This page contains an archive of The Digital Business Law Group's monthly HITECH / HIPAA Compliance Newsletters. Each month's issue will contain a "Quick Link" to this page so that readers can easily find content they may want to reference. This also allows new subscribers to go back and get caught up on topics previously covered. The current issue of the newsletter is not available here until after the month in which it was issued. To get the current version you can subscribe to our FREE HITECH / HIPAA Compliance Newsletter here. If you are interested in a FREE EHR Software Checklist, click here.
Need a HITECH Business Associate Contract? Check out the HSG Store.
This month's featured article is entitled: Impact of the HIPAA Omnibus Rule: Reading the Tea Leaves?
We have written about the Omnibus Rule ("Rule") on numerous occasions, most recently here and here. However, this month's article will focus less on the specific contents of the Rule and more on the impact it is likely to have on the healthcare industry going forward. The implementation date of the final rule (i.e. September 23, 2013) is fast approaching, and yet many within the healthcare industry remain befuddled as to what this implementation date portends.
The featured article this month is entitled: Big Data is the New Oil: Can the healthcare industry leverage it?
Big Data is the latest buzzword sweeping the healthcare industry and, like so many others that have recently preceded it (e.g. EHRs, social media, mobile, telemedicine, cloud computing, etc.), promises to be "transformative."
The featured article this month is entitled: HIPAA Cloud Storage: Why Microsoft's Office 365 Announcement is a Big Deal?
The reluctance of "big name" cloud storage vendors (e.g. Amazon, Google, and almost every other market participant that we are aware of) to enter into a Business Associate Agreement ("BAA") with a covered entity ("CE") or a business associate ("BA") certainly has put a damper on the healthcare industry's move to the public cloud. Any PHI stored on any vendor's cloud offering requires a BAA. Without one, the CE or BA would be in "gross violation" of the HIPAA Rules and risk exposure to a significant fine.
The featured article this month is entitled: HITECH/HIPAA: HHS Omnibus Rule Review.
We have argued that the HHS Omnibus Rule ("the Rule") is neither a "Tweak" nor a "Sweeping Reform." There is far too much substantive law included in the Rule for it to be characterized as the former. It also cannot be characterized as the latter. However, the HITECH Act WAS sweeping and, for the most part, the Rule is simply HITECH-izing the Privacy Rule, the Security Rule, the Breach Notification Rule, and the Enforcement Rule.
The featured article this month is entitled: HITECH/HIPAA: Protecting Mobile Devices & Supporting BYOD.
The next few years are going to continue to be full of headlines in healthcare journals on the explosion of Mobile Device usage among clinical professionals and the role that these devices continue to play in major PHI data breaches.
The featured article this month is entitled: HITECH/HIPAA: The Rise of the Engaged Patient.
Patients have always had the right to access their PHI (post HIPAA); we wrote about the Privacy Rule sections that provide for this access in our Patient's Bill of Rights post. The HITECH Act expands this access under Section 13405, now allowing for treatment, payment and operations (TPO) usages to be disclosed for the past three years as well (i.e. provided that an EHR is in use).
The featured article this month is entitled: HITECH/HIPAA: Understanding the Public Policy Rationale.
It provides readers with a perspective on the public policy rationale that underpins the HITECH/HIPAA statutes and regulations. Its central argument is that without a well-grounded understanding of the policy, many practitioners will remain lost in the weeds and unable to comprehend the essence of what is required to comply.
The featured article this month is entitled: Business Associates: Compliance as a Marketplace Differentiator.
This article explains why, as a business associate, you have no choice other than to make the best out of the regulatory compliance hand that you have been dealt. You somehow must manage to make lemonade from lemons. If you can't, your competitors will. You can either be the "disruptor" or the "disruptee." The former is preferable.
The featured article this month is entitled: Preparing for the Omnibus Rule: building a strong foundation.
