01-22-14 
MG Logo  + What and How
 
The information we provide is our opinion and does not constitute legal advice.
  
We hope you find this column useful. Please let us know.
  
The MalvernGroup Team
MalvernGroup on Twitter
.
Did you know that we post our alerts on Twitter? You can access prior alerts on Twitter here. Retweet us! 
 
HIPAA Checkup
  
Delay of Revision of Notice of Privacy Practices (NPP) HIPAA Requirement for CLIA and CLIA-Exempt Laboratories

 

This is the 5th in the HIPAA Checkups focused on the Office for Civil Rights (OCR) recently published Guidance documents on the changes the within the Omnibus Rule.

 

The Omnibus Rule, published in January 2013, modifies the section in the Privacy Rule that is focused on the Notice of Privacy Practices (Notice). [See 45 CFR 164.520 Notice of privacy practices for protected health information].

 

The changes under the Omnibus rule were to be updated by all Covered Entities September 23, 2013.

 

On September 19, 2013, OCR delayed the implementation of the

Notice updates under the Omnibus Rule indefinitely for certain HIPAA-covered laboratories "until further notice".

 

The delay applies to HIPAA-covered laboratories that are subject to CLIA (Clinical Laboratory Improvements Amendments of 1988) or exempt from CLIA and that are not required at this time to provide an individual with access to their laboratory test reports under � 164.524 (Access of Individuals to Protected Health Information) of the HIPAA Privacy Rule. 

 

The Enforcement Delay does not apply to laboratories that operate as part of a larger entity, such as a hospital or a stand-alone outpatient clinic, and do not have laboratory-specific Notices that differ from the 

entity's notice.  

 

This delay was announced as OCR anticipates publishing an amendment to the HIPAA Privacy Rule and the Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations regarding the right of individuals to receive their test reports directly from CLIA and CLIA-exempt laboratories.

 

These complimentary modifications were proposed in the Federal Register on September 14, 2011 (76 FR 56712).  

 

If the amendment is finalized as it was proposed in September, 2011, it would result in a material change to the privacy practices of the HIPAA-covered laboratories. 

 

As a result, the affected laboratories would need to update their

notices twice in a short period of time, one for the Omnibus Rule material changes, and the new right for a patient to receive test results directly from a HIPAA- covered laboratory.

 

What this means is that OCR will not take enforcement action against the HIPAA-covered laboratories or impose Civil Money Penalties if the

laboratories did not update their

notice by September 23, 2013, with the Omnibus Rule changes. 

 

OCR stated within the guidance that it "will issue a notice at least 30 days in advance to advise the public when this enforcement delay will end".

 

Practically, today many laboratories already send the test results two places:

  • Directly to the requesting provider and;
  • Directly to the patient at the same time.

When the legal modifications an individual's rights for direct access to test results are published in the federal register, HIPAA-covered laboratories will need to update their 

Notices with both the Omnibus Rule changes and the individual right change, however, the requesting provider and the patient may not experience any changes to what occurs now.

 

The industry is now a year beyond the Omnibus Rule, and four months beyond the Notice delay, and there has been no publication in the federal register making final the modifications to � 164.524 for individuals to receive test results at the same time as the ordering provider.

 

We will include a notice in our MalvernGroup Alert when the modifications are published.

 

In Case You Missed Last Week's Checkup click here

Next Alert's Checkup Topic
Enforcement Guidance  
  
       
 
  Here are this week's alerts
 
Hackers Target Health Data in New Breach
 
Click here for the healthcareitnews.com article
  
Southwest General Notifies Obstetrics Patients of Privacy Breach
 
Click here for the cleveland.com article
  
New ONC National Coordinator Dr. Karen DeSalvo: EHR Incentive Program Is on Track  
 
Click here for the healthit.gov article
  
WEDI ICD-10 Testing Concerns
 
Click here for the wedi.org article
  
Will OCR Leadership Changes Affect Healthcare Organizations?  
 
See what Sue Miller, our team member has to say!

Click here for the healthcareit.com article
  
Privacy and Security Tiger Team lays out 2014 Agenda
 
Click here for the healthitsecurity.com article
  
VA, DoD Get Tighter Leash With iEHR Cash
 
Click here for the healthcareitnews.com article
  
Agency Veterans Fill CMS Technology, Oversight Roles
 
Click here for the govhealthit.com article
  
Breach Notification Bills Pile Up in Senate
 
Click here for the govinfosecurity.com article
  
Report: Healthcare Still "Highly Dependent" on Paper Records
 
Click here for the beckershospitalreview.com article
  
Study Calls for Shift in Focus in EHR, Meaningful Use Studies
 
Click here for the anals.org study abstract

Click here for the ihealthbeat.org article
  
ONC Delaying Launch of Blue Button Connector Until February
 
Click here for the ihealthbeat.org article
  
IEEE Partners With Software Company to Foster Interoperability Through Middleware Application
 
Click here for the beckershospitalreview.com article
  
HHS Makes Progress On Health IT Safety Plan With Release Of The SAFER Guides
 
Click here for the healthit.gov article
  
Attack Security Literacy With Brute Force
 
Click here for the techtarget.com article
  
Obama Orders Review on Use of Big Data
 
Click here for the govinfosecurity.com article
  
Why Cyber-Attack Drills Are Important
 
Click here for the healthcareinfosecurity.com article
  
Drumbeat of Data Breaches Sounds Computer Literacy Alarms
 
Click here for the gcn.com article
  
Healthcare InfoSec Survey Closing Soon
 
Click here for the healthcareinfosecurity.com article
  
The Security Themes That Will Define 2014
 
Click here for the csoonline.com article
  
Annual Report Notes "remarkable" Malware Spike In Targeted Industries
 
Click here for the scmagazine.com article

Click here for the CISCO report
  
Insecure healthcare.gov Allowed Hacker To Access 70,000 Records In 4 Minutes
 
Click here for the computerworld.com article
  
Measuring mHealth ROI In Minutes Saved
 
Click here for the mhealthnews.com article
  
Why Aren't Doctors More Tech-Savvy
 
Click here for the nextgov.com article
  
The 25 Worst Passwords Of 2013: 'password' Gets Dethroned
 
Click here for the pcworld.com article
  
In Case You Missed It
  
Data Breach at Phoebe Putney Memorial Hospital Affects 6,700
  
Click here for the beckershospitalreview.com article
  
7 Security Mistakes People Make With Their Mobile Device
  
Click here for the slideshow

 

IRS Seizes 60M Medical Records for Massive Tax Fraud Investigation
  
Click here for the healthcareitnews.com article
Featured Product: Breach Response Policy and Procedures for Covered Entities
 
Click here to see why you need this product
 
About Us

MalvernGroup and its Team Members provide HIPAA privacy, security, and business continuity consulting services. MalvernGroup and Susan A Miller J.D. publish this email newsletter, a weekly commentary on healthcare news and events, comprehensive regulatory analysis, briefings, and how-to documents. Click here for additional information

 Click here to tell us what you need

 See prior MalvernGroup Alerts on twitter

 Thank you for your continued interest

 The MalvernGroup Team