is a series of five thefts/unauthorized accesses occurring on Sept. 27 at a "private practice" in Torrance, Calif. The list of breaches involves, in succession, 6,145, 5,166, 5,257, 857, and 952 individuals, but the question lingers about why they were listed separately. My conclusion is that the theft/unauthorized access occurred at roughly the same time, but involved five different sets of records. It would be hard to imagine five separate occasions of theft involving the same private practice on the same day. However, anything is possible.

For your convenience and compliance, Personnel Concepts has compiled all HITECH breach regulations into one compact but comprehensive HITECH Act Security Rule Poster. Get yours today so your employees know their rights and responsibilities under HITECH.

Nonetheless, a Medicaid payment processor in California named CalOptima has mostly complied with the breach rule after the company discovered the loss of claims forms for some 68,000 persons. The digitized forms contained personally identifying information on the 68,000 and were lost during shipment by the United States Postal Service.

CalOptima has posted a breach notification on its Web site and also has notified federal and state agencies. The company says it will also notify each of the 68,000 affected individuals. The postal service, for its part, says it will continue to search for the missing data disks.

It is unclear whether CalOptima also notified the media of the breach, which is required when a data loss affects 500 or more people.

Employers who offer health insurance are covered by both HIPAA and the new breach rule, so you may want to sign up for Personnel Concepts’ HIPAA Compliance Poster and Subscription Service to keep yourselves and your employees informed of all rights and responsibilities.

POSTSCRIPT: The missing CDs with encrypted data later were found at a secure postal facility in Atlanta, apparently untampered with. CalOptima subsequently scrapped its plan to mail out individual breach notices to the 68,000 affected individuals.