Building a solid understanding of the HIPAA Rules, as modified by HITECH, is not an easy task; nor is it a task that can be accomplished simply by reading the "Cliff Notes." The HIPAA Survival Guide contains the full text of the Rules and we encourage readers to peruse them when necessary (and it is often necessary). However, even attorneys don't like reading pure statutory text out of context, so this article will provide a guided tour of how to launch your own education plan based on our suggestions from previous issues.
The featured article this month is entitled: What documents must be tracked for HITECH / HIPAA compliance? The challenges of complying with an OCR HITECH / HIPAA audit are numerous. As such, preparing for an audit can be quite overwhelming. We covered this topic in our June 2012 Newsletter. We also did a number of Blog Talk Radio shows on this topic:
Finally, we did a webinar on this topic and the slides can be found here. What we are covering in this article is another perspective on an audit, specifically the kinds of documents that you may be asked to produce.
The featured article this month is entitled Small Providers: Avoiding a Breach Calamity! This is a guest article written by Tom Warley, CSO of Colorado Hi-Tech Solutions, a firm that specializes in helping small providers meet the challenges of implementing the HIPAA Security Rule.
The challenges of securing PHI for small providers in today's regulatory environment can be significant. There are budget constraints, personnel constraints and, for many, a fog of confusion surrounding the HIPAA Security Rule. Even though providers are familiar with HIPAA privacy, few understand the true importance of data security, much less how to attain it. Doctors are still under the illusion that HIPAA is a paper tiger, toothless. Old-school doctors in particular are often unswayable in this regard. Some office managers are aware of the Security Rule but consider it a mere formality, believing that policies alone suffice for compliance or that "it's the IT guy's job". Many small providers fail to address data security at all, ignoring basic security safeguards altogether. They do so at their peril. The small provider must make the protection of PHI the single most important thing they do other than patient care itself.
The featured article this month is entitled HIPAA Compliance: what to expect from an OCR audit?
Under Section 13411 of the HITECH Act, the Secretary "shall provide for periodic audits" to ensure compliance with the Act. It is the Office of Civil Rights ("OCR") that has the actual authority (under the Secretary) for HIPAA audits and enforcement actions. In 2011, OCR contracted with KPMG to develop an audit methodology and to conduct 150 audits. These audits are well underway. This article discusses what you should expect from an OCR audit.
The featured article this month is entitled Healthcare and the Cloud Revisited: it's your data, how do you protect it?
This article explores how to protect your PHI when moving to the Cloud. It turns out that protecting your PHI on the Cloud is not only fraught with technical complexity, but with a significant amount of legal complexity as well.
We are concerned that many covered entities do not possess either the technical or legal wherewithal to adequately deal with this issue. As always, it's our mission to provide our readers "news you can use." Our objective in this article is to get you "up the curve" so that you can, at a minimum, begin to ask the right questions.
The featured article this month is entitled Dispelling the Top Ten (10) Myths of HIPAA/HITECH Compliance.
This month's article is by guest author John 'J' Trinckes Jr., CISO/EVP/Founding Partner, CISSP, CISM, CRISC, C-EH, NSA-IAM/IEM, Mulholland Information Security.
Summary: The following are the top ten reasons (or myths) regarding HIPAA/HITECH compliance that we have heard in the healthcare industry over the past couple of years. There is no specific order in which these appear; however, I do attempt to explain the fallacy of these thought processes.
The featured article this month is entitled HIPAA Compliance: Introducing the H2 Compliance Scorecard.
This month's article is a follow-on article to our October 2011 article entitled: HITECH / HIPAA Compliance: a checklist manifesto?
Our October article explored how:
"in a world that is increasingly becoming more complex, where the volume of knowledge often exceeds an individual's ability to assimilate and communicate it, simple tools such as checklists are having a profound and compelling positive impact on dealing with complexity."
In particular, it explored how checklists can be used as HITECH / HIPAA compliance tools. This month's article introduces our H2 Compliance Scorecard℠ and how it can be used in combination with a checklist to measure compliance improvement over time.
The featured article this month is entitled HIPAA Compliance: Preview of the HHS Omnibus Rule?
