HIPAA Blog Posts: Health Information Privacy


The HIMSS Survey indicated that hospitals are going to take a more proactive role in managing their business associates.


HIPAA HITECH Breach Notification

“Breaches on average cost an organization $4.1 million or $197 per record breached.”
-- Source: Javelin Research, “Data Breach Defense 2009”, January 2009

Despite your best efforts, the chance of a breach is relatively high. So you should have a breach notification plan, which should include outsourcing to a company focused on that service.


Rebecca Herold Among Top 5 Privacy Writers on HIPAA HITECH

Top 5 Intriguing Risk Articles of 2009
by Karen Coburn, President & CEO, Cutter Consortium
This week, we're taking a look back at the five most intriguing articles published in Cutter's Enterprise Risk Management & Governance practice over this past year.


HIPAA HITECH Compliance and Blind Men

Seven different groups describing HIPAA HITECH is like seven blind men describing an elephant.



What are the responsibilities of a covered entity for their business associates' compliance? Differences of opinion abound.



Denial is the first stage for many small covered entities and business associates when confronted with the HITECH Act. Finding the first small steps towards compliance is important. Getting started is crucial.


Business Associate Agreements

Business Associate Agreements are not enough! Covered entities must have an active program for ensuring that their business associates are compliant.


Covered Entities Responsible for Business Associates


HITECH and Business Associates

By applying the same rules to business associates that formerly only applied to covered entities, HITECH has dramatically changed the playing field. First, a lot of business associates are unaware of these new requirements. I tried an experiment at a recent trade show by asking everyone I encountered what they knew about the HITECH Act and got a universal "blank stare" response. Secondly, many of the business associates do not have trained compliance, privacy, or security staff. And finally, because the covered entities have responsibility for their business associates, they need to demand a way of confirming that their business associates are in compliance on an ongoing basis.

All of this requires a rethinking of the compliance process. As experts at helping small healthcare entities attain and maintain accreditation, we see many similarities. The business associates need tools and trained experts to assist them in attaining and maintaining compliance, and then they need an ability to report this to their covered entities. Take a look at the demo at www.compliancehelper.com to see how this can be accomplished.


Stimulus Bill: Some Strings Attached

ARRA, or the Stimulus Bill, allocates $20 billion for expansion of the use of electronic medical records (EMR), but there are some new strings attached, namely the HITECH Act. This stands for the Health Information Technology for Economic and Clinical Health Act, which we will all gratefully call the HITECH Act. Essentially it raises the bar for protection of patient healthcare information (PHI), particularly for what are termed business associates.

Business associates are all the companies that do business with covered entities which possess PHI. Technically it is only those who might have access to PHI, but you can be sure that the covered entities will err on the side of caution because they are now responsible for their business associates. In the past all the covered entity needed was an agreement signed by the business associate essentially promising to "be careful". Now if there is a breach by the business associate, the covered entity is responsible also. A breach is any exposure of PHI to unauthorized entities.

"Willful Neglect", a somewhat ambiguous term that will make the covered entities even more paranoid, is included in the law. It means that being passive won't cut the mustard; the covered entity must have an active program to ensure that their business associates are in compliance with the new HIPAA HITECH Act.

Next we will discuss what compliance entails for both the covered entity and business associate.

Our privacy and security expert and partner Rebecca Herold (The Privacy Professor) has many erudite and scholarly articles, books, webinars, TV programs, blogs, and tweets on these subjects at www.privacyguidance.com/, but I will try to add the layman's voice to the subject in my blog.
