Our November  2010 HIPAA-HITECH eNewsletter has been published.

We continue to feature HIPAA Security Rule and HITECH Act data security updates, including the link to the US Department of Health and Human Services’ “Wall of Shame” – its Data Breach Notification web page.

Attend our Upcoming Complimentary Live Webinars on:

• Are Your Business Associate Agreements HITECH Ready?
• How To Conduct a HIPAA Security Risk Analysis
• How to Revitalize Your HIPAA-HITECH Compliance Program 

Please enjoy our analysis and links to industry articles and white papers that we’ve researched and assembled for you. I’m confident you’ll find a nugget or two among them!

We would love to hear your thoughts. Please comment below!

A friend recently told me that the Health and Human Services Data Breach Notification web site has moved and has been improved.  I've been so darn busy, I missed it and for some reason Kathleen Sebilius didn't give me a ring to let me know — what's up with that!?  In the past, I had dubbed it the 'Wall of Shame".

Here's what's new:

1. The new location is: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
2. The web site is dynamic and fun!  One can download the contents in CSV or XML format.  One can sort and filter on all the fields.
3. The obscure protection that doctors once enjoyed by being listed as "Private Practice" is now gone — lots of doctors names now appear.

Take a gander!  As of this writing, 166 Covered Entities have breached the Protected Health Information (PHI) of ~4.9 million fellow Americans — according to wikipedia, based on 2000 census data, that's the equivalent of breaching the PHI of the combined populations of Chicago and Houston!  Way to go CEs.  And, don't forget the "fox in the hen house" phenom given the current "harm threshold" in the current interim rule.

If you're trying to figure out where you stand on your HIPAA HITECH regulatory compliance journey or need help getting there, please keep us in mind.

Enjoy!

Our October 2010 HIPAA eNewsletter has been published.

We continue to feature HIPAA Security Rule and HITECH Act data security updates, including the link to the US Department of Health and Human Services’ “Wall of Shame” — its Data Breach Notification web page.

Attend our Upcoming Live Webinar on ”How to Conduct a HIPAA Security Risk Analysis“. Register today!

Please enjoy our analysis and  links to industry articles and white papers that we’ve researched and assembled for you. I’m confident you’ll find a nugget or two among them!

We would love to hear your thoughts. Please comment below!

Implementation specifications are indicated as required or addressable.  As organizations work towards HIPAA-HITECH compliance, it is important to understand the difference.

A covered entity or business associate must comply with a required implementation specification must.  For example, all covered entities and business associates including small providers must conduct a “Risk Analysis” in accordance with Section 164.308(a)(1) of the Security Rule.

For addressable implementation specifications, covered entities must perform an assessment to determine whether the specification is a reasonable and appropriate safeguard in the covered entity’s environment. After performing the assessment, an organization decides if it will:

• Implement the addressable implementation specification as stated;
• Implement an equivalent alternative measure that allows the entity to comply with the standard; or,
• Not implement the addressable specification or any alternative measures, if equivalent measures are not reasonable and appropriate within its environment.

Covered entities and business associates are required to document these assessments and all decisions. For example, all covered entities including small providers must determine whether “Encryption and Decryption” is reasonable and appropriate for their environment in accordance with Section 164.312(a)(1) of the Security Rule.

Factors that determine what is “reasonable” and “appropriate” include cost, size, technical infrastructure and resources. While cost is one factor entities must consider in determining whether to implement a particular security measure, some appropriate measure must be implemented.

An addressable implementation specification is not optional, and the potential cost of implementing a particular security measure does not free covered entities from meeting the requirements identified in the rule.

Our advice…

• Don’t waste time debating about ‘addressable’ versus ‘required’.
• Just do it! – the vast majority of the standards specifications make good business sense.
• HIPAA Security Standards set a “floor” or “baseline” for security
• Don’t make the mistake of thinking ‘addressable’ means ‘optional’; it does not!
• Check out our HIPAA-HITECH compliance software to jump-start your program

Our August 2010 Data Protection eNewsletter has been published.

