January 6, 2015 at 1:42 pm | Posted in Department of Public Health, ePHI, Health and Human Services, HIPAA

The Office for Civil Rights (OCR) in the Department of Health and Human Services has announced that, among other entities such as healthcare providers, it will audit approximately 100 employer-sponsored health plans and 50 business associates in 2015. It is reported that:

  • Covered entities and business associates will have two weeks following receipt to respond to the initial data requests. OCR will not consider data submitted late.
  • OCR will conduct audits remotely through “desk audits.” Desk audits will be conducted using an updated audit protocol which OCR has not yet made available.
  • Audit participants will not have an opportunity to provide clarifications or supplemental information after responding to the initial data request.

Within 60 days following their submissions, audit participants will be presented with a draft version of OCR’s final report for review prior to publication. If your health plan has access to an employee’s protected health information (PHI), at a minimum, the following should be done:

  • Adopt written HIPAA policies and procedures addressing the HIPAA privacy, security, and breach notification rules;
  • Designate a HIPAA privacy official and a HIPAA security official;
  • Conduct a detailed analysis of the risks and vulnerabilities of electronic PHI;
  • Train those members of your workforce who have access to PHI;
  • Identify any HIPAA Business Associates, make sure you have a HIPAA Business Associate agreement with them, and alert them to your expectations of them in regard to safekeeping your plan’s PHI.

HHS Announces Personal Health Information (PHI) De-Identification Regulations and Processes

November 27, 2012 at 3:23 pm | Posted in Health and Human Services, Health Care, Regulations

The Department of Health and Human Services (HHS) today released regulatory guidance concerning the process of “de-identifying” PHI for HIPAA covered entities that wish to aggregate data and use it for public or private research purposes. De-identifying refers to the process of removing PHI from medical records and from health care and health insurance data. The regulations released today recognize that some HIPAA covered entities, such as a Health Plan or a business associate which provides services to the Health Plan, may want to use information in their control:

“… to facilitate beneficial studies that combine large, complex data sets from multiple sources. The process of de-identification, by which identifiers are removed from the health information, mitigates privacy risks to individuals and thereby supports the secondary use of data for comparative effectiveness studies, policy assessment, life sciences research, and other endeavors.”

A copy of the HHS announcement can be found here: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/guidance.html