This article explores the proposed HHS Omnibus Rule. The HHS Omnibus Rule ("OR") mostly concerns sections of the HITECH Act that went into effect on February 18, 2010. There was an NPRM that was issued on July 14, 2010 that contained the changes proposed for the final rule. It is quite evident that HHS has not broken any "land speed records" in finalizing the OR, but all indications are that it will be forthcoming "soon." The full text of the OR can be found here.
The featured article this month is entitled HIPAA Compliance: The Privacy Rule and the Patient's Bill of Rights?
This article explores the Patient's Bill of Rights ("PBR") contained within the HIPAA Privacy Rule. Although the PBR has existed since the Privacy Rule was first promulgated, changing demographics and marketplace trends will force covered entities (and in many cases business associates) to take a new look at the PBR and its implications. Recently, due to the significant movement to EHRs enabled by the HITECH Act, it is the HIPAA Security Rule that has garnered most of the attention, and rightfully so. However, the PBR may (at the end of the day) be the single biggest driver of compliance change within an organization, superseded only by changes brought on by breach notification.
The featured article this month is entitled HIPAA Compliance: The Intersection of Privacy, Security, Mobile and Social Media?
This article explores the use of social media and mobile devices in the healthcare industry and the potential risks associated with such rampant use. It is not a question of whether or not covered entities ("CEs") should engage in this type of use; the fact of the matter is that they are doing so in large numbers. This phenomenon is not about to stop anytime soon, nor should it. Social media and mobile devices provide CEs with a way to engage their patients in a manner that allows CEs to differentiate their offerings in an increasingly more competitive marketplace.
The featured article this month is entitled HITECH / HIPAA: The Cost of Non-Compliance?
This article explores the cost of HITECH / HIPAA non-compliance to the healthcare industry. It will examine a number of cost factors and suggest strongly that relatively small investments in compliance could produce significant returns. It will also revisit the reasons why healthcare's compliance status quo is no longer sustainable.
The featured article this month is entitled HITECH / HIPAA Compliance: a checklist manifesto?
This article explores how, in a world that is increasingly becoming more complex, where the volume of knowledge often exceeds an individual's ability to assimilate and communicate it, simple tools such as checklists are having a profound and compelling positive impact on dealing with complexity. In particular, this article explores how checklists can be used as HITECH / HIPAA compliance tools.
The featured article this month is entitled HITECH / HIPAA and the Cloud: what are the benefits and risks?
This article explores the healthcare industry's emphatic adoption of cloud computing and the benefits and risks of moving to the cloud, including those directly related to HITECH / HIPAA Compliance.
The featured article this month is entitled Meaningful Use: How do you verify that you are meeting the requirements?
This article addresses the kinds of information that must be tracked in order to receive your EHR Incentives under the meaningful use stage 1 requirements. Clearly there is quite a bit of information that needs to be tracked, most of which will be coming from a provider's EHR system. However, the information in an EHR system is not static. Therefore, providers must capture all required information to legally attest to HITECH Act compliance as a snapshot at a point in time, which is not a trivial task given the complexity of the objectives.
The featured article this month is entitled: HIPAA Breach Notification Decision Points: when is notification triggered?
This article addresses the kind of analysis required to decide whether breach notification is triggered under the HITECH Act for a given security incident. The bottom line is that not all security incidents trigger notification, but the wicked problem remains: how do you determine the ones that do?
The featured article this month is entitled: Tracking Patients Using HITECH / HIPAA Compliance Software.
This article addresses features and functionality required to ensure that your organization can provide visible demonstrable evidence that it is managing patient authorizations, restrictions, incidents, and access requests according to applicable law. This article provides an overview of how our recommended best of breed HIPAA Compliance Software accomplishes these tasks. In subsequent articles we will discuss the other baseline components in greater detail.
The featured article this quarter is entitled: "Must Have Features in a HITECH / HIPAA Compliance Tracking System."
