Tag Archives: HIPAA

3 Steps to Avoiding HIPAA Breaches

The Department of Health & Human Services has begun to come down hard on Healthcare Providers for HIPAA Breaches. The Department of Health & Human Services has fined the Hospice of North Idaho for failing to encrypt a stolen laptop. The Hospice Organization has agreed to pay a $50,000 HIPAA Penalty for this single violation.

An important note here is that the $50,000 penalty does not include or cover the expenses the Hospice Organization will incur to notify affected patients. That additional cost could be as much as $83,000. All in all, that’s a huge impact for a single HIPAA breach. The message for healthcare organizations is clear: it’s time to check on your HIPAA compliance and breach procedure.

Review Policies & Best Practice

HIPAA breaches should never happen. Organizations that properly manage their data and monitor their procedures won’t suffer breaches. You need to review your security policy and procedure and perform a risk analysis. Cyber security is a vital issue for all organizations that carry personal information. For the healthcare industry that information is more comprehensive and more sensitive, so you need to ensure that your data is secure on every level.


Once you have performed a risk analysis and ensured that you are following best practice, you need to think about insurance. HIPAA breaches don’t happen to organizations that properly manage their data, but that relies on people following procedure. People make mistakes, so you need to ensure you are covered. The cost that the Hospice of North Idaho has incurred will be huge; insurance coverage could really soften that blow.

Create an Internal Plan

When HIPAA breaches do occur, the organization will suffer a variety of setbacks. Alongside the financial cost, there is also the practical issue of informing patients. You will need to create an internal plan for dealing with a breach. That means your organization should have a clear strategy for informing those affected and a contingency plan to ensure that normal service is not affected.

HIPAA breaches can be avoided with effective risk management, but you need to prepare for them anyway. Few medical organizations could deal with the cost incurred in Idaho.


HIPAA Certificates Required During 2014

For plan years beginning on or after Jan. 1, 2014, the Affordable Care Act (ACA) prohibits group health plans and issuers from imposing pre-existing condition exclusions (PCEs) on any enrollees.

Currently, ACA prohibits PCEs for enrollees who are under 19 years of age. ACA’s restrictions on PCEs apply to both grandfathered and non-grandfathered plans. Until ACA’s full prohibition on PCEs takes effect in 2014, the HIPAA rules regarding PCEs will continue to apply. HIPAA currently allows plans and issuers to exclude pre-existing conditions from coverage, but places significant limitations on those exclusions. For example, the length of any PCE must be reduced by the amount of creditable coverage the individual had prior to enrollment in the plan. An individual’s prior creditable coverage is documented in a HIPAA Certificate of Creditable Coverage, provided by the prior plan or issuer.

ACA’s prohibition on PCEs for plan years beginning on or after Jan. 1, 2014, will eventually make HIPAA Certificates unnecessary.

Proposed rules issued on March 21, 2013, state that the requirement to provide HIPAA certificates will be eliminated effective Dec. 31, 2014. The need for plans to continue providing HIPAA Certificates during 2014 recognizes that participants may need HIPAA Certificates during 2014 to avoid PCEs under non-calendar year plans. Although the proposed rule is not yet in final form, plans and issuers should plan on providing HIPAA Certificates during 2014.


Should I Buy Coverage for HIPAA?

The final rule has been issued on the Health Insurance Portability and Accountability Act. This federal law broadly covers the privacy and security of personally identifiable health information as well as the government’s ability to enforce these rules and request reports on information breaches. The final rule is intended to enhance these privacy protections and provide individuals with new rights to their health information.

Personal Information

The final rule in HIPAA goes a long way in protecting individuals’ right to access their personal health information and have it protected. Under the Final Rule, individuals’ rights to receive electronic copies of their health information are expanded. The final rule also goes against a 2009 proposal and prohibits most health plans from using or disclosing genetic information for underwriting purposes. Individuals are also reassured by the fact that the government’s ability to enforce these laws is enhanced in this modification of the law.

There are also changes to authorization requirements that may be needed to gather information on cases such as child immunization proof for schools and enabling access to decedent information by family members or others.

Covered Entities

The final rule in HIPAA has modified the application of the act to make business associates of covered entities directly liable for compliance with certain Privacy and Security requirements. It also requires modification and redistribution of a covered entity’s notice of privacy practices. The rule imposes limitations on the use and disclosure of protected health information for marketing purposes and prohibits the sale of this information without individual authorization.

Do I Need to Buy Liability Protection for HIPAA Claims?

From a liability perspective, it’s going to depend on the policy itself and the allegations that are made. Some directors & officers, employment practices, and fiduciary liability policies may provide coverage for certain violations of HIPAA. Some may have exclusions specifically related to HIPAA violations. Bottom line, coverage for HIPAA violations may be available, but the key lies in what allegations are made in a claim.

This final rule has done a lot to ensure the security of protected health information while also enhancing the access for the individuals involved. Covered entities are also pushed to be more responsible and hold more accountability for the delicate information in their possession. The HIPAA Final Rule heralds many changes for both the insured individual and their provider.


Final Rule Issued on HIPAA Privacy and Security Protections

On Jan. 17, the Department of Health and Human Services (HHS) issued a final rule modifying the HIPAA Privacy, Security, Enforcement and Breach Notification Rules. The final rule is intended to enhance a patient’s privacy protections, provide individuals new rights to their health information and strengthen the government’s ability to enforce the law.

The final rule implements a number of changes to the HIPAA Rules and is made up of the following:

  • Final modifications to the HIPAA Privacy, Security and Enforcement Rules mandated by the HITECH Act, and certain other modifications to improve the Rules, which were issued as a proposed rule on July 14, 2010.
  • Final rule adopting changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act, originally published as an interim final rule on Oct. 30, 2009.
  • Final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which replaces the breach notification rule’s “harm” threshold with a more objective standard and supplants an interim final rule published on Aug. 24, 2009.
  • Final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act to prohibit most health plans from using or disclosing genetic information for underwriting purposes, which was published as a proposed rule on Oct. 7, 2009.