HIPAA Blog Posts: HIPAA Covered Entity
Regulators are focusing more and more on how responsibly organizations engage third-party vendors. The Health Insurance Portability and Accountability Act (HIPAA) has requirements in place for engaging business associates. The Connecticut Department of Insurance has requirements for reporting breaches caused by vendors. And the Massachusetts Attorney General, through the Data Security Regulations, requires oversight of third-party service providers. This is no surprise, since many studies suggest that over a third of breaches are caused by vendors.
A California health system is notifying about 30,000 patients that their personal health information was accessible via search engines for about a year.
St. Joseph Health System in Orange, Calif., says the records for patients treated at five of its hospitals were stored on the organization's internal computer network with incorrect security settings that allowed for the potential for inappropriate access. The information was available to search engines from early 2011 until this month, when the glitch was discovered.
With the new class action suit against UCLA for a HIPAA HITECH data breach, it seems that the standard has been set at $1,000 per patient. Yet Another Class-Action Filed After Breaches of Patient Data.
Compliance Helper is pleased to announce a new service called BA Tracker(tm) that helps a CE track the current compliance level of all of its BAs and display it through the Compliance Meter(tm). This is a free service to the CE. If the BAs are not compliant, Compliance Helper can help them set up a comprehensive privacy and information security program, including customized policies, procedures, and forms. They are supported by a privacy and security expert we call a Helper.
Continuing the series of webinars presented by Compliance Helper and Rebecca Herold & Associates, June 22 is for Business Associates and June 29 is for Small Covered Entities. The emphasis is on how cloud computing can enhance compliance by delivering the equivalent of on-site consulting for a fraction of the cost.
If you do a risk assessment and do not remediate the risks identified, you have achieved a state of willful neglect, which subjects you to the highest penalties under the HITECH Act.
A 60 Minutes story about PHI left on a leased copier revealed a breach by Affinity Health Plan in New York. Here is their report on the aftermath. http://www.hcca-info.org/regional/2011/NYC/Cullencolor.pdf
A HIPAA HITECH breach caused by an office burglary resulted in a letter from OCR demanding a large amount of information in a very short time frame. We will show you actual quotes from the letter that are as scary as an IRS audit letter.
How should a Covered Entity manage its Business Associates? HIPAA requires "satisfactory assurances" that business associates are compliant (§ 164.308). Under NIST guidelines for HIPAA Security Rule compliance, Covered Entities "May consider asking the business associate to conduct a risk assessment that addresses administrative, technical, and physical risks, if reasonable and appropriate." (NIST SP 800-66, Rev. 1, p. 48)
A free webinar on May 11 at 8:00 am PDT will demonstrate a unique method that is "reasonable and appropriate". https://www1.gotomeeting.com/register/226455856