HIPAA HITECH Compliance Blog Archive

Majority of Business Associates Unfamiliar with HIPAA Omnibus Rules

In a recent survey, less than a month before the HIPAA HITECH Omnibus goes into effect, a majority of business associates are unaware of the new requirements. Covered entities need to ask some questions, find out who is non-compliant, and ask them to remediate these risks. If they can't or won't, they need to sever the business relationship.

Tick, tick, tick … time is running out for HIPAA Omnibus Rule compliance Davis Wright Tremaine LLP Rebecca L. Williams, Adam H. Greene and Amy L. Kauppila

 Business associates should consider:

  1. Performing a risk analysis and risk management evaluation;
  2. Developing security policies and procedures consistent with the Security Rule;
  3. Updating breach notification policies;
  4. Establishing processes for verifying the business associate’s compliance with its BAA obligations; and
  5. Developing an approach for negotiating BAAs (for both covered entities and subcontractors) including updating BAA templates. 

The deadline for compliance with the HIPAA Omnibus Rule is September 23, 2013. Are you ready? Greenberg Traurig LLP Eleanor (Miki) A. Kolton

"Implementation or review of an existing HIPAA Privacy Policy Manual, including policies and procedures and forms such as the NPPs and releases of health information form;
Preparation of a new or revised BAA form (which includes, but is not limited to, addressing downstream contractors);
Implementation or review of an existing HIPAA Security Policy Manual, including guidance for performing a risk assessment and model policies; and
Implementation of workforce training."

The HIPAA Seal vs The Compliance Meter(tm)

"Obtaining a seal is a “place in time” controls assessment. Material changes to the environment would trigger another audit, as a 3rd party cannot attest to effective controls if an entity changes them. To compensate, material changes need to coincide with audit review cycles, which may not align with business objectives." The Compliance Meter displays the current level of HIPAA compliance in four key areas: policies, procedures, and forms up to date, and HIPAA compliance tasks up to date.

HIPAA Haggling with Business Associates Hospital CISO Describes Resistance on Omnibus Requirements by Marianne Kolbasuk McGee

HIPAA Haggling with Business Associates, Hospital CISO Describes Resistance on Omnibus Requirements, by Marianne Kolbasuk McGee, HealthcareInfoSecurity. Business associates are still in denial about meeting the new HIPAA requirements embodied in the Omnibus Rule.

Are You a Business Associate? Decision Tree

 The question of whether an entity is a business associate under HIPAA HITECH has become a hot topic in healthcare.  Here is an excellent decision tree to decide, provided by WEDI:   http://www.wedi.org/forms/uploadFiles/35FE7000000DC.filename.7.26_BA-Decision-Tree_V2.pdf 

Tick, tock: less than 60 days to comply with HIPAA/HITECH updates Poyner Spruill LLP Tara N. Cho and Elizabeth H. Johnson

Are your HIPAA privacy policies up to date? Ogletree Deakins Stephanie Smithey

 Are your HIPAA privacy policies up to date?  Ogletree Deakins, Stephanie Smithey  "If you provide medical, dental, vision, wellness, employee assistance benefits, or if you sponsor a health reimbursement arrangement or a health flexible spending account plan, your HIPAA privacy compliance is likely out of date and should be reviewed immediately in light of the Omnibus Regulations."

"Sixty days to HIPAA - HITECH: eight action items to address now. 8, Establish Vendor Management Program"

"Sixty days to HIPAA - HITECH: eight action items to address now," Nelson Mullins Riley & Scarborough LLP, Barry D. Alexander, Jason I. Epstein, Cynthia Bankhead Hutto, Eli A. Poliakoff, David F. Katz and Alexis Slagle Gilroy. Action Item Number 8: Establish Vendor Management Program.

Are Compliant BAAs the Same as Compliant BAs?

"Two months until the Omnibus Final Rule deadline: are your business associate agreements compliant?" McGuireWoods LLP, Kimberly J. Kannensohn, Nathan A. Kottkamp and Holly Carnell. My question would be: are your business associates HIPAA HITECH compliant?

Business Associate (BA) HIPAA Breach gets Wellpoint $1.4 Million Fine

" Whether systems upgrades are conducted by covered entities or their business associates, HHS expects organizations to have in place reasonable and appropriate technical, administrative and physical safeguards to protect the confidentiality, integrity and availability of electronic protected health information – especially information that is accessible over the Internet."   OS OCR PrivacyList, OCR (HHS/OS)

Covered Entities Responsible Vicariously for HIPAA Violations by Their Business Associates

"It is important for covered entities to ensure that their business associate agreements are updated, and that business associates are adhering to the new requirements as the Final Rule makes clear that covered entities may be held liable vicariously for violations by business associates acting as agents."  Sherman & Howard LLC

Business Associate (BA) Causes 188,000 HIPAA Patient Data Breach

"Officials announced July 1 that the HIPAA breach, which resulted in clients receiving personal and private documents belonging to other clients, occurred after FSSA contractor RCR Technology Corporation made a computer programming error to a document management system the company supports for FSSA. This error caused documents being sent to clients to be duplicated and also inserted with documents sent to other client

HIPAA, business associates, and the cloud Baker & Hostetler LLP Kimberly M. Wong

" In order to monitor business associates, post Final Rule, health care industry trend demonstrates that covered entities are adding pre-contract risk/controls assessments, enhancing contractual safeguards and business associate agreements, and adding/enhancing post-contract audits.  With liability flowing downstream, covered entities and business associates must complete their due diligence before entering into contracts with vendors who may maintain PHI."

HIPAA HITECH: Know how your PHI is Handled

 “Under data privacy laws such as HIPAA/HITECH, a company is responsible for how data is handled in the hands of its business associates and vendors,” explain the authors. “An organization must know where all of its data is going and how it is being managed, particularly if it goes to a third party.”  2013 IT Security and Privacy Survey

Knowing How – and Where – Your Confidential Data Is Classified and Managed: A Survey on the Current State of IT Security and Privacy Policies and Practices.  http://www.protiviti.com/ITsecuritysurvey

HIPAA in the cloud: storing PHI may make you a business associate under HIPAA Winston & Strawn LLP Linda Lemel Hoseman and Liisa M. Thomas

Certified HIPAA Business Associate? Maybe

"Now that HHS and Amazon are working together, covered entities should find CSPs more receptive to entering into business associate agreements." Business associate agreements: more readily accepted by cloud service providers? Maybe. Baker & Hostetler LLP, Lynn Sessions and Michael R. Young

Think you’re not covered by HIPAA? Think again. Morrison & Foerster LLP Andrew B. Serwin , Peter F. McLaughlin and Melissa M. Crespo

 "This means that the Security Rule, the Breach Notification Rule, and certain provisions of the Privacy Rule now apply directly to Business Associates, with the potential for enforcement by HHS directly against the Business Associate. As a result, Business Associates are now required to conduct a risk analysis to assess the nature and volume of electronic PHI ("ePHI") and the risks of unauthorized use or disclosure of PHI. They must implement administrative, technical, and physical safeguards appropriate to the risks and vulnerabilities identified in the risk analysis." 

Are Your Vendors Violating HIPAA?

Are Your Vendors Violating HIPAA? Why Internal HIPAA Compliance May Not Be Enough. Written by Holly Carnell, JD, and Meggan Bushee, JD, McGuire Woods | June 04, 2013. Becker's Hospital Review.