The U.S. Department of Health and Human Services (HHS) recently released a security risk assessment (SRA) tool as a resource to assist health care providers in complying with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
The Security Rule applies to HIPAA “covered entities”—which include health plans, health care clearinghouses, and most health care providers—that handle electronic protected health information (ePHI). The Security Rule also applies to “business associates” that perform functions or services on behalf of covered entities involving ePHI. The Rule requires covered entities and business associates to conduct a risk assessment to identify possible gaps in their information security programs in order to help ensure that patient information is protected against data breaches or other security events.
The U.S. Department of Health and Human Services sent a strong message to local governments last week when it reached a settlement with Skagit County, Washington over alleged violations of the Health Insurance Portability and Accountability Act. This is the first time that HHS has settled charges against a local—and not state-level—government entity for HIPAA violations.
The U.S. Department of Health and Human Services Office of the Inspector General issued two reports yesterday criticizing the Centers for Medicare and Medicaid Services (“CMS”) and the Office of the National Coordinator for Health IT (“ONC”) for doing too little to protect the security of patient health information. The first report, Nationwide Rollup Review of the Centers for Medicare & Medicaid Services HIPAA Oversight, found that CMS oversight and enforcement “were not sufficient to ensure that covered entities, such as hospitals, effectively implemented the Security Rule.”