Featured Article
This month's featured article is entitled: HITECH Breach Notification Framework: an Overview. You are going to hear more and more about breach notification as high-profile cases are discussed on TV and across the spectrum of Internet media. There will be a significant amount of discussion regarding potential legal liability and regarding "how well the damage control program was run."
There were no breach notification requirements under HIPAA. The HITECH Act changes all of that, for reasons that many in the healthcare industry are only now starting to understand. It is not simply the fact that "big brother" has sent the message that "we are coming after you"; in addition, patients themselves are becoming quite vocal regarding their privacy rights, especially in the always-on electronic universe that we all now inhabit, an environment that the healthcare industry is now finally adopting, although still somewhat reluctantly.
The HITECH Act: 1) mandates breach notification to patients, HHS and/or NEWS MEDIA under certain scenarios; 2) makes HHS audits mandatory (despite the fact that the exact methodology has yet to be worked out); 3) provides for stiffer non-compliance fines; 4) allows (eventually) individual patients to participate in the proceeds of fines levied on their behalf; 5) returns proceeds from fines into HHS' coffer; and 6) allows state attorneys general to bring suit on behalf of their citizens. In short, it is time to start paying attention to HITECH's Breach Notification Requirements, because a material breach will likely be playing soon at a theater near you.
This article provides an overview of the basic components of a HITECH Breach Notification Framework, one that will need to be part of any HITECH-ized compliance program. This overview obviously does not provide an exhaustive description of what might be included in such a framework. Such a description would amount to a treatise and likely prove completely useless to our readers. Instead we continue to focus our efforts on "news you can use."
HITECH's Breach Notification Requirements have significant implications vis-a-vis covered entity / business associate relationships. Healthcare providers may have many more BA relationships than may be apparent. The definition of a business associate is quite broad and may include professional services providers such as attorneys, accountants, technology consultants, and others, depending on whether or not you share PHI with said partners in order for them to deliver their respective services. That translates into significantly more exposure regarding breach, much of which is completely outside of the control of a covered entity.
HITECH Ready Business Associate Contract & Compliance Roadmaps now available in the HSG Store.
Business Associate Agreement: a HITECH Ready Model Contract
The HIPAA regulations and the HITECH Act mandate that a CE establish a written contract with a BA in a number of instances, including whenever a BA "manages" PHI on behalf of a CE.
Our Model Contract includes provisions that meet the requirements of HIPAA/HITECH and is fully annotated with links, where appropriate, to the relevant statutory/regulatory authority that underpins each Contract clause.
The Contract package also includes a complete "User's Guide," with a clause-by-clause explanation of the issues addressed in the Contract. It can be used, with minor modifications, out-of-the-box, or as an educational tool to draft a customized version.
The Security Rule Under HITECH: a Business Associate Perspective
The most important step for building a "good SR compliance story" is for the business associate to get started. The approach recommended herein is to build the story iteratively over time. Most business associates (large or small) will likely need help in creating the story. Getting started in the wrong direction initially could be far more costly in the long run, since much of the compliance budget may simply be wasted. The framework discussed throughout this document provides a good road map to follow.
HIPAA Survival Guide Third Edition
The Third Edition of the HIPAA Survival Guide updates various substantive text of the first two editions and adds completely new material. The HITECH Act has indeed proven to be transformational. In order to deal more effectively with its changing regulatory landscape we have decided to release an updated version available here and on Amazon's Kindle platform.
Join Our Mailing List
Interested in staying current on HITECH / HIPAA compliance issues? Click the "join our list" link above and receive your own copy of the newsletter on the first business day of each month.
Also, if you are interested in "jumpstarting" your compliance efforts, then check out the HSG Store. Also, if you need to compare EHR software offerings click here, and if you need a HITECH compliant data backup checklist click here.
Finally, if you are interested in reducing costs and delivering more value to your patients, then check out Info-Surge's patient engagement portal.
Dear Carlos,
Welcome to the July 2010 HITECH / HIPAA Compliance Newsletter. The featured article this month is entitled: "HITECH Breach Notification Framework: an Overview." This article presents an overview of issues that covered entities ("CE") face when confronted with a breach of PHI and its corresponding reporting requirements under HITECH.
To say that the HITECH Act changes everything with respect to breach notification is not hyperbole. There were no equivalent breach notification requirements under HIPAA, and therefore HITECH introduces an entirely new regulatory regime in this regard.
HITECH's breach notification requirements also have implications with respect to business associates, and with respect to the relationship between a business associate and a covered entity.
As we have often stated, HITECH transforms HIPAA from a paper tiger into a regulatory scheme with real teeth (some might say fangs), and that makes all the difference in the world with respect to breach notification. Not only are covered entities now subject to potentially onerous legal liability, the requisite transparency of the breach notification reporting requirements is likely to lead to significant reputational damage for any organization unfortunate enough to experience a material breach.
Clearly, the best defense is a good offense. However, even under the best of circumstances, the complexity of protecting all electronic PHI, and the quantity of paper based PHI that will remain accessible for years to come, presents both a compliance challenge and a public relations challenge. All covered entities should prepare plans and processes that assume that a material breach will occur.
