Why Us?

We know the law and we know the web.

We help companies safely and securely do business on the web.

HIPAA Compliance is a Team Sport:  Is your team HITECH ready?

 December 2009 Issue No. 5
In This Issue
Fast Track to HITECH Compliance
Understanding HITECH / HIPAA Risk Management Frameworks
Featured Article
This month's featured article is entitled "Understanding HITECH / HIPAA Risk Management Frameworks." This begs the question, what is a framework, and more specifically in this context, a legal / compliance analytical framework?

The short answer is that it is a way to "attack" a particular problem or issue. Analytical frameworks have been widely adopted across industries, ranging from legal to technology, and almost any domain you can think of in between. For good background information on analytical frameworks click here (ignore the jargon and read between the lines for the essence).

Analytical frameworks, from our perspective, are most useful when an individual (or organization) is confronting a difficult problem that is either entirely new or for some reason has taken on additional complexity. Frameworks provide guidance regarding how to think through and solve a problem, based upon the experience of others. An analytical framework is not a cookbook methodology or solution (there are no cookbook solutions to wicked problems), but rather a kind of roadmap from a fellow traveler who has previously crossed the same (or similar) territory.

Our HITECH / HIPAA Risk Management Frameworks are intended to deliver guidance, including tools, techniques, templates, and other reusable components that help you navigate, and make sense out of, this new terrain. They are intended as knowledge transfer vehicles that allow you to derive the HITECH / HIPAA compliance solution that works within your organizational context.

Additional, more in-depth coverage of our frameworks will be provided in our HITECH Risk Management Webinar Series. For an introduction to HITECH / HIPAA frameworks listen to this podcast.

FAST Track to HITECH Act Compliance: A Roadmap

The Health Information Technology and Clinical Health Act (HITECH) has a profound impact on health care payers and providers. The regulation was enacted on February 18, 2009.  Although the regulation does not fundamentally change the Health Information Portability and Accountability Act (HIPAA) requirements for safeguarding protected health information (PHI), it extends the jurisdiction of the original HIPAA statute from "covered entities" to "business associates."  It also offers strong penalties and enforcement procedures which require immediate attention since various provisions of the act are already in effect and are enforceable.  The Health and Human Services Department effective enforcement dates for various provisions and other significant deadlines are regularly updated on their website.  Appendix A provides the original timeline for expected release dates.

The HITECH Act also stipulates specific breach notification requirements should an unauthorized disclosure of "unsecured" protected health information take place.  Further, it stipulates specific fines and other penalties based on the nature and gravity of the breach.

The focus of this paper is to identify what we need to do to secure and to protect "protected health information" so even if there is a loss of data or an unauthorized access, the data is protected and not subject to the act's penalties.  To facilitate compliance with the act's new requirements, we need to identify relevant provisions and compliance requirements, understand the act's jurisdiction and application, and identify the consequences of an unsecured PHI breach, including breach disclosure requirements and potential penalties.   We also need to identify processes and methods that properly protect PHI.   This will be the foundation of our strategy and roadmap to get on the fast track to HITECH Act compliance.  First, let's review the current state of HIPAA and the enforcement of its provisions.


Join Our Mailing List
Interested in staying current on HITECH / HIPAA compliance issues? Click the join our list link above and receive your own copy of the newsletter on the first business day of each month.

Also, if you are interested in "jumpstarting" your compliance efforts then check out our HITECH / HIPAA Risk Management Webinar Series. Also, if you need to compare EHR software offerings click here.

Dear Carlos,

 Welcome to the December 2009 HITECH/HIPAA Compliance Newsletter. The featured article this month is entitled: "Understanding HITECH / HIPAA Risk Management Frameworks." These frameworks are targeted to executives and others who require strategic guidance during these uncertain times.

Now that the healthcare marketplace is starting to recognize the scope and magnitude of the HITECH Act, we felt it was necessary to take a step back and provide executive management teams (and other mission critical management staff) our perspective on how to move forward in a responsible and rigorous manner, especially in this highly competitive economic environment that mandates effective cost control. In short, how can an organization achieve HITECH / HIPAA compliance without breaking the bank?

The November Issue completed our in-depth review of the HIPAA Security Rule. The previous two issues are foundational with respect to development of a "Security Rule framework," a framework that will be covered (and distributed) in an upcoming HITECH Risk Management Webinar (date TBD). This month's issue focuses on defining our framework approach, one that targets significant movement along the compliance continuum within well-defined roadmaps. This month also features a guest article by Lester E. Flammer, Managing Partner of the Vantage Group, LLC.

Lester's article is appropriately titled "Fast Track to HITECH Compliance: A Roadmap." It covers both an overview of the HITECH Act as well as substantive details regarding best practices for securing PHI. A robust data encryption strategy and implementation is imperative for organizations that want to prevent (more likely significantly mitigate) security incidents that trigger notification. A breach notification analytical framework will be discussed in a future issue of this newsletter.

