HIPAA HITECH Compliance Blog Archive
"Perform ongoing monitoring of compliance with HIPAA privacy and security policies and take corrective actions if you detect non-compliance or ineffective processes." OCR Scrutiny Continues – Are You Ready For the September Deadline?
“[A] risk analysis, ongoing risk management, and routine information system reviews are the cornerstones of an effective HIPAA security compliance program.” HHS OCR Director Leon Rodriguez
More details from Presbyterian Anesthesia Associates breach, Kyle Murphy, PhD | Date May 15, 2013
"As the Security Breach Reporting Form reveals, the breach occurred on a server used by E-Dreamz, Inc., the Charlotte-based company hired by Presbyterian Anesthesia Associates to operate and maintain its e-commerce service. The medical practice has subsequently switched to a new service provider in the wake of the incident."
Fallout from failing to conduct a HIPAA risk analysis, Epstein Becker Green, Alaap B. Shah
"There are many reasons a healthcare entity dealing with protected health information (“PHI”) should conduct a risk analysis. First and foremost, if conducted properly, a risk analysis should identify PHI-containing systems, assess vulnerabilities of those systems, evaluate and prioritize risks to those systems, and assist in developing mitigation strategies to safeguard the systems. These on-going efforts can help ensure adequate protection of patients’ health information."
What your business needs to do about HIPAA—now, Venable LLP, Thora A. Johnson, Peter P. Parvis, Jennifer Spiegel Berman, Molly E. G. Ferraioli and Jessica E. Kuester
“Providers should identify all of their vendors with access to personal health records and ensure they are protecting it according to the new HIPAA rule.” Jorge Rey, an associate principal and the director of information security and compliance for Kaufman, Rossin
Business Associate agreements must contain provisions for compliance with the Security Rule, and probably the Privacy Rule as well, and they must require that the business associate have BAAs with its subcontractors, says Drinker Biddle & Reath LLP in an article titled "Business associate provisions under HIPAA Omnibus Rule."
New HIPAA rule will bring more enforcement action, expert says, Diana Manos, Senior Editor for Healthcare IT News: “Providers should identify all of their vendors with access to personal health records and ensure they are protecting it according to the new HIPAA rule.” Jorge Rey, an associate principal and the director of information security and compliance for Kaufman, Rossin
Plan sponsors should note that the Omnibus Rule expands the definition of business associate and those parties subject to HIPAA’s Privacy and Security Rules and applies HIPAA’s civil and criminal penalties directly to business associates. Under the Omnibus Rule, business associates, including subcontractors of business associates, are directly liable for compliance with the Privacy and Security Rules if they create, receive, maintain or transmit PHI on behalf of the company or the plan. Such business associates for group health plans may include: brokers; consultants; attorneys; third-party administrators; and health information organizations, e-prescribing gateways and other entities that transmit or access PHI.
"Of greatest significance to Business Associates is the requirement to implement administrative, physical, and technical safeguards to comply with the HIPAA Security Regulations as if they were Covered Entities." Business associate HIPAA compliance, Lathrop & Gage LLP, Stacy N. Harper
Covered entities need "satisfactory assurances" that their business associates are HIPAA HITECH compliant, and business associates need to be able to provide proof of on-going compliance. BA Tracker helps both.
HIPAA allows the Business Associate to take into account their size and complexity when deciding how to comply with the Security Rule.
"For instance, in deciding which security measures to implement, a BA may take into consideration its size, capabilities, the costs of the specific security measures, and the operational impact. BAs should note that as part of their compliance with the administrative safeguards, BAs must perform their own risk analyses, establish a risk management program, and designate a security officer, as well as have in place written policies and procedures, conduct employee training, and document compliance with the requirements." "Changes affecting who is a business associate and new business associate obligations," Polsinelli Shughart PC, Thomas P. O'Donnell, Erin Fleming Dunlap, Rebecca L. Frigy and Matthew J. Murer
The owners of a medical billing practice (a business associate) and four pathology groups (covered entities whose patient information was all improperly disposed of) will collectively pay $140,000 to settle the claims. The settlement agreement requires each pathology group to vet all business associates, ensuring they have a written information security plan and that the practices described are sufficient to comply with the groups’ obligations to protect personal information and PHI. The groups must also execute business associate agreements before disclosing any PI or PHI to service providers.
HIPAA Business Associates: Waiting Is No Longer An Option, Vorys Sater Seymour and Pease LLP, J. Liam Gruzs
HIPAA business associates who have not been paying attention since HITECH need to take notice. The timeframe for compliance is less than nine months. For those business associates who had been hoping for relief in the Final Rule (or simply have had their head in the sand for four years), waiting is no longer an option. HIPAA final rule clarifies business associate obligations, Vorys Sater Seymour and Pease LLP, J. Liam Gruzs, January 28, 2013
"Potential liability concerns and fear of being held responsible for a subcontractor’s mistakes in a breach will be enough to change the BAA decision-making process for healthcare organizations", according to Dianne Bourque, partner at Mintz Levin and HIPAA expert.
Small Firms, Big HIPAA Troubles? Business Associates Need to Get Serious About Security, By Marianne Kolbasuk McGee, January 29, 2013. This is a very forthright and timely call to action for not only business associates, but also their covered entities. Fortunately there are cost-effective and efficient solutions for both. With the SaaS model, templates of needed policies, procedures, and forms can be accessed and edited in a step-by-step process overseen by a privacy and security expert. The compliance activities are then measured and delivered through the Compliance Meter(tm), allowing the covered entity to monitor the on-going compliance of its business associates.
Here is the link to the article:
Almost 4 years after the passage of the HITECH Act amending and broadening HIPAA, we finally have The Final Rule. It goes into effect on March 25, and all business associates and their subcontractors must be HIPAA HITECH compliant by September 25, 2013. HHS estimates 200,000 to 400,000 business associates must get compliant in this timeframe. It should be interesting.
HIPAA business associate Omnicell causes data breach of over 68,000 patient records. The recurring theme of the theft of an unencrypted laptop from an employee's car demonstrates the lack of HIPAA compliance at many business associates. Covered entities are being warned that they must monitor the HIPAA compliance levels of their business associates.
The Supremes have spoken, the voters have spoken, and soon HHS and OMB will speak. The message is that Obamacare, HIPAA HITECH, Meaningful Use, and the Omnibus Bill are here to stay and that business associates and subcontractors will have to get HIPAA compliant in 2013.