HIPAA-HITECH FAQ

Frequently Asked Questions about the HIPAA Security Rule and The HITECH Act

The Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted as part of the American Recovery and Reinvestment Act (ARRA) of 2009, significantly modified and strengthened many aspects of the HIPAA Security Rule, including the penalties that the U.S. Department of Health and Human Services (HHS) could impose for violations of the HIPAA rules.

Benefit from our expertise by completing a HIPAA Security Rule refresher and learn about the sweeping changes to HIPAA overall, the Security Rule and the Contingency Planning standard, in particular. Then, jump-start your Security Rule compliance efforts with our specific guidance, especially around online data backup and recovery, the HIPAA Contingency Plan standard and disaster recovery.

Q1. Why do I need to be HIPAA Security compliant?

01/08/2010 – The HIPAA law requires all health care Covered Entities (CEs) and their Business Associates (BAs) to safeguard the privacy of patient health information. The HIPAA law also requires CEs and BAs to implement required security measures to protect patient health information.

Download the complete HIPAA-HITECH FAQ White Paper as a PDF (coming soon!)

Q2. What is a "Covered Entity?"

01/08/2010 – Covered Entities (CEs) include health care providers (doctors, dentists, therapists, psychologists, pharmacists, etc.) that transmit health information electronically in connection with standard transactions, health care clearinghouses, and health plans (e.g., health insurance companies). Together these are the organizations that electronically store, process or transmit electronic protected health information (EPHI).

Before HITECH, a Business Associate (BA) of a CE that had access to this EPHI was bound to safeguard it only contractually, through a so-called Business Associate Agreement (BAA) with the CE; BAs were not directly regulated by the Security Rule.

The HITECH Act now explicitly places the same comprehensive Security Rule requirements on BAs to ensure that the same level of security is consistent throughout whenever health information is accessed or exchanged between organizations.

Q3. What is a "Business Associate?"

01/09/2010 – A Business Associate is a person or entity who provides certain functions, activities, or services for or to a covered entity, involving the use and/or disclosure of PHI. A Business Associate is not a member of the health care provider, health plan, or other covered entity's workforce. A health care provider, health plan, or other covered entity can also be a business associate to another covered entity. Examples of business associates are:
• A third party administrator that assists a health plan with claims processing
• A CPA firm whose accounting services to a health care provider involve access to protected health information
• An IT service provider who may view unencrypted protected health information
• An attorney whose legal services to a health plan involve access to protected health information
• A consultant that performs utilization reviews for a hospital
• A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer
• An independent medical transcriptionist that provides transcription services to a physician.
• A pharmacy benefits manager that manages a health plan’s pharmacist network.

Q4. What are the objectives of the HIPAA Privacy and Security Rules?

01/08/2010 – The objectives of these rules are to:

• Ensure confidentiality, integrity, and availability of all EPHI that a CE or BA creates, receives, maintains, or transmits
• Protect against any reasonably anticipated threats or hazards to the security or integrity of such EPHI
• Protect against any reasonably anticipated uses or disclosures of EPHI that are not permitted or required

Q5. What is the difference between the HIPAA Privacy Rule and the HIPAA Security Rule?

01/08/2010 – The Security and Privacy Rules are distinct rules, but they are inextricably linked. The privacy of information depends in large part upon the existence of security measures. The HIPAA Security Rule defines the standards that CEs must implement to provide basic safeguards to protect EPHI. The Privacy Rule sets the standards spelling out how CEs may use and disclose PHI and what rights individuals have over it.

In general, the Privacy Rule covers protected health information (PHI) in all forms while the Security Rule only covers PHI in electronic form.

The HITECH Act makes significant changes to all provisions of HIPAA of which the Privacy Rule and Security Rule are a part.

Q6. What does HIPAA mean by "EPHI" and "electronic media?"

01/12/2010 – In general, patient health information that has been converted to, stored in, or transmitted by electronic media is deemed to be "EPHI" and as such is to be controlled and protected under the HIPAA Privacy and Security Rules.

"Electronic media" is defined as:

  • Any electronic storage media including memory in computers (hard drives)
  • Any removable or transportable digital memory medium (magnetic tapes or disk, optical disk, or memory card)
  • Transmission media used to exchange information electronically (Internet, leased lines, dial-up, intranets, and private networks)

Q7. Does the Security Rule cover all patient health information?

01/12/2010 – There is an exception. PHI sent by paper-to-paper fax or spoken over the telephone is not "electronic media" and is not covered by the HIPAA Security Rule, although this information is covered by the HIPAA Privacy Rule.

Q8. What is the definition of "common control?"

01/12/2010 – "Common control" exists if a CE has the power, directly or indirectly, to influence or direct the actions or policies of another entity (e.g., a business associate) in a significant way. This means that CEs as custodians of PHI must secure this information and take appropriate actions to ensure that outside vendors they contracted with also take the necessary safeguards to control and protect this PHI. The HITECH Act now makes the compliance, enforcement and penalties for BAs explicitly clear in that they are also completely covered by the law.

Q9. What is a "standard" as defined by the Security Rule?

01/12/2010 – A standard is a provision of the Security Rule that all CEs and BAs must comply with, specifically with respect to EPHI. There are no exceptions. There are 18 standards defined in the Security Rule. With HITECH, the number of Standards has not changed; however, more explicit guidance and clarity is provided in many areas of the Security Rule and the Privacy Rule as well.

Q10. What are "implementation specifications?"

01/12/2010 – Generally, a standard defines what a CE must do while an "implementation specification" describes how it must be done. There are two types of specifications, those that are "required" and those that are "addressable." Required implementation specifications are critical, and CEs and BAs must implement them.

Addressable implementation specifications may or may not be implemented depending on the outcome of a security risk analysis. For an addressable specification, a CE or BA must:

• ASSESS whether the specification is a reasonable and appropriate safeguard in its environment, and
• IMPLEMENT the specification if it is reasonable and appropriate; or
• if it is not, DOCUMENT why it is not reasonable and appropriate, and implement an equivalent alternative measure if one can be identified that is reasonable and appropriate.

For years, we have been advising both CEs and BAs to treat both "required" and "addressable" specifications as "required". First, it simply makes good business and risk management sense. Second, data and information are becoming more and not less vulnerable, and privacy and security laws are only going to become more stringent over time.

Q11. What is a "risk analysis?"

01/13/2010 – A fundamental design principle in the Security Rule was that "one size does not fit all". That is, organizations needed to first understand the law, second assess their risks vis-à-vis the law and, third, take appropriate actions for their organization to mitigate their risks in order to comply with the law.

"Risk" is defined as the likelihood that a threat will exploit a vulnerability and so breach the safeguards designed to control or protect patient health information, combined with the harm that would result. Risk is quantified by taking into account two factors: (1) the likelihood of the event and (2) the impact (criticality) of the resulting loss.

A "risk analysis" is a systematic and comprehensive assessment of all aspects of information handling, including electronic conversion, processing, storage, or transmission, that could potentially compromise the confidentiality, integrity or availability of patient health information. Thus, the scope of a risk analysis should address all facets of the CE's or BA's computer hardware, software, and networks and associated electronic equipment and systems.

The initial risk analysis should also assess security policies and procedures and technical safeguards, to determine the extent to which they meet the standards contained in the Security Rule. Then CEs and BAs must perform ongoing risk analyses in response to environmental or operational changes.

Risk analysis findings should identify levels of risk and make recommendations to reduce these risks to a reasonable and appropriate level. These findings and their remedies should be documented and retained as a permanent component of the HIPAA Security Rule compliance program. This documentation should take the form of:

• Security Gap Analysis (depicting the difference between the current and the optimal levels of risk)
• Risk Remediation Plan (outlining the process for achieving the optimal levels of risk)

A CE or BA can choose to have a third party perform the risk analysis and thus provide an independent assessment of the organization’s security with respect to the HIPAA Security Standards.

Q12. What kinds of threats to security do CE’s face today?

01/13/2010 – The Security Rule was designed to protect the confidentiality, integrity, and availability of EPHI. Health information that is stored on a computer, processed or transmitted across computer networks, including the Internet, is vulnerable to and must be protected from:

• Hacker and disgruntled employee abuse
• Untrained personnel mishandling
• Exploitation by people not having a "need to know"
• Unplanned system outages
• Burglary and theft
• Fire, flood, and other natural disasters

The Security Rule requires CEs and BAs to assess their exposure to these and other threats.

Q13. What safeguards does the Security Rule mandate for the protection of EPHI?

01/13/2010 – The Security Rule mandates technology-neutral, flexible, and scalable administrative, physical, and technical safeguards that outline which technologies, policies, and procedures should be put in place to ensure adequate ongoing protection of EPHI. These are all based on information security best practices, many of which have been around for decades.

The original HIPAA security provisions did not mandate the use of any particular technical system or safeguard. No specific technical guidance was provided, and the solutions implemented to protect EPHI were chosen on the basis of each organization's own risk assessment.

The HITECH Act changes this, to a degree. HHS must issue guidance annually on the "most effective and appropriate technical safeguards for use in carrying out" the HIPAA security standards.

Although the statute does not state that the technical safeguards set forth in HHS guidance are the only effective and appropriate technical means of satisfying the HIPAA security safeguards, they are by definition the "most effective and appropriate" means of compliance. CEs and BAs that choose not to follow the HHS guidance should be prepared to justify their choice of technical measures that are not the ones HHS considers most effective and appropriate.

Q14. What are some of the electronic security techniques that CEs may have to consider to be compliant?

01/13/2010 – The HIPAA Security Standards are largely technology-neutral. Standards are categorized into Administrative, Physical and Technical. The five technical safeguard standards are: access control, audit controls, integrity, person or entity authentication, and transmission security. Each standard has implementation specifications, which can be required or addressable. Remember, addressable does not mean "optional." The rule lays out the requirements and it is up to each individual organization to determine how best to meet them, including which specific security technologies to implement. Now, however, on an annual basis, HHS is required to issue "…guidance on the most effective and appropriate technical safeguards". HHS is required to assess advances in information technology and security measures that CEs and BAs may use to control and protect their EPHI including, but not limited to:

• Firewalls
• Encryption
• Password authentication
• Digital signatures
• Secure, remote data backup
• Biometric access methods
• Anti-Spyware and Anti-virus software
• Security Auditing and Logging
• Smart cards
• Computerized physician order entry (CPOE) systems

Q15. By what date must CEs and BAs comply with the provisions of the Security Rule?

01/13/2010 – Most CEs were required to be in compliance with the Security Rule by April 21, 2005. However, a large portion of the Privacy Rule required certain Security Rule components to be in place as of April 14, 2003.

BAs must be fully compliant with the Security Rule by February 17, 2010. Remember, HITECH is a game-changer, especially for BAs.
• All of the HIPAA security administrative safeguards, physical safeguards, technical safeguards, and security policies, procedures, and documentation requirements apply directly to all BAs
• HHS (and state attorneys general under the new enforcement provisions) may impose fines directly against BAs of HIPAA covered entities who do not comply with these HIPAA security standards
• New BA security requirements must be added to all business associate agreements
• All civil and criminal penalties applicable to CEs for violating the security provisions are also applicable to BAs

Q16. What are the consequences for non-compliance?

01/13/2010 – The original proposed Security Rule listed penalties ranging from $100 for minor violations up to $250,000 and a 10-year jail term in the case of malicious harm. However, the final Security Rule stated that a separate regulation addressing enforcement would be issued at a later date. Therefore, under the final Security Rule:
• A penalty could be no more than $100 for each violation or $25,000 for all identical violations of the same provision
• A CE could bar the secretary's imposition of a civil money penalty by demonstrating that it did not know that it violated the HIPAA rules
• BAs were not directly subject to liability and penalties

Here again, HITECH literally raises the ante in a very significant way. A new Civil Monetary Penalty (CMP) system makes monetary penalties mandatory for violations involving "willful neglect" as of Feb. 17, 2011. Subsection 13410(c) requires civil penalties collected under the HITECH Act to be funneled back into the enforcement budget of the HHS Office for Civil Rights. Section 13410(d) strengthens enforcement by establishing tiered ranges of increasing minimum penalty amounts, with a maximum penalty of $1.5 million per calendar year for all violations of an identical provision. A CE, and now a BA, can no longer bar the imposition of a civil money penalty for a violation it did not know about unless it corrects the violation within 30 days of discovery.

The Tiered CMP System (the per-violation amounts are minimums; each annual cap applies to all violations of an identical provision within one calendar year):
• Tier A is for violations the offender did not know about and, exercising reasonable diligence, would not have known about.
o $100 fine for each violation, and
o $25,000 maximum total imposed for the calendar year.
• Tier B is for violations due to reasonable cause, but not "willful neglect."
o $1,000 fine for each violation, and
o $100,000 maximum total imposed for the calendar year.
• Tier C is for violations due to willful neglect that the organization corrected within 30 days of discovery.
o $10,000 fine for each violation, and
o $250,000 maximum total imposed for the calendar year.
• Tier D is for violations due to willful neglect that the organization did not correct.
o $50,000 fine for each violation, and
o $1,500,000 maximum total imposed for the calendar year.

The new penalty tiers apply to violations occurring after HITECH's enactment on February 17, 2009. HHS will use the CMP proceeds to further enforce the HIPAA privacy and security standards, and within 3 years of enactment HHS must promulgate a regulation distributing a percentage of CMP proceeds directly to harmed individuals. This gives individuals a direct incentive to report alleged violations to HHS and state attorneys general. It's going to get exciting depending on which side of a violation you stand!

At the same time, there are other perhaps more serious consequences for CEs than potential penalties. These include the loss of the CE's reputation and expensive lawsuits. Should a security breach occur in which EPHI is accessed by an unauthorized user, a CE could lose the trust of its patients, members, physicians and partners. HIPAA's high standard could be cited as the standard of care in civil litigation, creating the potential for even larger civil judgments and settlements.

Q17. In summary, what are the most significant changes brought about by the HITECH Act?

01/13/2010 – Before, during and after the HIPAA Security Final Rule took effect in April 2005 there was confusion and turmoil among CEs, BAs, security professionals and government officials. It took years for people to figure out their roles and requirements under the then-new rules… and many still have not complied.

Now, with the issuance of changes under the HITECH Act, as part of American Recovery and Reinvestment Act (ARRA) of 2009, it’s still surprising to hear some of the mis-statements.

o "Our XYZ product is HIPAA compliant"
o "The HITECH Act doesn’t change HIPAA, it just pushes electronic medical records."
o "It doesn’t apply to my small medical practice."
o "Business Associates have to comply just as they did before."
o "Installing the EMR doesn't change what we do in our office."
o "Enforcement is only for Covered Entities; BAs just follow the contract."

As stated above, HITECH is the largest and most consequential expansion and change to the federal privacy and security rules ever. The fifteen (15) change areas comprise new federal privacy and security provisions that will have major financial, operational and legal consequences for all hospitals, medical practices, health plans, their BAs and now some vendors and service providers that were not previously considered BAs.

Following is a list of key things to know about changes brought about by The HITECH Act:

Enforcement is strengthened significantly
1. Penalties are increased in the new Civil Monetary Penalty (CMP) System
2. Enforcement is more proactive, more punitive and by more parties
3. Additional audit authority is now provided to HHS to audit CEs and BAs
Business Associates and others are fully and completely "in scope"
4. BAs are now statutorily obligated to comply with the relevant regulations
5. New temporary breach notification requirements are added and apply to vendors of personal health records
Security Provisions are strengthened and clarified
6. Data protected is expanded beyond EPHI to include other personal information
7. More specific guidance on technical safeguards is provided by HHS annually
8. New data breach notification requirement is first-time Federal legislation on same
Privacy Provisions are strengthened and clarified
9. Individual right to request restrictions on use and disclosure of PHI is now mandatory
10. The definition of "minimum necessary" PHI to use/disclose is clarified
11. Disclosure accounting is strengthened – the treatment, payment and health care operations exception no longer applies to disclosures made through an electronic health record
12. There are now tighter restrictions on use of protected health information for marketing purposes
13. Individuals must be offered a clear and conspicuous opt-out opportunity for fund-raising communications
14. Consumers now have the right to receive an electronic copy of their PHI
15. Prohibits a CE or BA from receiving payment in exchange for PHI without the individual's authorization (subject to limited exceptions)

Q18. What are the most significant changes brought about by the HITECH Act for Business Associates?

01/13/2010 – The two most significant changes in the HITECH Act for business associates of HIPAA covered entities are (a) requirement that business associates comply directly with Security Rule provisions directing implementation of administrative, physical and technical safeguards for electronic protected health information and (b) expanded breach notification rules for both covered entities and their business associates.

Q19. What is the Contingency Plan Standard and what must I do to comply?

01/13/2010 – The Contingency Plan Standard is one of nine (9) standards in the Administrative Safeguards category of the HIPAA Security Final Rule. As a reminder, there are a total of eighteen (18) standards in three safeguards categories: Technical, Physical, and Administrative. It is important to note that the Contingency Plan Standard is not a Technical safeguard; this underscores that contingency planning is a business risk management problem and not an "IT problem".

This Standard is very explicit about, among other risk management actions, backing up EPHI and ensuring its recoverability in the event of a data loss event. Like all others, this standard has implementation specifications, which can be required or addressable. Remember, addressable does not mean "optional." The exact wording in the law follows below:

§ 164.308 Administrative safeguards.
(7) Standard:
(i) Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.
(ii) Implementation specifications:
(A) Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
(B) Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data.
(C) Emergency mode operation plan (Required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
(D) Testing and revision procedures (Addressable). Implement procedures for periodic testing and revision of contingency plans.
(E) Applications and data criticality analysis (Addressable). Assess the relative criticality of specific applications and data in support of other contingency plan components.

In plain English, CEs and BAs must securely backup and, most importantly, be able to fully restore or recover EPHI in the event of a data loss event. Furthermore, as part of recovery and during any emergency mode operations, the same set of security requirements that apply under normal business operations must also apply during emergency mode – CEs and BAs cannot let their guard down. For example, many practices fail in this regard because their data backup solution does not encrypt the data in storage or during recovery.

Q20. What parts of the Contingency Plan Standard regarding data backup are optional?

01/22/2010 – No parts of the Contingency Plan Standard are optional! All CEs, including all providers and specifically medical practices, and all BAs must securely back up "retrievable exact copies of electronic protected health information." (45 CFR 164.308(a)(7)(ii)(A)) For many organizations, data backups will serve as the last line of defense for business continuity and, likely, as a defense against a data breach becoming a data loss.

Q21. The law does not say it’s necessary to get data backups offsite. Why bother?

01/22/2010 – Your data must be recoverable; you must be able fully "to restore any loss of data." (45 CFR 164.308(a)(7)(ii)(B)) There are many circumstances in which data backups stored onsite are at risk of loss and, therefore, not in compliance with the law. Therefore, you must get your data offsite – call it common sense or risk management, as required by the HIPAA Security Final Rule (45 CFR 164.308(a)(1)). How could one defend a data backup / disaster recovery plan that stored backup copies of EPHI in the same location as the original data store?

Q22. Does the Data Backup Plan specification require that I backup my data more than once a day?

01/22/2010 – No! However, you must back up your data frequently – again, call it common sense or risk management, as required by the HIPAA Security Final Rule (45 CFR 164.308(a)(1)). In today's real-time transactional world, a server crash, database corruption or erasure of data by a disgruntled employee at 4:40pm would result in a significant data loss event if one had to recover from last night's data backup. Moreover, the law requires CEs and BAs to securely back up "retrievable exact copies of electronic protected health information." Last night's backup tape or disk would hardly meet the requirement of a "retrievable exact copy" of today's data.

Q23. Must I encrypt my data backup tapes or disks?

01/22/2010 – Yes! Under HITECH's breach notification provisions, HHS guidance treats PHI as "unsecured" unless it has been encrypted or destroyed in accordance with that guidance, so the loss of unencrypted media is a reportable breach. The Security Rule itself lists encryption as an addressable implementation specification for both stored EPHI and EPHI in transmission, and, remember, addressable does not mean optional. Many CEs and BAs fail in this area because tape- or disk-based backups are moved around freely, unencrypted. If that media is lost or stolen, it will likely be a direct violation of the HIPAA Security Rule and of a growing number of state privacy laws, and it will trigger the HITECH Breach Notification Rule: notification to the affected patients is always required; notification to HHS is always required (at the same time as the patients are notified for breaches affecting 500 or more individuals, otherwise through an annual log); and a breach affecting more than 500 residents of a state also requires notification to prominent local media. The business/reputation risk is far greater than the compliance risk, and the latter is no longer trivial.

Q24. Isn’t just backing up data enough? Do I have to have a written plan?

01/22/2010 – You must have written procedures for your data backup and recovery plan. Policies and procedures (45 CFR 164.316(a)) and documentation (45 CFR 164.316(b)) are a huge part of the HIPAA Security Final Rule. Again, common sense and business best practices require a documented business resumption plan that includes key components such as a business continuity plan, a disaster recovery plan and a data backup and restoration plan. All key components must be capable of being tested.

Q25. Do I need to test my data backup and recovery plan?

01/22/2010 – You must test your recovery. Backup is useless if your recovery fails, and therefore the law requires that you "Implement procedures for periodic testing and revision of contingency plans." (45 CFR 164.308(a)(7)(ii)(D)) Unfortunately, testing tape-based or disk-based recovery can be time-consuming and arduous. As a result, most companies rarely test their plans on a regular basis.
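The "retrievable exact copy" requirement (Q19, Q20) and the testing requirement (Q25) can be exercised together with a small restore drill. The following is an added example written for this FAQ, not code from the original page: it writes a few constructed sample files standing in for EPHI (fake data, not real patient information), archives them, restores the archive into a fresh directory, and compares a SHA-256 manifest taken at backup time against the restored tree, so any missing, altered or extra file is reported. Encrypting the archive (Q23) is a separate step that this example does not perform. All file and directory names are made up for the illustration.

```python
"""Added example: a backup/restore drill that verifies the restored files are
exact copies of what was backed up (not part of the original FAQ)."""
import hashlib
import os
import tarfile
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large EPHI stores never load whole into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map of relative path (forward slashes) -> SHA-256 for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def create_backup(root, archive_path):
    """Archive root into a gzip'd tar and return the manifest recorded at backup time."""
    manifest = build_manifest(root)
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(root, arcname=".")
    return manifest


def restore_backup(archive_path, dest):
    """Extract the archive into dest. The "data" filter (Python 3.12, backported to
    3.8.17/3.9.17/3.10.12/3.11.4) refuses members that would escape dest; older
    interpreters fall back to plain extractall, acceptable only for archives we created."""
    with tarfile.open(archive_path, "r:gz") as tar:
        try:
            tar.extractall(dest, filter="data")
        except TypeError:
            tar.extractall(dest)


def verify_restore(manifest, restored_root):
    """Return a sorted list of (relative path, problem) for every deviation from an exact copy.
    An empty list means the restore reproduced the backup-time manifest exactly."""
    problems = []
    for rel, expected in manifest.items():
        path = os.path.join(restored_root, rel)
        if not os.path.isfile(path):
            problems.append((rel, "missing"))
        elif sha256_file(path) != expected:
            problems.append((rel, "hash mismatch"))
    for rel in build_manifest(restored_root):
        if rel not in manifest:
            problems.append((rel, "unexpected file"))
    return sorted(problems)


# Constructed sample data standing in for EPHI; not real patient information.
SAMPLE_FILES = {
    "patients/00042.json": b'{"mrn": "00042", "name": "Test Patient", "dob": "1970-01-01"}',
    "db/visits.sqlite": bytes(range(256)) * 64,
}


def restore_test(sample_files=SAMPLE_FILES, tamper=None):
    """End-to-end drill: write the sample files, back them up, restore into a fresh
    directory and verify. If tamper names a relative path, one byte is appended to that
    restored file to simulate a corrupt recovery, which verification must report."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "ephi")
        for rel, data in sample_files.items():
            path = os.path.join(src, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        archive = os.path.join(work, "ephi-backup.tar.gz")
        manifest = create_backup(src, archive)
        dest = os.path.join(work, "restore")
        os.makedirs(dest)
        restore_backup(archive, dest)
        if tamper is not None:
            with open(os.path.join(dest, tamper), "ab") as f:
                f.write(b"\x00")
        return verify_restore(manifest, dest)


if __name__ == "__main__":
    print("clean restore  :", restore_test() or "exact copies verified")
    print("corrupt restore:", restore_test(tamper="db/visits.sqlite"))
```

In a real drill the manifest would be signed or stored separately from the archive, the restore would be run against a copy of the production backup media (tape, disk or offsite copy) on a machine other than the one that produced it, and the result, including any mismatches and how they were resolved, would be kept as the documentation that 164.308(a)(7)(ii)(D) asks for.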

Q26. What are the most common mistakes that CEs or BAs make when it comes to data backup and disaster recovery?

01/26/2010 – Let's focus on the eight (8) deadly sins! Despite the Contingency Plan Standard and the historical challenges CEs and BAs have had with data backup and recovery, many continue to fail to fix and/or address their problems. Here are the most common "sins" we see committed on a regular basis… Perhaps you can relate to a few of them?

Sin #1: No Backup Plan
Too often, backup is not perceived as a strategic, value-added activity for small businesses. As a result, there is no formal plan and critical data is left at risk. Every CE and BA, regardless of size, needs a data protection strategy to ensure business continuity.

Sin #2: Backup is Not Taken Offsite
To minimize cost, CEs and BAs routinely overlook getting data securely off-site. In some of the "best cases", we hear of tapes, USB drives or "thumb drives" stored in office drawers, purses or the back seat of a car!

Sin #3: Bad Backup Plan
Many CEs and BAs only back up their data nightly or on a weekly basis. Some don't even back up the correct data. This leaves a large "window of vulnerability" during which critical data can be lost. Is it sufficient for your business to recover from yesterday's backup if your server crashes at 5pm today?

Sin #4: Over Reliance on Disk Media or Tape Media
Up to seventy (70) percent of recoveries from tape- or disk-based backups fail. Additionally, most CEs and BAs do not have the IT resources to consistently and reliably handle tape or disk management and off-site storage.

Sin #5: Our Office Manager Can Do It
Forgiveness time! There are simply too many moving parts in tape or disk backup schemes and it’s too much for mere mortals to do. When was the last time your tape or disk backup log was checked?

Sin #6: No Regular Testing of Backup and Recovery
Backup is useless if your recovery fails. Testing tape-based recovery can be time-consuming, and most companies rarely do it. When was the last time you completed a successful restore of your data from a tape or disk media?

Sin #7: "It Won't Happen To Me"
Data loss events are inevitable. Critical data loss can result from a variety of causes including human error, computer virus, hardware or software system failure, power disruption, fire or natural disaster. There are two kinds of businesses: those that have had a major data loss event and those that will.

Sin #8: Backup Data / Media is Not Encrypted
Good news – Bad news. Too often we see tape- or disk-based backup media taken offsite (good news) as part of a data protection plan. Unfortunately, if that media is lost or stolen, it will likely be a direct violation of the HIPAA Security Law and a growing number of state privacy laws.

Q27. Where can I find the complete language in the final Security Rule and HITECH Act?

01/13/2010 – The following link will take you directly to the final Security Rule in the Federal Register:

http://www.DataMountain.com/files/1202/File/HIPAA_Security_Final_Rule.pdf

The following link will take you directly to the final ARRA Law, including the HITECH Act, which is Title XIII and begins on page 112:

/files/Full_ARRA_Law_incl_HITECH_Act.pdf

Q28. In practical terms, what should I do first?

01/13/2010 – Whether you are a CE or a BA, we recommend following this short checklist of critically important actions as soon as possible:

• Read the original Final Rule to make sure you understand how it applies to you
• Read the provisions in the HITECH Act related to Privacy and Security
• Immediately increase privacy and security as a compliance priority in your practice or business.
• Remember that the HITECH Act significantly alters the entire HIPAA enforcement environment by increasing the penalties and, in many situations, eliminating enforcement discretion not to impose penalties
• Charter a formal HIPAA Security team of dedicated internal staff members and/or outside experts
• As a BA, anticipate significant amendments to your business associate agreements; consider how you will comply with the host of new privacy and security rules that now apply to you
• As a CE, make sure all business associate contracts are modified by February 17, 2010—All of the added HIPAA privacy requirements applicable to covered entities will also be applicable to business associates. As a result, all covered entities must incorporate these new requirements into their contracts with business associates by February 17, 2010 at the latest
• Conduct a complete risk assessment—Your assessment should first and foremost identify all personal health information (PHI) records (both paper and electronic) that you work with in your company. Determine the risks to PHI security that exist in your company and spell out all the controls you have in place for safeguarding PHI
• Conduct a comprehensive HIPAA Security Assessment to ascertain your current security state of affairs
• Prepare a Preliminary Risk Remediation Plan outlining those actions requiring your immediate attention
• Create a plan to mitigate your major risks—Once you’ve done your risk assessment and identified your top risks, you’ll need to then create a written plan with the appropriate controls to address these risks. You’ll also need to implement the controls from your plan into your organization’s business practices
• Update policies and procedures—Take a good look at your policies and procedures and determine what needs to be updated or enhanced for compliance with HITECH. Also, BAs are now subject to HHS audits and will need to be able to produce documentation (such as policies and procedures) proving that they have formal steps in place to safeguard PHI
• Consider whether all of your uses, disclosures, and requests for protected health information are in compliance with the "minimum necessary" standard, now that a "limited data set" has been defined as compliance with that standard
• Consider whether and how changes to the marketing, fundraising, and restriction request rules affect your operations; and how the new disclosure accounting and breach notification rules factor into your choices regarding health information systems and infrastructure
• Document all decisions made and risks that are deemed accepted
• Ensure that all employees (including all clinicians and upper management) are trained on their roles and responsibilities with respect to the Security Rule and HITECH Act
• Maintain an ongoing program for monitoring your environment and operational processes for HIPAA Security Rule compliance

Q29. How can Data Mountain help?

01/13/2010 – Data Mountain assists health care companies and medical practices throughout the U.S. with all matters related to data protection, data backup and recovery, disaster recovery, and data security, and helps our clients comply with HIPAA Security Rule standards and the new HITECH Act provisions.

To assist our customers with the burdensome impact of the HIPAA Security Rule and the HITECH Act security and privacy provisions, we have developed a set of tools and techniques to streamline the HIPAA Security Rule compliance process. We offer these to our customers on a gratis basis.

Our specific business focus is to help our customers comply with the Contingency Plan Standard within the HIPAA Security Rule (§ 164.308 Section 7. Contingency plan). To address the specific specifications within that Standard, we offer the world’s most secure, most reliable, most utilized and yet easiest-to-use online data backup and recovery solutions:

o LiveVault® Server Backup and Recovery
o Connected® PC and MAC Backup and Recovery
o Virtual File Store®
o Total Email Management Suite®
o Digital Record Center for Medical Images®

Q30. Why Data Mountain for HIPAA-HITECH online data backup and recovery solutions?

01/13/2010 –
(1) We know the HIPAA Security Law and HITECH provisions inside and out!
(2) We are experts in business continuity and disaster recovery planning!
(3) We offer the very best online data backup and recovery services in the world, bar none!
(4) We know the nuances, subtleties and ins and outs of healthcare data protection cold!
(5) We back up your entire server to ensure protection and enable the fastest possible recovery!
(6) And, our plans start as low as $134/month for up to 100 GB of data under protection.

If you feel that retaining outside expertise in this area is the right approach for you, we offer quick and cost-effective solutions and free access to our tools, beginning with our HIPAA Security Assessment (HSA). For more information or to schedule a HIPAA-HITECH Security compliance presentation at your offices, please contact us on (800) 704-3394.
