The most important and noticeable changes include the expansion of enforcement to states’ attorneys general and expansion of privacy and security provisions related to “business associates” and new breach notification provisions along with changes in penalties to be imposed in case of breach of HIPAA.

With changes in HIPAA, the penalties can now be imposed on covered entities along with individuals in position to the previous law where penalties could only be imposed on covered entities. As such, if someone within an organization willingly neglects and doesn’t comply with the rules and makes wrongful disclosures, he or she will be subject to fines, as well as possible imprisonment. Also, in the past, enforcement and violations were addressed solely at the federal level by the Office of Civil Rights. Now, attorney generals are empowered to deal with enforcement and violations as well.

Protected health information can be released by covered entities without authorization only for purposes of treatment, billing and health care operations. Covered entities can’t release information beyond those purposes without authorization of the patient. In addition, specific types of information are viewed as more sensitive (e.g., mental health and substance abuse information, information about certain diseases, such as HIV) in many states and more restrictions on disclosure exist at the state level.

With new laws, patients will have a greater ability to try to find out who has accessed their protected health information. This means that covered entities and business associates could be asked to account for a good deal of information if they get a request. New regulations are being considered in this area, so it is an area to watch.

In order to make sure that they are HIPAA compliant, the covered entities should keep an eye on releases from HSS about changes, consult with their legal representative, make sure that their designated privacy officer is properly trained and that he or she is training their employees and keep their lines of communication open with business associates and make sure any contracts they have with them include appropriate provisions that will require they comply with HIPAA and all other state laws which may come into play.

This software from Catbird harnesses the power of virtualization to deliver the industry’s most comprehensive security and compliance solution for virtual and cloud systems. The software introduces a new model for data center security and enforces controls on virtual machines, their network attributes, virtual networks, and the switch fabric – protecting the whole data plane.

“Security and compliance are critical components for every IT infrastructure. As environments are virtualized, new risks are introduced due to a loss of process control across four change dimensions,” says David Poarch, VP, security of Forsythe. “Catbird has developed a solution specifically for virtualized environments that delivers dynamic, elastic security and integrated compliance for sensitive and mission-critical applications.”

“Recent guidance from PCI, NIST and SANS proves that relying on traditional physical firewalls and physical network inspection is risky and will not pass an audit. Catbird vSecurity® was built from the ground up to do virtual and cloud security better, faster and cheaper,” said Edmundo Costa, Catbird CEO. “Forsythe’s extensive experience in integrating not only virtualized solutions, but also physical infrastructure solutions, across security, servers, networks and storage make them a strong partner in helping our virtualization clients with their security needs.”

“Virtualization security opens the door for mission-critical applications that have traditionally been left out of virtualization roll-outs,” added Costa. “vSecurity will provide Forsythe customers with the ability to meet the new requirements and maximize their virtualization and cloud ROI by being able to include in their deployment plans most applications that were previously excluded, such as, for example, applications that handle PCI data.”

This transition will also help HAC to produce more accurate records as well as conduct more detailed population assessments and studies. Additionally, the ICD-10 migration will improve the HAC’s payment systems for veterans and their family members with more accurate billing information. The Harris team, along with subcontractors 7 Delta Inc. and Vangent Inc., will complete all phases of the ICD-10 integration and software development life cycle.

International Statistical Classification of Diseases and Related Health Problems (ICD) Codes are used to classify diseases and other medical problems under a single standard and promote international comparability with treatment and billing. As part of the Health Insurance Portability and Accountability Act (HIPAA) 5010 transition, the U.S. Department of Health and Human Services (HHS) has mandated that all covered healthcare entities be ICD-10 compliant by Oct. 1, 2013.

“The ICD-10 transition will enable the HAC to improve the accuracy and efficiency of claims processing for veterans and their family members,” said Jim Traficant, president, Harris Healthcare. “By migrating to ICD-10, the Health Administration Center continues to lead the healthcare industry in adopting the latest standards to better serve our veterans.”

In a press release accompanying the release of the survey results Dr Peel said “No matter how you look at it, Americans want to control their own private health information. They overwhelmingly believe that they are the only people in the right position to make decisions about how their information can be used. Researchers do not get a free pass.”

The survey reveals that many of the Americans want to be in control of all of their electronic medical records and have the right to limit with whom their doctors, insurance companies and even the government can allow the information to be given to. Some of them showed their worry about the fact that their sensitive information was at risk of being accessed by employers, researchers, ex-spouses and abusive partners.

