CVS Reaches $2.25 Million Settlement Agreement

The U.S. Department of Health and Human Services and the Federal Trade Commission announced today that CVS will pay the U.S. government a $2.25 million settlement and take corrective action in connection with the government's finding that CVS had violated the HIPAA Privacy Rule by failing to safeguard identifying information during disposal. CVS Caremark Corp., the parent company of the pharmacy chain, also signed a consent order with the FTC to settle potential violations of the FTC Act.

The settlement, which applies to all of CVS's more than 6,000 retail pharmacies, follows an extensive investigation by the HHS Office for Civil Rights (OCR) into potential HIPAA violations after media reports alleged that patient information maintained by the pharmacy chain was being disposed of in industrial trash containers outside selected stores that were not secure and could be accessed by the public. At the same time, the FTC opened an investigation of CVS. OCR and the FTC conducted their investigations jointly. Among other things, OCR and the FTC found that CVS failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process, and that it failed to adequately train employees on how to dispose of such information properly.

The HHS Resolution Agreement and Corrective Action Plan are available for review. OCR has also posted new FAQs that address requirements for disposal of protected health information.


HITECH Act Signed Into Law - High Hopes Follow

Today, President Obama signed the Health Information Technology for Economic and Clinical Health Act (known as the "HITECH Act") into law. The final version of the HITECH Act is posted on the Library of Congress' THOMAS website. The HITECH Act addresses various aspects of the use of health information technology ("H.I.T."), including providing federal funding by way of grants and incentive payments to promote H.I.T. implementation. In addition, Subtitle D of the HITECH Act includes new and far-reaching provisions concerning the privacy and security of health information that will directly affect more entities, businesses and individuals than ever before.

Some of the changes this new law has made to privacy and security include:

  • Security Breach Notification - Covered entities, business associates and others are now affirmatively required to notify individuals and others of breaches of unsecured protected health information.
  • Accounting of Disclosures with EHR Use - Covered entities using and disclosing PHI through an EHR are required to provide individuals with an accounting, when requested, for the prior three years. Uses and disclosures of PHI through EHRs include treatment, payment and health care operations.
  • Access Rights to Electronic Format - The HIPAA Privacy Rule is amended to give individuals the right to obtain access to their PHI in electronic format, if requested.
  • Health Care Operations - The definition of "health care operations" will be reviewed by the Secretary of DHHS by August 17, 2010 and narrowed or clarified.
  • Marketing - Marketing is restricted further.
  • Sale of PHI - Covered entities and business associates are prohibited from directly or indirectly receiving any remuneration in exchange for any PHI of an individual unless a valid authorization is obtained from the individual, except in a very limited number of circumstances.

What should affected entities do?

  • Update Notice of Privacy Practices to reflect changes in privacy and security policies
  • Update HIPAA privacy and security policies accordingly
  • Develop a detailed Breach Notification Policy that complies with HITECH and any state law counterpart to the new federal breach notification provisions
  • Expand business associate lists to include vendors and others
  • Update Business Associate Agreements to include expanded new requirements

OCR Revamps Privacy Website

The Department of Health and Human Services, Office for Civil Rights has posted its new Web site, and reports that the health information privacy pages have been "extensively revised to improve organization and ease of use for consumers, covered entities and others seeking reliable advice on the HIPAA Privacy Rule and the Patient Safety Rule."

I took some time to peruse the new website, and personally I think that it is a vast improvement on its predecessor. Guidance on privacy can now be accessed under such categories as:

Secure Those Social Security Numbers!

On December 15, 2008, the Division of Consumer Affairs ("DCA") published its Notice of Pre-Proposed Rule for "Identity Theft, Written Security Programs and Violations." Comments on the Pre-Proposed Rule are due February 13, 2009.

The pre-proposed Subchapter 3 seeks to require every business and every public entity to implement a comprehensive written information security "program" that includes administrative, technical and physical safeguards for the protection of individuals' social security numbers, driver's license numbers, state identification card numbers, or an account or credit or debit card number in combination with a required code or means of access to that account (defined as "Personal Information"). Also "pre-proposed" are specific procedures for handling security breach incidents, including when and which agencies and individuals must be notified, and what information must be included in that notification.

The original draft of Subchapter 3 was pulled, due to numerous comments submitted in opposition to it, when the regulations proposed pursuant to the Identity Theft Prevention Act were adopted last year on April 7, 2008. You can keep an eye out for the next draft to follow this "pre-proposed" version of Subchapter 3 on the NJ Division of Consumer Affairs website.