More importantly, I hope the NPRM has some effect on the business leaders and managers of organizations (Covered Entities, Business Associates and, newly proposed, Business Associate “subcontractors”) that ought to be doing something about privacy and security!

This NPRM is a good one! “Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act”.

Some pundits are proclaiming they’ve studied the 234-page NPRM! No doubt, that will impress you about the blogger’s reading skills and chronic insomnia. I did read the official 58-page version published in the Federal Register, so there!

In announcing the NPRM, HHS Secretary Kathleen Sebelius said, “To improve the health of individuals and communities, health information must be available to those making critical decisions, including individuals and their caregivers. While health information technology will help America move its health care system forward, the privacy and security of personal health data is at the core of all our work.”

There’s much to discuss, but my comments in this post focus on HIPAA Security and Business Associates. The HIPAA Security Rule is where the greatest amount of neglect, ignorance and non-compliance exists and from which the continued inexplicable and most egregious data breaches emanate. (As of this writing, since HHS started posting “data breachers” in February 2010 on the HHS data breach “wall of shame”, Covered Entities and their Business Associates have impermissibly disclosed the Protected Health Information of ~3.5 million fellow Americans – equivalent, almost, to the entire population of Los Angeles!)

1. Let’s stick with data and facts for those seeking real information, not opinions:
   The official HHS Press Release on this NPRM: http://www.hhs.gov/news/press/2010pres/07/20100708c.html
2. The official NPRM was issued on July 14, 2010: http://hipaasecurityassessment.com/wp-content/uploads/2010/07/Modifications-to-the-HIPAA-Privacy-Security-and-Enforcement-Rules-under-HITECH.pdf
   A Notice of Public Rule Making is not the final regulation. It is a notice and an invitation for public comment.
3. Public comments are due in roughly 60-days; therefore, September 13, 2010.
4. Comments received will be considered and possibly incorporated into the Final Rule over a time period that could extend through the end of the year, December 2010.
5. While it’s important to get started (I’m a strong advocate), as stated in the NPRM, there is some time: “In addition, we recognize that covered entities and business associates will need some time beyond the effective date of the final rule to come into compliance with the final rule’s provisions. In light of these considerations, we intend to provide covered entities and business associates with 180 days beyond the effective date of the final rule to come into compliance with most of the rule’s provisions.”
6. Fundamentally, the standards and the specifications in the HIPAA Security Final Rule stand as written – there are no sweeping, dramatic changes that make compliance any more or less difficult. Compliance is still a (large, non-trivial) business risk management project (not an IT project) and is still a journey, not a destination.
7. As it relates to the Security Rule and as we knew from the HITECH Act statutes, the single biggest changes for Security Rule compliance come in the form of a much, much larger net that is cast to now include not only Business Associates but also Business Associates Subcontractors. “Therefore, consistent with Congress’ intent in sections 13401 and 13404 of the Act, as well as its overall concern that the HIPAA Rules extent beyond covered entities to those entities that create or receive protected health information, we propose that downstream entities that work at the direction of or on behalf of a business associate and handle protected health information would also be required to comply with the applicable Privacy and Security Rule provisions in the same manner as the primary business associate, and likewise would incur liability for acts of noncompliance.”

What Actions You Should Take Now:

1. Familiarize yourself with the proposed changes; discuss with your attorney and/or HIPAA Consultant
2. Don’t set your hair on fire yet!
3. If you’ve not already done so, start your HIPAA Security Compliance work by completing an honest self-assessment of where you stand (we may be able to assist you).
4. Sink your teeth into this Business Associate and subcontractor matter, whether you are a Covered Entity, Business Associate or Business Associate subcontractor. I predict that all parties in the “chain of trust” or “chain of custody” will be statutorily obligated to comply with the law AND be subject to the new Civil Monetary Penalty system:
   1. Document your “ePHI data life cycle” for all ePHI that you create, receive, maintain or transmit to understand your “chain of custody”
   2. Complete an exhaustive inventory of your upstream and downstream “chain of custody” relationships
   3. Hold a Business Associate conference or webinar or workshop to take a more active role to ensure your Business Associates become compliant with the Privacy and Security requirements
   4. Update your standard Business Associate Agreement to reflect the requirements of the HITECH Act
   5. Start re-executing or executing Business Associate Agreements to get this critical area under control

If we may be of any assistance, please do not hesitate to call or write.

With all the “renewed” interest in HIPAA Security Rule compliance, driven by The HITECH Act, we have designed several new webinars to help Covered Entities (CEs) and Business Associates (BAs) restart their compliance efforts.

In March and April, our Complimentary live webinar offerings are listed below with direct links to see the overview and learning objectives of each webinar:

• HIPAA Security, The HITECH Act and Contingency Planning – Wednesday, 3/17/2010 – 4pm ET / 3pm CT / 1pm PT
• How to Avoid the new Health & Human Services ‘Wall of Shame” – Friday, 3/19/2010 – 2:30pm ET / 1:30pm CT / 11:30am PT – (new!)
• The Truth About HIPAA Security, The HITECH Act and Data Backup – Tuesday, 3/23/2010 – 2:30pm ET | 1:30pm CT | 11:30am PT – (new!)
• A Buyer’s Guide – What to Look For in Online Backup and Recovery Services – Thursday, 3/25/2010 – 2:30pm ET | 1:30pm CT | 11:30am PT – (new!)
• How The HITECH Act Raises the Ante on HIPAA Security Rule Compliance -  Tuesday, March 30, 2010 – 2:30pm ET | 1:30pm CT | 11:30am PT – (new!)

If there is a data protection topic you would like us to cover and do not see it listed, please contact us using the information below.

Attend one of our HIPAA-HITECH Data Protection Webinars… Register Today!

With all the “renewed” interest in HIPAA Security Rule compliance, driven by The HITECH Act, we have designed several new webinars to help Covered Entities (CEs) and Business Associates (BAs) restart their compliance efforts.

In March and April, our Complimentary live webinar offerings are listed below with direct links to see the overview and learning objectives of each webinar:

• PC Encryption Regulatory Compliance – Tuesday, 3/9/2010 – 2:30pm ET | 1:30pm CT | 11:30am PT
• HIPAA Security, The HITECH Act and Contingency Planning – Wednesday, 3/17/2010 – 4pm ET / 3pm CT / 1pm PT
• How to Avoid the new Health & Human Services ‘Wall of Shame” – Friday, 3/19/2010 – 2:30pm ET / 1:30pm CT / 11:30am PT – (new!)
• The Truth About HIPAA Security, The HITECH Act and Data Backup – Tuesday, 3/23/2010 – 2:30pm ET | 1:30pm CT | 11:30am PT – (new!)
• A Buyer’s Guide – What to Look For in Online Backup and Recovery Services – Thursday, 3/25/2010 – 2:30pm ET | 1:30pm CT | 11:30am PT – (new!)
• How The HITECH Act Raises the Ante on HIPAA Security Rule Compliance -  Tuesday, March 30, 2010 – 2:30pm ET | 1:30pm CT | 11:30am PT – (new!)

If there is a data protection topic you would like us to cover and do not see it listed, please contact us using the information below.

Attend one of our HIPAA-HITECH Data Protection Webinars… Register Today!