Dermatology Practice Settles in First-of-Kind Breach
HHS has reached a $150,000 settlement with a Massachusetts-based dermatology practice. The settlement comes after the practice failed to issue and enforce policies and procedures sufficient to avoid and mitigate breaches under the Health Information Technology for Economic and Clinical Health Act. The practice reported a breach in October 2011 when a flash drive was stolen from an employee’s car. The drive contained unencrypted protected health information (PHI) of 2,200 individuals. However, the practice did not properly analyze the risks to the confidentiality of electronic PHI until one year later. Additionally, the practice did not issue policies and procedures, as required by the Health Insurance Portability and Accountability Act (HIPAA), to properly train employees until February 2012.
Proposed Rule for Gun Background Checks
HHS has proposed a rule that will allow HIPAA-covered entities to disclose information to the National Instant Criminal Background Check System and identify individuals barred from possessing firearms. The individuals subject to this disclosure would be those who are disqualified from receiving, possessing, shipping, or transporting firearms based on the federal mental health prohibition. Comments on this rulemaking are due March 10, 2014. The Department of Justice has also proposed a regulation to clarify the types of individuals and mental illnesses to which the prohibition and disclosures apply.
HIPAA Mental Health Guidance
The Department of Health and Human Services Office of Civil Rights has recently issued guidance that clarifies a provider’s ability to share mental health records with a patient’s family and friends. The guidance illuminates provider responsibility under HIPAA’s privacy rule.
Direct Patient Access to Lab Results
CMS has released a final rule that will allow patients to have direct access to laboratory test results. In order to facilitate the access, the rule will modify the Clinical Laboratory Improvement Amendments of 1988 and HIPAA. The rule will preempt any adverse state laws and will take effect April 7, 2014. HIPAA-covered laboratories will have six months to come into compliance with the rule, which requires that they provide patients or their representatives with results within 30 days of a request.