Our focus from the outset has been to provide actionable information to our readers. In short, "news you can use." We received positive feedback regarding this approach at the recent World Health Care Congress Leadership Summit on HITECH and HIPAA Compliance. Our presentation slides of "Meaningful Use Under HITECH" can be found here. A summary of President Bill Clinton's keynote can be found here and here.

HSG Announcements

We are now actively promoting what we believe to be the best-of-breed HIPAA compliance tracking system ("CTS") on the market. We performed a significant amount of due diligence over the last couple of years and this is the one solution that is clearly ahead of the pack and economically priced to be within the reach of even the smallest covered entities and business associates. To see a demo of the product click here.

We are also pleased to announce the availability of our Breach Notification Framework. Section 13402 of the HITECH Act requires that HIPAA covered entities and their business associates provide various notifications following a breach of unsecured protected health information. Our Breach Notification Framework offers guidance for complying with HITECH's Breach Notification requirements.

Our EHR Library remains one of our most popular downloads. Here you will find content that will help you select the right EHR package for your practice or facility.

We continue to be excited regarding the marketplace feedback of our Business Associate Agreement: a HITECH Ready Model Contract.

The HIPAA regulations and the HITECH Act mandate that a CE establish a written contract with a BA in a number of instances, including whenever a BA "manages" PHI on behalf of a CE. Our Model Contract includes provisions that meet the requirements of HIPAA/HITECH and is fully annotated with links, where appropriate, to the relevant statutory/regulatory authority that underpins each Contract clause. 

Our Model Business Associate Contract, Roadmaps, and other offerings are now available in the HSG Store.

Finally, HSG is now welcoming advertisers to help support one of the most comprehensive and usable HITECH / HIPAA sites on the Internet. Our audience continues to grow as healthcare providers, both large and small, return to HSG again and again. HSG provides HITECH / HIPAA commentary and the ability to read the full text of the statute and regulations online. For more information regarding advertising with us click here or send an email to info@digitalbusinesslawgroup.com with the subject line of "HSG Advertising Inquiry."

HITECH / HIPAA Newsletter
Understanding HITECH / HIPAA Risk Management Frameworks
Compliance Continuum

The HITECH Act is a transformative piece of legislation. The challenges that it presents to the health care industry are daunting, because it anticipates a massive expansion in the exchange of electronic protected health information (ePHI). The HITECH Act also widens the scope of privacy and security protections available under HIPAA; it increases the potential legal liability for non-compliance; and it provides for an enhanced enforcement regime. Essentially, it dramatically alters health care's regulatory compliance landscape in a manner few in the industry are prepared to deal with.

Many (if not most) industry players are in a state of denial. When reality finally hits it will likely lead to analysis / paralysis, as the industry falls back to its default mode of studying the problem into oblivion. However, the policy goals of the Obama administration and forces at work in the marketplace render the default approach unacceptable and unwarranted. A significant number of the technical challenges now facing the industry have already been solved in other domains and many best practices from these experiences can be imported and adapted. That said, due to a number of factors, including health care's lagging adoption of enabling technologies and its inherent complexity, the challenges the industry faces are quite unique, both in number and in kind.

The compliance continuum depicted above is our metaphor for the iterative process required to achieve the aspirational goal of full compliance. The reality is that almost universally, organizations will have to settle for building a good compliance story, since the economic reality of budgetary and resource constraints will make even this objective a challenging one, regardless of an organization's size. Our analytical frameworks (see the introduction to this article in the left sidebar) are intended to move an organization along the compliance continuum in a practical and effective manner, keeping in mind that compliance risk is only one of many that the industry now confronts.

Depicted below are the HITECH / HIPAA analytical frameworks that we will discuss in this issue. This is not an exhaustive list of possible frameworks, although that said, it does cover significant ground. Each framework will be discussed at a high level, with subsequent issues of the newsletter providing more detail on each.

Analytical Frameworks

As discussed in the sidebar, our HITECH / HIPAA Risk Management Webinar Series will explore each framework in even more detail. Each webinar will cover a specific framework and provide additional tools and techniques that will allow an organization to "jumpstart" its HITECH / HIPAA compliance efforts. For reasons previously discussed in this article, it is a given that not all frameworks will be fully implemented during the first iterative cycle. Therefore, the webinar series will also "drill down" on how to get the most bang for your compliance dollar, and how to avoid a finding of "willful neglect."


About Us
We help companies safely and securely do business on the web, in accordance with applicable law. How? By helping them reduce risk. Privacy and security compliance issues are merely a subset of legal issues that online businesses face. This is equally true for eCommerce sites as it is for healthcare providers, facilities, and vendors.

We take a partnering and collaborative approach in our legal practice.
If you would like to see specific topics covered in this newsletter then please let us know.