1. …Issued Final Guidance on Risk Analysis on July 8, 2010
2. …issued a Notice of Public Rulemaking on July 14, 2010, “ Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act” 
3. …withdrew the breach notification final rule it had submitted on May 14, 2010 from OMB review citing it as a “complex issue”

We continue to feature HIPAA Security Rule and HITECH Act data security updates, including the link to the US Department of Health and Human Services’ “Wall of Shame” — its Data Breach Notification web page.

Please enjoy these links to industry articles and white papers that we’ve researched and assembled for you. I’m confident you’ll find a nugget or two among them!

We would love to hear your thoughts. Please comment below!

More importantly, I hope the NPRM has some effect on the business leaders and managers of organizations (Covered Entities, Business Associates and, newly proposed, Business Associate “subcontractors”) that ought to be doing something about privacy and security!

This NPRM is a good one! “Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act”.

Some pundits are proclaiming they’ve studied the 234-page NPRM! No doubt, that will impress you about the blogger’s reading skills and chronic insomnia. I did read the official 58-page version published in the Federal Register, so there!

In announcing the NPRM, HHS Secretary Kathleen Sebelius said, “To improve the health of individuals and communities, health information must be available to those making critical decisions, including individuals and their caregivers. While health information technology will help America move its health care system forward, the privacy and security of personal health data is at the core of all our work.”

There’s much to discuss, but my comments in this post focus on HIPAA Security and Business Associates. The HIPAA Security Rule is where the greatest amount of neglect, ignorance and non-compliance exists and from which the continued inexplicable and most egregious data breaches emanate. (As of this writing, since HHS started posting “data breachers” in February 2010 on the HHS data breach “wall of shame”, Covered Entities and their Business Associates have impermissibly disclosed the Protected Health Information of ~3.5 million fellow Americans – equivalent, almost, to the entire population of Los Angeles!)

1. Let’s stick with data and facts for those seeking real information, not opinions:
   The official HHS Press Release on this NPRM: http://www.hhs.gov/news/press/2010pres/07/20100708c.html
2. The official NPRM was issued on July 14, 2010: http://hipaasecurityassessment.com/wp-content/uploads/2010/07/Modifications-to-the-HIPAA-Privacy-Security-and-Enforcement-Rules-under-HITECH.pdf
   A Notice of Public Rule Making is not the final regulation. It is a notice and an invitation for public comment.
3. Public comments are due in roughly 60-days; therefore, September 13, 2010.
4. Comments received will be considered and possibly incorporated into the Final Rule over a time period that could extend through the end of the year, December 2010.
5. While it’s important to get started (I’m a strong advocate), as stated in the NPRM, there is some time: “In addition, we recognize that covered entities and business associates will need some time beyond the effective date of the final rule to come into compliance with the final rule’s provisions. In light of these considerations, we intend to provide covered entities and business associates with 180 days beyond the effective date of the final rule to come into compliance with most of the rule’s provisions.”
6. Fundamentally, the standards and the specifications in the HIPAA Security Final Rule stand as written – there are no sweeping, dramatic changes that make compliance any more or less difficult. Compliance is still a (large, non-trivial) business risk management project (not an IT project) and is still a journey, not a destination.
7. As it relates to the Security Rule and as we knew from the HITECH Act statutes, the single biggest changes for Security Rule compliance come in the form of a much, much larger net that is cast to now include not only Business Associates but also Business Associates Subcontractors. “Therefore, consistent with Congress’ intent in sections 13401 and 13404 of the Act, as well as its overall concern that the HIPAA Rules extent beyond covered entities to those entities that create or receive protected health information, we propose that downstream entities that work at the direction of or on behalf of a business associate and handle protected health information would also be required to comply with the applicable Privacy and Security Rule provisions in the same manner as the primary business associate, and likewise would incur liability for acts of noncompliance.”

