HIPAA HITECH Compliance Blog Archive

HIPAA Haggling with Business Associates Hospital CISO Describes Resistance on Omnibus Requirements by Marianne Kolbasuk McGee

HIPAA Haggling with Business Associates, Hospital CISO Describes Resistance on Omnibus Requirements, by Marianne Kolbasuk McGee, HealthcareInfoSecurity. Business associates are still in denial about meeting the new HIPAA requirements embodied in the Omnibus Rule.

 


Are You a Business Associate? Decision Tree

The question of whether an entity is a business associate under HIPAA HITECH has become a hot topic in healthcare. Here is an excellent decision tree for deciding, provided by WEDI: http://www.wedi.org/forms/uploadFiles/35FE7000000DC.filename.7.26_BA-Decision-Tree_V2.pdf


Tick, tock: less than 60 days to comply with HIPAA/HITECH updates Poyner Spruill LLP Tara N. Cho and Elizabeth H. Johnson

Tick, tock: less than 60 days to comply with HIPAA/HITECH updates, Poyner Spruill LLP, Tara N. Cho and Elizabeth H. Johnson


Are your HIPAA privacy policies up to date? Ogletree Deakins Stephanie Smithey

 Are your HIPAA privacy policies up to date?  Ogletree Deakins, Stephanie Smithey  "If you provide medical, dental, vision, wellness, employee assistance benefits, or if you sponsor a health reimbursement arrangement or a health flexible spending account plan, your HIPAA privacy compliance is likely out of date and should be reviewed immediately in light of the Omnibus Regulations."


"Sixty days to HIPAA - HITECH: eight action items to address now. 8: Establish Vendor Management Program"

"Sixty days to HIPAA - HITECH: eight action items to address now," Nelson Mullins Riley & Scarborough LLP, Barry D. Alexander, Jason I. Epstein, Cynthia Bankhead Hutto, Eli A. Poliakoff, David F. Katz and Alexis Slagle Gilroy. Action Item Number 8: Establish Vendor Management Program.


Are Compliant BAAs the Same as Compliant BAs?

"Two months until the Omnibus Final Rule deadline: are your business associate agreements compliant?" McGuireWoods LLP, Kimberly J. Kannensohn, Nathan A. Kottkamp and Holly Carnell. My question would be: are your business associates HIPAA HITECH compliant?


Business Associate (BA) HIPAA Breach gets Wellpoint $1.4 Million Fine

" Whether systems upgrades are conducted by covered entities or their business associates, HHS expects organizations to have in place reasonable and appropriate technical, administrative and physical safeguards to protect the confidentiality, integrity and availability of electronic protected health information – especially information that is accessible over the Internet."   OS OCR PrivacyList, OCR (HHS/OS)


Covered Entities Responsible Vicariously for HIPAA Violations by Their Business Associates

"It is important for covered entities to ensure that their business associate agreements are updated, and that business associates are adhering to the new requirements as the Final Rule makes clear that covered entities may be held liable vicariously for violations by business associates acting as agents."  Sherman & Howard LLC


Business Associate (BA) Causes 188,000 HIPAA Patient Data Breach

"Officials announced July 1 that the HIPAA breach, which resulted in clients receiving personal and private documents belonging to other clients, occurred after FSSA contractor RCR Technology Corporation made a computer programming error to a document management system the company supports for FSSA. This error caused documents being sent to clients to be duplicated and also inserted with documents sent to other client



HIPAA, business associates, and the cloud Baker & Hostetler LLP Kimberly M. Wong

" In order to monitor business associates, post Final Rule, health care industry trend demonstrates that covered entities are adding pre-contract risk/controls assessments, enhancing contractual safeguards and business associate agreements, and adding/enhancing post-contract audits.  With liability flowing downstream, covered entities and business associates must complete their due diligence before entering into contracts with vendors who may maintain PHI."


HIPAA HITECH: Know how your PHI is Handled

 “Under data privacy laws such as HIPAA/HITECH, a company is responsible for how data is handled in the hands of its business associates and vendors,” explain the authors. “An organization must know where all of its data is going and how it is being managed, particularly if it goes to a third party.”  2013 IT Security and Privacy Survey

Knowing How – and Where – Your Confidential Data Is Classified and Managed: A Survey on the Current State of IT Security and Privacy Policies and Practices.  http://www.protiviti.com/ITsecuritysurvey


HIPAA in the cloud: storing PHI may make you a business associate under HIPAA Winston & Strawn LLP Linda Lemel Hoseman and Liisa M. Thomas

 HIPAA in the cloud: storing PHI may make you a business associate under HIPAA, Winston & Strawn LLP Linda Lemel Hoseman and Liisa M. Thomas


Certified HIPAA Business Associate? Maybe

"Now that HHS and Amazon are working together, covered entities should find CSPs more receptive to entering into business associate agreements." Business associate agreements: more readily accepted by cloud service providers? Maybe. Baker & Hostetler LLP, Lynn Sessions and Michael R. Young


Think you’re not covered by HIPAA? Think again. Morrison & Foerster LLP, Andrew B. Serwin, Peter F. McLaughlin and Melissa M. Crespo

 "This means that the Security Rule, the Breach Notification Rule, and certain provisions of the Privacy Rule now apply directly to Business Associates, with the potential for enforcement by HHS directly against the Business Associate. As a result, Business Associates are now required to conduct a risk analysis to assess the nature and volume of electronic PHI ("ePHI") and the risks of unauthorized use or disclosure of PHI. They must implement administrative, technical, and physical safeguards appropriate to the risks and vulnerabilities identified in the risk analysis." 


Are Your Vendors Violating HIPAA?

Are Your Vendors Violating HIPAA? Why Internal HIPAA Compliance May Not Be Enough. Written by Holly Carnell, JD, and Meggan Bushee, JD, McGuireWoods | June 04, 2013. Becker's Hospital Review.

 

 


HIPAA Checklist From Healthcare Law Firm

 "Perform ongoing monitoring of compliance with HIPAA privacy and security policies and take corrective actions if you detect non-compliance or ineffective processes."  OCR Scrutiny Continues – Are You Ready For the September Deadline?


HIPAA Risk Analysis and Ongoing Risk Management Essential

   “[A] risk analysis, ongoing risk management, and routine information system reviews are the cornerstones of an effective HIPAA security compliance program.” HHS OCR Director Leon Rodriguez


BA Causes HIPAA Data Breach for Presbyterian Anesthesia Associates

 More details from Presbyterian Anesthesia Associates breach, Kyle Murphy, PhD   |   Date May 15, 2013

"As the Security Breach Reporting Form reveals, the breach occurred on a server used by E-Dreamz, Inc., the Charlotte-based company hired by Presbyterian Anesthesia Associates to operate and maintain its e-commerce service. The medical practice has subsequently switched to a new service provider in the wake of the incidence."


Fallout from failing to conduct a HIPAA risk analysis, Epstein Becker Green, Alaap B. Shah


"There are many reasons a healthcare entity dealing with protected health information (“PHI”) should conduct a risk analysis. First and foremost, if conducted properly, a risk analysis should identify PHI-containing systems, assess vulnerabilities of those systems, evaluate and prioritize risks to those systems, and assist in developing mitigation strategies to safeguard the systems. These on-going efforts can help ensure adequate protection of patients’ health information.
