HIPAA HITECH Compliance Blog Archive
In a recent survey, less than a month before the HIPAA HITECH Omnibus Rule goes into effect, a majority of business associates are unaware of the new requirements. Covered entities need to ask some questions, find out who is non-compliant, and ask them to remediate these risks. If they can't or won't, they need to sever the business relationship.
Tick, tick, tick … time is running out for HIPAA Omnibus Rule compliance Davis Wright Tremaine LLP Rebecca L. Williams, Adam H. Greene and Amy L. Kauppila
Business associates should consider:
- Performing a risk analysis and risk management evaluation;
- Developing security policies and procedures consistent with the Security Rule;
- Updating breach notification policies;
- Establishing processes for verifying the business associate’s compliance with its BAA obligations; and
- Developing an approach for negotiating BAAs (for both covered entities and subcontractors) including updating BAA templates.
The deadline for compliance with the HIPAA Omnibus Rule is September 23, 2013. Are you ready? Greenberg Traurig LLP Eleanor (Miki) A. Kolton
"Obtaining a seal is a “place in time” controls assessment. Material changes to the environment would trigger another audit, as a 3rd party cannot attest to effective controls if an entity changes them. To compensate, material changes need to coincide with audit review cycles, which may not align with business objectives." The Compliance Meter displays the current level of HIPAA compliance in four key areas: policies, procedures, and forms up to date, and HIPAA compliance tasks up to date.
HIPAA Haggling with Business Associates: Hospital CISO Describes Resistance on Omnibus Requirements, by Marianne Kolbasuk McGee, HealthcareInfoSecurity. Business associates are still in denial about meeting the new HIPAA requirements embodied in the Omnibus Rule.
The question of whether an entity is a business associate under HIPAA HITECH has become a hot topic in healthcare. Here is an excellent decision tree to decide, provided by WEDI: http://www.wedi.org/forms/uploadFiles/35FE7000000DC.filename.7.26_BA-Decision-Tree_V2.pdf
Tick, tock: less than 60 days to comply with HIPAA/HITECH updates Poyner Spruill LLP Tara N. Cho and Elizabeth H. Johnson
Are your HIPAA privacy policies up to date? Ogletree Deakins, Stephanie Smithey "If you provide medical, dental, vision, wellness, employee assistance benefits, or if you sponsor a health reimbursement arrangement or a health flexible spending account plan, your HIPAA privacy compliance is likely out of date and should be reviewed immediately in light of the Omnibus Regulations."
"Sixty days to HIPAA - HITECH: eight action items to address now," Nelson Mullins Riley & Scarborough LLP, Barry D. Alexander, Jason I. Epstein, Cynthia Bankhead Hutto, Eli A. Poliakoff, David F. Katz and Alexis Slagle Gilroy. Action Item Number 8: Establish Vendor Management Program.
"Two months until the Omnibus Final Rule deadline: are your business associate agreements compliant?" McGuireWoods LLP, Kimberly J. Kannensohn, Nathan A. Kottkamp and Holly Carnell. My question would be: are your business associates HIPAA HITECH compliant?
"Whether systems upgrades are conducted by covered entities or their business associates, HHS expects organizations to have in place reasonable and appropriate technical, administrative and physical safeguards to protect the confidentiality, integrity and availability of electronic protected health information – especially information that is accessible over the Internet." OS OCR PrivacyList, OCR (HHS/OS)
"It is important for covered entities to ensure that their business associate agreements are updated, and that business associates are adhering to the new requirements as the Final Rule makes clear that covered entities may be held liable vicariously for violations by business associates acting as agents." Sherman & Howard LLC
"In order to monitor business associates, post Final Rule, health care industry trend demonstrates that covered entities are adding pre-contract risk/controls assessments, enhancing contractual safeguards and business associate agreements, and adding/enhancing post-contract audits. With liability flowing downstream, covered entities and business associates must complete their due diligence before entering into contracts with vendors who may maintain PHI."
“Under data privacy laws such as HIPAA/HITECH, a company is responsible for how data is handled in the hands of its business associates and vendors,” explain the authors. “An organization must know where all of its data is going and how it is being managed, particularly if it goes to a third party.” 2013 IT Security and Privacy Survey
HIPAA in the cloud: storing PHI may make you a business associate under HIPAA Winston & Strawn LLP Linda Lemel Hoseman and Liisa M. Thomas
"Now that HHS and Amazon are working together, covered entities should find CSPs more receptive to entering into business associate agreements." Business associate agreements: more readily accepted by cloud service providers? Maybe. Baker & Hostetler LLP, Lynn Sessions and Michael R. Young
Think you’re not covered by HIPAA? Think again. Morrison & Foerster LLP Andrew B. Serwin , Peter F. McLaughlin and Melissa M. Crespo
"This means that the Security Rule, the Breach Notification Rule, and certain provisions of the Privacy Rule now apply directly to Business Associates, with the potential for enforcement by HHS directly against the Business Associate. As a result, Business Associates are now required to conduct a risk analysis to assess the nature and volume of electronic PHI ("ePHI") and the risks of unauthorized use or disclosure of PHI. They must implement administrative, technical, and physical safeguards appropriate to the risks and vulnerabilities identified in the risk analysis."