HIPAA HITECH Compliance Blog Archive

HIPAA Omnibus Rule and Business Associates

First there was HIPAA, then HITECH, and now Omnibus; what is a business associate supposed to do? Since 60% of business associates surveyed had never heard of the Omnibus Rule, getting educated is critical.


HIPAA Compliance is an On-going Process

The reasons an organization can't be "Certified HIPAA Compliant" are twofold: HHS has given no one the authority to certify, and HIPAA compliance is an on-going, evolving process. A recent article from Scott & Scott LLP entitled "The challenges of compliance" encapsulates this nicely.


Violate HIPAA: Go To Jail

An employee of a covered entity was sentenced to 37 months in jail for violating HIPAA regulations. In this case it was fraud, since the employee was selling the patient records, but in another famous case at UCLA it was caused by an employee "peeking" at a famous patient's records.


Pay Back MU Money?

OIG has stated that if a CE failed to perform even one measure of Meaningful Use, they would have to return the stimulus funds and might be audited to determine if there was fraud. A Florida firm just had to pay back $31 million for falsely attesting to compliance.


An ounce of HIPAA Prevention can save a pound of compliance costs

AvMed paid a $3 million class action settlement, which is on top of any HIPAA penalties and costs. "Penny wise, pound foolish" is an adage that applies to HIPAA compliance. Spend thousands to save millions.


What Next with HIPAA Omnibus? David Finn of Symantec on Top Compliance Challenges

"It's going to be imperative that covered entities monitor and know what the business associates are doing, but they're not going to realistically be able to do that themselves."


HIPAA Business Associate Compliance in 8 Days

Getting business associates HIPAA compliant in as little as 8 days requires technology, methodology and sound advice. Our partner, Rebecca Herold, CISSP, CIPP/US, CIPP/IT, CISM, CISA, FLMI, www.theprivacyprofessor.com, was rated the number 3 privacy and security consultant in the world by Computerworld.


HIPAA Compliance and Disruptive Innovation

Disruptive innovation can provide low-cost and efficient methods for HIPAA, HITECH and Omnibus Rule compliance. The old model involved sending a consultant to the client with a policy and procedure manual under their arm, but with the SaaS or cloud model we can send the consultant and the content over the Internet with interactive software.


HIPAA Compliance Software for Business Associates

HIPAA compliance software for business associates is different from HIPAA compliance software for covered entities. The difference is the need for on-going proof of compliance to satisfy their covered entities.


HIPAA Omnibus: Educating Vendors. A CISO Describes Challenges with Smaller Business Associates

"So the education to help them understand their [new HIPAA] obligations, and to work with them to identify the bigger risk areas, and to create a corrective action plan or a remediation schedule - that's going to be an ongoing conversation for us. That is something that will never go away," says Jeff Cobb, CISO at Capella Healthcare. The Tennessee-based health system, which operates 14 acute care and specialty hospitals in six states, deals with many smaller business associates that lack a mature security program.


Are Your BAs HIPAA Compliant? "Think before you share, part III: is my data secure?" by Peter I. (Pete) Sanborn, Foley & Lardner LLP

"The general principle is to ensure the breadth and depth of the vendor's security obligations are aligned with the sensitivity of the data. Additionally, the agreement should specify the vendor's obligations in the event of a breach (both in terms of reporting/investigating the breach and in terms of paying for the downstream costs/expenses associated with notifying the impacted individuals), and your rights during the agreement to audit the vendor's compliance with the security requirements."


Time's up! Compliance deadline for HIPAA/HITECH final rules has arrived, by Nicholas C. Harbist, Jennifer J. Daniels and Angela M. Guarino, Blank Rome LLP

"Relationship Review: Have you reviewed your relationship with vendors to ensure compliance with the Final Rules?"


Am I a Business Associate under HIPAA HITECH?

Whether it is confusion or denial, there are a lot of organizations that don't seem to understand that they are business associates and are therefore required to comply with HIPAA. The HITECH Act was passed in 2009 and amended HIPAA to include business associates, yet in 2013 we still get calls from people wanting to know if they are a business associate. Partially this is due to the fact that in 2010 HHS announced that they were delaying enforcement until the rules were published.


HIPAA Audits of Business Associates: October 1, 2013?

October 1, 2013 will be the beginning date for HIPAA audits of business associates. This is the beginning of the 2014 fiscal year for HHS, and they will start setting up unannounced audits of business associates, says Rachel Seeger, a spokesperson for the Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA.


Covered Entities Liable for Their Business Associates under HIPAA Omnibus Rule

In the past, a covered entity was not liable for breaches caused by its business associates if it had a BA agreement in place and did not know of a pattern of non-compliance. That has changed under the Omnibus Rule if the business associate is deemed an agent of the covered entity.


Compliance Checklist HIPAA HITECH Omnibus Rule

Ignorance of the HIPAA HITECH Omnibus Rule is rampant and can cause a lot of pain. We have developed a 10-question checklist to let you evaluate whether you are compliant.


Majority of Business Associates Unfamiliar with HIPAA Omnibus Rules

In a recent survey, less than a month before the HIPAA HITECH Omnibus Rule goes into effect, a majority of business associates are unaware of the new requirements. Covered entities need to ask some questions, find out who is non-compliant, and ask them to remediate these risks. If they can't or won't, they need to sever the business relationship.


Tick, tick, tick … time is running out for HIPAA Omnibus Rule compliance, by Rebecca L. Williams, Adam H. Greene and Amy L. Kauppila, Davis Wright Tremaine LLP

Business associates should consider:

  1. Performing a risk analysis and risk management evaluation;
  2. Developing security policies and procedures consistent with the Security Rule;
  3. Updating breach notification policies;
  4. Establishing processes for verifying the business associate’s compliance with its BAA obligations; and
  5. Developing an approach for negotiating BAAs (for both covered entities and subcontractors) including updating BAA templates.


The deadline for compliance with the HIPAA Omnibus Rule is September 23, 2013. Are you ready? by Eleanor (Miki) A. Kolton, Greenberg Traurig LLP

"Implementation or review of an existing HIPAA Privacy Policy Manual, including policies and procedures and forms such as the NPPs and releases of health information form;

  1. Preparation of a new or revised BAA form (which includes, but is not limited to, addressing downstream contractors);
  2. Implementation or review of an existing HIPAA Security Policy Manual, including guidance for performing a risk assessment and model policies; and
  3. Implementation of workforce training."


The HIPAA Seal vs The Compliance Meter(tm)

"Obtaining a seal is a 'place in time' controls assessment. Material changes to the environment would trigger another audit, as a 3rd party cannot attest to effective controls if an entity changes them. To compensate, material changes need to coincide with audit review cycles, which may not align with business objectives." The Compliance Meter displays the current level of HIPAA compliance in four key areas: policies, procedures, and forms up to date, and HIPAA compliance tasks up to date.