This article describes the kinds of features and functionality that an organization should seek in HIPAA compliance software in order to be able to show visible, demonstrable evidence that it is serious about meeting its HITECH / HIPAA compliance obligations. We have often written about the concept that compliance is a process and that simply having policies and procedures in place, although necessary, is woefully insufficient with respect to demonstrating process due diligence over time. In short, in addition to providing assistance in the creation and management of policies and procedures, HIPAA compliance software should also allow an organization to manage its compliance processes and to demonstrate evidence that it is doing so.
The featured article this quarter is entitled: "Disruption in Compliance Governance: Why the old governance model is DOA."
If any reader still believes that the healthcare industry has not already been disrupted more in the last year than it has in the past fifty, with more disruption on the way in 2011, then you have simply been asleep at the wheel for all of 2010. Further, we have a news flash for you: it is no longer the government that is the most active agent in the disruption business; it's that scary (or holy, depending on your point of view) thing we call "the free market" that is driving the disruption.
The featured article this month is entitled: "Ten Steps to Selecting the Right EHR Software."
First of all, if you have been following along with this newsletter you understand that there are no ten steps (or five, pick a number) to "solving" any wicked problem (for new readers see here and here). Software selection is clearly a wicked problem and therefore does not lend itself to a linear process. The software selection problem is much more chaotic than what may be apparent on its face. Second, although an EHR implementation and your HITECH compliance initiative are closely intertwined, for reasons to be discussed in this article, we feel compelled to (once again) remind our readers that they are NOT one and the same thing.
The featured article this month is entitled: "Healthcare for the 21st Century, it's the architecture stupid."
What is healthcare architecture? My "elevator pitch" answer to this question goes something like this: "architecture concerns itself with making sure that the various parts of a complex system (e.g. healthcare interoperability) work well together." Huh? In short, the question is not an easy, or straightforward, one to answer. We have a 2000-year history of architecture as it relates to the built world, and still the general public has only a vague understanding of its first principles. In the healthcare universe, at least with respect to anything that could be called healthcare interoperability, we have, at most, a very short history indeed (especially in the U.S.). Therefore, it should come as no surprise that even practitioners within the healthcare information technology industry are confused when the word is used.
The featured article this month is entitled: "Compliance with HITECH / HIPAA Privacy and Security: Biomedical Device Integration (BMDI)."
This article, by Deborah Leyva, RN, Clinical Solutions Executive, at Nuvon, Inc., presents an overview of the importance of medical device integration vis-a-vis EHR ROI, and the corresponding privacy and security challenges under HITECH.
The featured article this month is entitled: "HITECH Breach Notification Framework: an Overview."
This article presents an overview of issues that covered entities ("CE") face when confronted with a breach of PHI and its corresponding reporting requirements under HITECH. To say that the HITECH Act changes everything with respect to breach notification is not hyperbole. There were no equivalent breach notification requirements under HIPAA, and therefore HITECH introduces an entirely new regulatory regime in this regard. HITECH's breach notification requirements also have implications with respect to business associates, and with respect to the relationship between a business associate and a covered entity.
This month's featured article is entitled: "Business Associate Contracts: HITECH Implications."
Until the HITECH Act was enacted into law on February 17, 2009, as part of ARRA, a business associate's ("BA") compliance with HIPAA's Regulations was mandated only as part of the contract (see 164.504(e)(1)) with its respective Covered Entity ("CE"). Under HITECH a BA is "directly on the hook" (i.e. via statutory authority) for complying with the sections of the HIPAA Security Rule ("SR").
This month's featured article is entitled: "Business Associates: That was then, this is now."
All business associate contracts will have certain key sections as required by the regulations. This article walks you through each key section from our perspective, highlighting issues that you should consider before entering into a binding agreement. It should be noted that these issues will obviously vary with the individual party using the agreement, and whether or not your organization is a Covered Entity ("CE") or a Business Associate ("BA").
This month's featured article is entitled: "Change is Hard: EHR Implementations, Compliance Touch Points & Chaos Theory."
