Why Us?

We know the law and we know the web.

We help companies safely and securely do business on the web.

HITECH / HIPAA Newsletter July 2011



HITECH Act Compliance is a Team Sport:  Is your team HITECH ready?

 July 2011 Issue No. 19
In This Issue
Products now available in the HSG Store
HIPAA Breach Notification Decision Points: when is notification triggered?
In the News

ONC continues to leverage new media to get the word out:

 

New posts have been added to the Office of the National Coordinator for Health Information Technology's (ONC) Health IT Buzz Blog! The most recent posts focus on the exciting work being accomplished by the Regional Extension Centers (RECs) and the Beacon Community Program. 

_____________________________

 

The Office of Inspector General (OIG) has also been busy of late:

  

Patient Recruiter Sentenced to 77 Months in Prison in Connection with $9 Million Medicare Fraud Scam in Detroit: Yesterday the Departments of Justice and Health and Human Services announced that Miami resident Reynel Betancourt, 51, was sentenced to 77 months in prison for his participation in a $9 million Medicare fraud scheme. http://go.usa.gov/Def

Advisory Opinion 11-07 concerns the expansion of a vaccine reminder program to include entities that insure and treat patients covered by a fee-for-service Federal health care program. http://go.usa.gov/Dev

Audit of Medicare Part A Administrative Costs for the Period November 5, 2007, Through September 30, 2008 at Wisconsin Physicians Service Insurance Corporation  (A-05-09-000101) http://go.usa.gov/DeL

Administrative costs reported by Wisconsin Physicians Service Insurance Corporation (WPS) on its FY 2008 Final Administrative Cost Proposal were generally reasonable, allowable, and allocable and in compliance with the Federal Acquisition Regulation and other applicable criteria.  However, WPS reported unallowable costs totaling $945,000 because it overstated costs for indirect costs ($871,000), outside professional services ($39,000), travel ($26,000), miscellaneous ($7,000), and other ($2,000). 


Products now available in the HSG Store
HIPAA Breach Notification Framework

Our HIPAA Breach Notification Framework walks you through the process of analyzing security incidents to determine what actions you must take to ensure your response complies with the HITECH Breach Notification requirements. The Framework discusses HITECH breach compliance in simple terms and uses twelve flowchart diagrams to help you navigate the process. It also includes tools and templates that help "jump start" your breach notification compliance initiative.


Our HIPAA Breach Notification Policy

This policy implements section 13402 of the HITECH Act, which requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. The policy was derived from our HIPAA Breach Notification Framework and is included as a FREE gift with that product.


Business Associate Agreement: a HITECH Ready Model Contract


Our model Business Associate Agreement includes provisions that meet the requirements of HIPAA/HITECH and is fully annotated with links to the relevant statutory/regulatory authority that underpins each Contract clause. The Contract package also includes a complete "User's Guide," with a clause-by-clause explanation of the issues addressed in the Contract. 


The Security Rule Under HITECH:
a Business Associate Perspective
First Edition

The most important step for building a "good SR compliance story" is for the business associate to get started. The approach in The Security Rule Under HITECH is to build the story iteratively over time. Most business associates (large or small) will likely need help in creating the story. The framework discussed throughout this document provides a good road map to follow.


HIPAA Survival Guide Third Edition

The Third Edition of the HIPAA Survival Guide updates various substantive text of the first two editions and adds completely new material. The HITECH Act has indeed proven to be transformational. In order to deal more effectively with its changing regulatory landscape we have decided to release an updated version available here and on Amazon's Kindle platform.

Dear Carlos,

Welcome to the July 2011 HITECH / HIPAA Compliance Newsletter. Given the recent activity occurring in the HITECH / HIPAA regulatory landscape we have decided to revert to a monthly format. 

 

The featured article this month is entitled HIPAA Breach Notification Decision Points: when is notification triggered?

 

This article addresses the kind of analysis required to decide whether breach notification is triggered under the HITECH Act for a given security incident. The bottom line is that not all security incidents trigger notification, but the wicked problem remains: how do you determine the ones that do?

HSG Announcements





We are now actively promoting what we believe to be the best of breed HIPAA Compliance Software on the market. We performed a significant amount of due diligence over the last couple of years and this is the one solution that is clearly ahead of the pack and economically priced to be within the reach of even the smallest covered entities and business associates. To see a demo of the product click here.

