OCR proposes to expand PIMS in HITECH Act
The Office for Civil Right (OCR) in the Department of Health and Human Services (HHS), in accordance with the Privacy Act, has proposed to modify the Program Information Management System (PIMS), regarding its use of data from organizations concerning breaches of protected health information (PHI).
Published in the Federal Register earlier this month, the notice seeks:
The HITECH Act requires HIPAA covered entities to provide notice to the Secretary of a breach of unsecured PHI within 60 days of discovering a breach that effects 500 or more individuals.
According to the notice, the federal Privacy Act permits OCR to disclose information or records pertaining to an individual without that individual’s consent if the information is to be used for a purpose for which the information was collected. Any such disclosure is known as “routine use,” stated OCR.
OCR proposes to add the following new purposes of PIMS:
Public comment on this notice will be accepted during a 40-day comment period that began April 13. The modified system of record, including routine uses, will become effective at the end of the 40-day period, unless OCR receives comments that require alterations to the notice.
Published in the Federal Register earlier this month, the notice seeks:
- To add the HITECH Act as an authority from which OCR would collect information;
- To add three new purposes of PIMS and six new routine uses to PIMS;
- To expand the categories of information stored in PIMS to include information that covers entities under HIPAA and their business associates that report to the HHS Secretary with respect to a PHI breach.
The HITECH Act requires HIPAA covered entities to provide notice to the Secretary of a breach of unsecured PHI within 60 days of discovering a breach that effects 500 or more individuals.
According to the notice, the federal Privacy Act permits OCR to disclose information or records pertaining to an individual without that individual’s consent if the information is to be used for a purpose for which the information was collected. Any such disclosure is known as “routine use,” stated OCR.
OCR proposes to add the following new purposes of PIMS:
- To collect, maintain and post on the HHS website a list of covered entities that experience breaches of unsecured PHI affecting more than 500 individuals using information reported to the secretary by covered entities (or a business associate on behalf of a covered entity);
- To develop an annual report to Congress regarding breach notification using information reported to the Secretary by covered entities (or a business associate on behalf of a covered entity); and
- To provide technical assistance, training and guidance materials regarding breaches of protected health information.
Public comment on this notice will be accepted during a 40-day comment period that began April 13. The modified system of record, including routine uses, will become effective at the end of the 40-day period, unless OCR receives comments that require alterations to the notice.