What Actions You Should Take Now:

1. Familiarize yourself with the proposed changes; discuss with your attorney and/or HIPAA Consultant
2. Don’t set your hair on fire yet!
3. If you’ve not already done so, start your HIPAA Security Compliance work by completing an honest self-assessment of where you stand (we may be able to assist you).
4. Sink your teeth into this Business Associate and subcontractor matter, whether you are a Covered Entity, Business Associate or Business Associate subcontractor. I predict that all parties in the “chain of trust” or “chain of custody” will be statutorily obligated to comply with the law AND be subject to the new Civil Monetary Penalty system:
   1. Document your “ePHI data life cycle” for all ePHI that you create, receive, maintain or transmit to understand your “chain of custody”
   2. Complete an exhaustive inventory of your upstream and downstream “chain of custody” relationships
   3. Hold a Business Associate conference or webinar or workshop to take a more active role to ensure your Business Associates become compliant with the Privacy and Security requirements
   4. Update your standard Business Associate Agreement to reflect the requirements of the HITECH Act
   5. Start re-executing or executing Business Associate Agreements to get this critical area under control

If we may be of any assistance, please do not hesitate to call or write.

Our July 2010 Data Protection eNewsletter has been published.

We continue to feature HIPAA Security Rule and HITECH Act data security updates, including the link to the US Department of Health and Human Services’ “Wall of Shame” — its Data Breach Notification web page.

Please enjoy these links to industry articles and white papers that we’ve researched and assembled for you. I’m confident you’ll find a nugget or two among them!

We would love to hear your thoughts. Please comment below!

Our colleagues at HIPAASurvivalGuide.com recently published their June 2010 “HITECH / HIPAA Newsletter June 2010″ centered around Business Associate Agreements.  In fact, they have developed a terrific tool/product aimed at helping Covered Entities and Business Associates reshape these now more-critical-than-ever agreements.

You may wish to check out “Business Associate Agreement – A HITECH Ready Model Contract” to get a jump on this important element of compliance.

We would love to hear your thoughts.  Please comment below!

Our June 2010 Data Protection eNewsletter has been published.

Also, we continue to feature HIPAA Security Rule and HITECH Act data security updates, including the link to the US Department of Health and Human Services’ “Wall of Shame” — its Data Breach Notification web page.

Please enjoy these links to industry articles and white papers that we’ve researched and assembled for you.  I’m confident you’ll find a nugget or two among them!

We would love to hear your thoughts.  Please comment below!

Our February 2010 Data Protection eNewsletter has been published.

Our Focus is the HIPAA Security Rule and The HITECH Act …since big changes take effect this month amidst a perfect storm that’s brewing in healthcare in general and in the provider world, in particular, becuase:

• There’s a near-frantic EMR adoption pace
• The Federal Government’s redoubled efforts to rigorously enforce the HIPAA Security Rule
• There are new Federal and state level enforcement and penalty “teeth” delivered via The HITECH Act
• There are general and growing national concerns over the protection of personal information\
• There’s a huge gap in appropriate skills to get the EMR/EHR implementation job done well
• The lack of skills in and understanding of information security and data protection is scary
• The above are all combined with historical behavior of ignoring the HIPAA Security Final… as if, with national healthcare reform, there weren’t enough clouds on the horizon!
• The “black hats” continue to out-maneuver the “white hats” – viruses, worms, attacks, etc.

Link to our February 2010 eNewsletter to learn more … data protection and security updates, alerts and tips of importance to everyone striving to protect their valuable business, client and patient data. Please enjoy these links to industry articles and white papers that we’ve researched and assembled for you. I’m confident you’ll find a nugget or two among them!

We would love to hear your thoughts. Please comment below!
Benefit from our expertise… DOWNLOAD FREE WHITE PAPER: “Buyer’s Guide to Online Data Backup and Recovery Services” Attend our Complimentary Webinars on data protection, online data backup and recovery and data security. Register today!