You don't want to be hauled in front of a Congressional committee only to discover that your emergency breach notification contact has been dead for five years.
We are now actively promoting what we believe to be the best-of-breed HIPAA compliance tracking system ("CTS") on the market. We performed a significant amount of due diligence over the last couple of years, and this is the one solution that is clearly ahead of the pack and economically priced to be within the reach of even the smallest covered entities and business associates. To see a demo of the product click here.
We are also pleased to announce the availability of our Breach Notification Framework. Section 13402 of the HITECH Act requires that HIPAA covered entities and their business associates provide various notifications following a breach of unsecured protected health information. Our Breach Notification Framework offers guidance for complying with HITECH's Breach Notification requirements.
Our EHR Library remains one of our most popular downloads. Here you will find content that will help you select the right EHR package for your practice or facility.
We continue to be excited regarding the marketplace feedback on our Business Associate Agreement: a HITECH Ready Model Contract (Buy Now).
The HIPAA regulations and the HITECH Act mandate that a CE establish a written contract with a BA in a number of instances, including whenever a BA "manages" PHI on behalf of a CE. Our Model Contract includes provisions that meet the requirements of HIPAA/HITECH and is fully annotated with links, where appropriate, to the relevant statutory/regulatory authority that underpins each Contract clause.
Our Model Business Associate Contract, Roadmaps, and other offerings are now available in the HSG Store.
Want to stay updated throughout the month? Then follow Debbie on Twitter by clicking on the badge below. If you would like to read more regarding the authors' views on HIT and compliance, click here and here and subscribe to their blogs.
Become a Fan
Follow us on FaceBook by becoming a fan of the guide and support the HSG by purchasing some HSG Wearables. Also, be sure to check out our HITECH Videos.
HSG is now welcoming advertisers to help support one of the most comprehensive and usable HITECH / HIPAA sites on the Internet. Our audience continues to grow as healthcare providers, both large and small, return to HSG again and again.
HITECH Breach Notification Framework: an Overview
HITECH widens the scope of privacy and security protections available under HIPAA, and increases the potential legal liability for non-compliance. The goal of the HITECH Act was to accelerate the adoption of electronic health records industry-wide and, at the same time, establish a national healthcare infrastructure to support the seamless exchange of PHI.
We know that patient privacy is important to you. If it weren't, you wouldn't be reading this. It is likewise clearly important to your patients. The objectives of this framework are to explain the breach notification regulations in simple terms, and provide stakeholders with guidelines and tools for implementing, refining and measuring breach notification policies and procedures.
As we stated in previous articles, there is no one right way to go about this. Further, because the technology and healthcare industries are growing and changing every day, breach notification policies and procedures manuals will never gather dust. If you reconcile yourself to the fact that this is an ongoing process, you'll have an easier ride. The goal is to help you put workable policies and procedures in place that conform to the HITECH regulations, as best as practicable for your organization.
This article provides an overview of what should be contained in a HITECH Breach Notification Framework. Additionally, we cannot ignore the "Wall of Shame." As required by section 13402(e)(4) of the HITECH Act, the Secretary must post on its website a list of breaches of unsecured PHI affecting 500 or more individuals. This framework may help keep you off of that list.
The breach notification requirements applicable to covered entities and business associates, are controlled by Section 13402 of the HITECH Act, and by the recent guidance provided by HHS in the PDF found here. HHS' Interim Final Rule on breach notification went into effect on September 23, 2009. The newly added regulations (45 CFR Subpart D) can be found here.
If you are familiar with the regulations, or you clicked on the preceding links, you know that the breach notification requirements are highly technical, triggered under certain specified conditions, and controlled via stringent timeframes. Accordingly, it is critical to have a plan of action in place before a breach occurs.
Embrace the philosophy that the best defense is a good offense. Assume that a breach of unsecured PHI will occur, and prepare, adjust, and repeat. Why? There is simply too much PHI that will continue to exist in a form (i.e. unencrypted and/or not disposed of properly) that falls outside the HITECH safe harbor (generally available only if PHI is in a form that is unusable, unreadable or indecipherable) for that safe harbor to be universally applicable. Additionally, the timeframes for providing notification are short. Immediately after the clock starts ticking, you want to begin implementing your plan of action, not developing one.
This framework will help put in place a set of tools that will allow your organization to be rapid response ready. If you already have a plan in place, this framework will serve as a backstop to ensure that, in addition to being HIPAA compliant, your plan is HITECH ready.
To determine whether you are dealing with a breach that requires notification under HITECH, you will need to be able to answer the following questions, and take appropriate action:
1. Was there an impermissible use or disclosure of unsecured PHI?
2. Was the use or disclosure a violation of the HIPAA Privacy or Security Rules?
3. Was there significant risk of financial, reputational or other harm to the patient?
4. Does an exception to the breach rules apply?
About Us
We help companies safely and securely do business on the web, in accordance with applicable law. How? By helping them reduce risk. Privacy and security compliance issues are merely a subset of legal issues that online businesses face. This is equally true for eCommerce sites as it is for healthcare providers, facilities, and vendors.
We take a partnering and collaborative approach in our legal practice. If you would like to see specific topics covered in this newsletter then please let us know.
The Digital Business Law Group, P.A.