We are also pleased to announce (see press release) the availability of our HIPAA Breach Notification Framework . Section 13402 of the HITECH Act requires that HIPAA covered entities and their business associates provide various notifications following a breach of unsecured protected health information. Our HIPAA Breach Notification Framework  offers guidance for complying with HITECH's Breach Notification requirements as well as tools and templates that help "jump start" your breach notification compliance initiative.

Our EHR Library remains one of our most popular downloads. Here you will find content that will help you select the right EHR package for your practice or facility.
Contract Drafting
We continue to be excited about the marketplace feedback of our Business Associate Agreement: a HITECH Ready Model Contract (Buy Now).

The HIPAA regulations and the HITECH Act mandate that a covered entity establish a written contract with a business associate in a number of instances, including whenever a business associate "manages" PHI on behalf of a covered entity. Our Model Contract includes provisions that meet the requirements of HIPAA/HITECH and is fully annotated with links, where appropriate, to the relevant statutory/regulatory authority that underpins each Contract clause.

Our Model Business Associate Contract, Roadmaps, and other offerings are now available in the HSG Store.


Stay Connected
Want to stay updated throughout the month? Follow Debbie on Twitter. If you would like to read more regarding the authors' views on HIT and compliance, subscribe to their blogs.

Become a Fan
Follow us on FaceBook by becoming a fan of the guide and support the HSG by purchasing some HSG Wearables. Also, be sure to check out our HITECH Videos.




Advertising Opportunities
HSG is now welcoming advertisers to help support one of the most comprehensive and usable HITECH / HIPAA sites on the Internet. Our audience continues to grow as healthcare providers, both large and small, return to HSG again and again.

HIPAA Breach Notification Decision Points: when is notification triggered?

Section 13402 of the HITECH Act requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.
The regulations pertaining to breach notification have been codified in 45 CFR 164 Subpart D and went into effect on September 23, 2009. The final breach notification rule is still pending; in March 2011 it was announced as coming "soon".

 

To determine whether you are dealing with a breach that requires notification under HITECH, you will need to be able to answer the following questions, and take appropriate action:

  1. Was there an impermissible use or disclosure of unsecured PHI?
  2. Does an exception to the breach rules apply?
  3. Was there significant risk of financial, reputational or other harm to the individual? 

 

It turns out that these questions are not as readily answered as they may appear. This article will explore some of the reasons why this is the case.

 

As required by section 13402(e)(4) of the HITECH Act, the HHS Secretary must post on the HHS website a list of breaches of unsecured PHI affecting 500 or more individuals. The analysis described in this article may help keep you off of that list. That is certainly one of its key objectives, along with preventing or minimizing the reputational harm that often results from a serious breach.

 

Because the breach notification requirements are highly technical, triggered under certain specified conditions, and controlled via stringent timeframes, it is critical to have a plan of action in place before a breach occurs. Embrace the philosophy that the best defense is a good offense. Assume that a breach of unsecured PHI will occur and prepare accordingly. Why? Because far too much PHI will continue to exist in a form (e.g. unencrypted) that does not qualify for the HITECH safe harbor, so the safe harbor cannot be relied upon universally.

 

Additionally, the timeframes for providing notification are short. Once the clock starts ticking, you want to be implementing your plan of action, not developing one. We recommend that organizations adopt a philosophy of privacy by design as a guiding principle in their compliance efforts.

 

What this means in practice is that organizations should build a privacy protection mindset into their everyday business processes. By adopting this approach, an organization sends a clear message to internal and external stakeholders that privacy is important. This represents an important first step in meeting the compliance challenge in a systematic manner. For most healthcare organizations, this change in mindset will require a transformation of the existing culture over time.

 



About Us
3Lions Publishing, Inc. is now the owner/operator of the HIPAA Survival Guide website and the official sponsor of this newsletter. Our mission is to bring you HITECH / HIPAA statutes and regulations in an easy to read and digestible format, products that help reduce the burden of compliance, and "news you can use" via our newsletter.

We take a partnering and collaborative approach to the marketplace. If you would like to see specific topics covered in this newsletter, or additional products, then please let us know.


Carlos Leyva, CEO
3Lions Publishing, Inc.