Dr Peel’s Austin, TX based advocacy group is calling for the creation of a “do not release” list, something that would work along the same lines as the “do not call” lists that telemarketers must abide by. 73% of those surveyed said they would sign up if such a list were ever to be created.

The webinar which has been entitled, “What does HIPAA Compliance mean to an IT Manager?” will be a case study with Catholic Healthcare West. The webcast will explore how Catholic Healthcare West is managing the challenges of rapidly building their healthcare managed file transfer (MFT) ecosystem while continuing to adhere to Health Information Portability and Accountability Act (HIPAA) compliance. Catholic Healthcare West will share their secrets as to how they ensure patient privacy, and build partner networks that make end-to-end management of certain patient files possible.

The webinar will include discussions between Axway and Catholic Healthcare West on how to leverage technology in a way that allows to access critical health information while maintaining security and the public’s trust at the same time. Various companies participating in the webinar will also get an opportunity to share their experiences designing internal project support for building large-scale MFT infrastructure projects and impart lessons learned during deployment.

According to the Security rule, all HIPAA entities must provide a security plan with safeguards in the following areas:

Administrative safeguards: As per HIPAA Security Rule, a covered entity must identify and analyze potential risks to e-PHI, and it must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level. It should also designate a security official who is responsible for developing and implementing its security policies and procedures.

Physical safeguards: A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.

Technical safeguards: A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).

HIPAA Security Rule is especially applicable to HIPAA compliant web designers and web-hosting providers. HIPAA entities looking for secure solutions must make sure that whatever solutions they implement must comply with the security specifications defined in the rule.

URAC’s HIPAA Security Accreditation program provides an emphasis on the fundamentals of ongoing risk managemen. It enables health care organizations to validate their security compliance program to safeguard Protected Health Information (PHI) in accordance with the HIPAA Security Rule. Thus, this rpogram ensure healthcare organizations’ commitment to fair information practices, and also helps them show others that they have taken the necessary steps to protect health information privacy in accordance with the HIPAA Privacy Rule.

“We are thrilled to achieve this high level in health care information security and privacy,” said Jana Skewes, chief executive officer of Shared Health. “The URAC accreditations highlight our commitment to delivering the most secure, best privacy protection practices in our industry through innovative health information technology solutions at the point of care, which is the perfect prescription for better health nationwide.”

Shared Health has shown lead by implementation of a comprehensive security compliance plan, rigorous management policies and procedures, administrative, physical and technical safeguards and special requirements for group health plans. It also met stringent standards for privacy protection, including implementation of a privacy compliance plan, strict policies and procedures, workforce training, disclosures, complaints and special requirements for health plans, group health plans, hybrid entities, health care providers, affiliated covered entities and organized health care arrangements.

“By applying for and receiving the HIPAA Security and Privacy Covered Entity accreditations, Shared Health has demonstrated a commitment to quality health care,” said Alan P. Spielman, URAC president and CEO. “Quality health care is crucial to our nation’s welfare and it is important to have organizations that are willing to measure themselves against national standards.”

Of the 356 practices that MGMA surveyed, just 15.2% had conducted an impact analysis to examine what the practice needed to do to prepare. Most practices said they had either not started preparing (45.2%) or were less than 25% done preparing (26.4%).

However, whether the medical practices participated in the event of 15th June was not revealed by the survey. The Centers for Medicare & Medicaid Services had declared June 15 as National 5010 Testing Day. The American Medical Association and the MGMA had suggested that CMS conduct such an event.

When media circulated various videotaped incidents in a variety of cities across United States in which pharmacies were shown to have disposed of prescriptions and labeled pill bottles containing individuals’ identifiable information in industrial trash containers that were accessible to the public. Rite Aid pharmacy stores in several of the cities were highlighted in media reports. Following this, OCR, which enforces the HIPAA Privacy and Security Rules, opened its investigation of RAC and found it guilty.

Now, Rite Aid Corporation and its 40 affiliated entities has decided to pay $1 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. It has also signed a consent order with the Federal Trade Commission (FTC) to settle potential violations of the FTC Act. Along with this, it has also agreed to take corrective action to improve measures to safeguard the privacy of its customers when disposing of identifying information on pill bottle labels and other health information.

“It is critical that companies, large and small, build a culture of compliance to protect consumers’ right to privacy and safeguard health information. OCR is committed to strong enforcement of HIPAA,” said Georgina Verdugo, director of OCR. “We hope that this agreement will spur other health organizations to examine and improve their policies and procedures for protecting patient information during the disposal process.”

The HHS corrective action plan will be in place for three years; the FTC order will be in place for 20 years.