The Department of Health and Human Services (HHS) issued new regulations this week requiring healthcare providers, health plans and other entities covered by HIPAA (the Health Insurance Portability and Accountability Act) to notify patients if their electronic health information has been breached.
The regulations were developed by the HHS Office for Civil Rights (OCR). They require healthcare providers and other HIPAA covered entities to promptly notify the affected individuals and, for breaches that affect more than 500 people, to promptly notify HHS and the media as well.
Earlier this week, HHS announced that it had delegated authority for the administration and enforcement of the HIPAA Security Rule to the Office for Civil Rights (OCR).
Any lessons learned from the announcements this week?
Absolutely! If you are a manager working in a “HIPAA covered entity” – which includes doctors, clinics, psychologists, dentists, chiropractors, nursing homes, hospitals, insurance companies, HMOs, company health plans, government programs that pay for healthcare and healthcare clearinghouses – then your lesson learned is pretty obvious: make sure you fully implement your privacy and security programs as soon as possible.
Why should you take action as soon as possible?
Because a single office, OCR, now has enforcement authority for all three of:
- the HIPAA Security Rule
- the HIPAA Privacy Rule
- the Breach Notification requirements
And because the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA), mandates these requirements.
Healthcare managers beware…