HIPAA HITECH Compliance Blog Archive
HIPAA Haggling with Business Associates: Hospital CISO Describes Resistance on Omnibus Requirements, by Marianne Kolbasuk McGee, HealthcareInfoSecurity. Business Associates still in denial about meeting the new HIPAA requirements embodied in the Omnibus Rule.
The question of whether an entity is a business associate under HIPAA HITECH has become a hot topic in healthcare. Here is an excellent decision tree to decide, provided by WEDI: http://www.wedi.org/forms/uploadFiles/35FE7000000DC.filename.7.26_BA-Decision-Tree_V2.pdf
Tick, tock: less than 60 days to comply with HIPAA/HITECH updates, Poyner Spruill LLP, Tara N. Cho and Elizabeth H. Johnson
Are your HIPAA privacy policies up to date? Ogletree Deakins, Stephanie Smithey "If you provide medical, dental, vision, wellness, employee assistance benefits, or if you sponsor a health reimbursement arrangement or a health flexible spending account plan, your HIPAA privacy compliance is likely out of date and should be reviewed immediately in light of the Omnibus Regulations."
"Sixty days to HIPAA - HITECH: eight action items to address now," Nelson Mullins Riley & Scarborough LLP, Barry D. Alexander, Jason I. Epstein, Cynthia Bankhead Hutto, Eli A. Poliakoff, David F. Katz and Alexis Slagle Gilroy. Action Item Number 8: Establish Vendor Management Program.
"Two months until the Omnibus Final Rule deadline: are your business associate agreements compliant?" McGuireWoods LLP, Kimberly J. Kannensohn, Nathan A. Kottkamp and Holly Carnell. My question would be: are your business associates HIPAA HITECH compliant?
"Whether systems upgrades are conducted by covered entities or their business associates, HHS expects organizations to have in place reasonable and appropriate technical, administrative and physical safeguards to protect the confidentiality, integrity and availability of electronic protected health information – especially information that is accessible over the Internet." OS OCR PrivacyList, OCR (HHS/OS)
"It is important for covered entities to ensure that their business associate agreements are updated, and that business associates are adhering to the new requirements as the Final Rule makes clear that covered entities may be held liable vicariously for violations by business associates acting as agents." Sherman & Howard LLC
"In order to monitor business associates, post Final Rule, health care industry trend demonstrates that covered entities are adding pre-contract risk/controls assessments, enhancing contractual safeguards and business associate agreements, and adding/enhancing post-contract audits. With liability flowing downstream, covered entities and business associates must complete their due diligence before entering into contracts with vendors who may maintain PHI."
“Under data privacy laws such as HIPAA/HITECH, a company is responsible for how data is handled in the hands of its business associates and vendors,” explain the authors. “An organization must know where all of its data is going and how it is being managed, particularly if it goes to a third party.” 2013 IT Security and Privacy Survey
HIPAA in the cloud: storing PHI may make you a business associate under HIPAA, Winston & Strawn LLP, Linda Lemel Hoseman and Liisa M. Thomas
"Now that HHS and Amazon are working together, covered entities should find CSPs more receptive to entering into business associate agreements." Business associate agreements: more readily accepted by cloud service providers? Maybe. Baker & Hostetler LLP, Lynn Sessions and Michael R. Young
Think you're not covered by HIPAA? Think again. Morrison & Foerster LLP, Andrew B. Serwin, Peter F. McLaughlin and Melissa M. Crespo
"This means that the Security Rule, the Breach Notification Rule, and certain provisions of the Privacy Rule now apply directly to Business Associates, with the potential for enforcement by HHS directly against the Business Associate. As a result, Business Associates are now required to conduct a risk analysis to assess the nature and volume of electronic PHI ("ePHI") and the risks of unauthorized use or disclosure of PHI. They must implement administrative, technical, and physical safeguards appropriate to the risks and vulnerabilities identified in the risk analysis."
Are Your Vendors Violating HIPAA? Why Internal HIPAA Compliance May Not Be Enough Written by Holly Carnell, JD, and Meggan Bushee, JD, McGuire Woods | June 04, 2013. Beckers Hospital Review.
"Perform ongoing monitoring of compliance with HIPAA privacy and security policies and take corrective actions if you detect non-compliance or ineffective processes." OCR Scrutiny Continues – Are You Ready For the September Deadline?
“[A] risk analysis, ongoing risk management, and routine information system reviews are the cornerstones of an effective HIPAA security compliance program.” HHS OCR Director Leon Rodriguez
More details from Presbyterian Anesthesia Associates breach, Kyle Murphy, PhD, May 15, 2013
"As the Security Breach Reporting Form reveals, the breach occurred on a server used by E-Dreamz, Inc., the Charlotte-based company hired by Presbyterian Anesthesia Associates to operate and maintain its e-commerce service. The medical practice has subsequently switched to a new service provider in the wake of the incidence."
Fallout from failing to conduct a HIPAA risk analysis, Epstein Becker Green, Alaap B. Shah
"There are many reasons a healthcare entity dealing with protected health information (“PHI”) should conduct a risk analysis. First and foremost, if conducted properly, a risk analysis should identify PHI-containing systems, assess vulnerabilities of those systems, evaluate and prioritize risks to those systems, and assist in developing mitigation strategies to safeguard the systems. These on-going efforts can help ensure adequate protection of patients’ health information.