It is a "concept article" with the following introduction:
We understand that this newsletter has introduced concepts (e.g. wicked problems and agile methodologies) that may be foreign to healthcare providers. There are several reasons why we have felt compelled to do so: 1) we are bona fide geeks and can't help ourselves; and 2) more importantly, we believe that maybe (just maybe) some of our readers might benefit from our lessons learned (the hard way) in other industries.
This month's featured article is entitled: "The HITECH Act One Year Out: Real Healthcare Reform?"
It explores where we have been under HITECH and where we are likely headed. It attempts to provide a big picture view of more than just the regulatory impact, but rather discusses the convergence of law, policy and technology as the real foundation for change. All three combined will produce unprecedented change in the healthcare industry. Why? Because these three meta-concepts are inextricably linked. Trying to understand any one of them without considering the other two is an exercise in futility.
This month's featured article is entitled: "HHS' Interim 'Meaningful Use' Regulations (Part 2)."
It is a continuation of the guest article by Deborah Leyva, RN, BSN, contained in January's newsletter. The focus of our newsletter has been primarily on providing a better understanding of the HITECH / HIPAA requirements and on providing insights into strategies that will help providers and facilities meet the objectives of the new regulations. January's guest article began with a discussion of the changes made by ONC and HHS for the first Policy Priority specified by the HIT Policy Committee, covering specifications for Stage I - 2011 Meaningful Use criteria, subsequent to the announcement by ONC and HHS, on December 30th.
This month's featured article is entitled: "The Compliance Crisis: Top Five Strategies Guaranteed to Fail."
The focus of our newsletter has been primarily on providing a better understanding of the HITECH / HIPAA requirements and on providing insights into strategies that will help providers and facilities meet the objectives of the new regulations. However, it is often just as useful, perhaps more so, to examine the status quo and to analyze why existing strategies will no longer work in this new regulatory environment. The article's five compliance strategies guaranteed to fail are as follows: (1) ostrich; (2) our staff's on top of it; (3) members of our legal team are compliance experts; (4) not invented here--healthcare is so different; and (5) the docs know best.
The featured article this month is entitled: Understanding HITECH / HIPAA Risk Management Frameworks.
These frameworks are targeted to executives and others who require strategic guidance during these uncertain times. Now that the healthcare marketplace is starting to recognize the scope and magnitude of the HITECH Act, we felt it was necessary to take a step back and provide executive management teams (and other mission critical management staff) our perspective on how to move forward in a responsible and rigorous manner, especially in this highly competitive economic environment that mandates effective cost control. In short, how can an organization achieve HITECH / HIPAA compliance without breaking the bank?
The featured article this month is entitled: "The Intersection of HITECH/HIPAA and Meaningful Use: Part IV: Attacking the HIPAA Security Rule (Hug the Monster: Redux)."
It is the fourth in a series of featured articles over the next few months that will discuss the transformational impact that the HITECH Act is likely to have on HIPAA's regulatory environment. This featured article explores the HIPAA Security Rule in the second of two parts that discusses "the monster."
The featured article this month is entitled: "The Intersection of HITECH/HIPAA and Meaningful Use: Part III: Attacking the HIPAA Security Rule (Hug the Monster)."
It is the third in a series of featured articles over the next few months that will discuss the transformational impact that the HITECH Act is likely to have on HIPAA's regulatory environment. This featured article explores the HIPAA Security Rule in the first of two parts that discusses "the monster."
The featured article this month is entitled: "The Intersection of HITECH/HIPAA and Meaningful Use: Part II."
It is the second in a series of featured articles over the next few months that will discuss the transformational impact that the HITECH Act is likely to have on HIPAA's regulatory environment. This featured article explores why an EHR/HITECH/HIPAA implementation is a "wicked problem."
The featured article this month is entitled: "The Intersection of HITECH/HIPAA and Meaningful Use: Part I."
It is the first in a series of featured articles over the next few months that will discuss the transformational impact that the HITECH Act is likely to have on HIPAA's regulatory environment. This featured article introduces key aspects of the HITECH Act and why they collectively constitute a game changer.