Why Us?

We know the law and we know the web.

We help companies safely and securely do business on the web.

HITECH Act Compliance is a Team Sport:  Is your team HITECH ready?

February 2010, Issue No. 7
In This Issue
The Truth about HIPAA-HITECH and Data Backup
HHS' Interim "Meaningful Use" Regulations (Part 2)
Featured Article
This month's featured article is entitled "HHS' Interim 'Meaningful Use' Regulations (Part 2)." It is a continuation of the guest article by Deborah Leyva, RN, BSN, contained in January's newsletter.

The focus of our newsletter has been primarily on providing a better understanding of the HITECH / HIPAA requirements and on providing insights into strategies that will help providers and facilities meet the objectives of the new regulations.  

January's guest article began with a discussion of the changes made by ONC and HHS for the first Policy Priority specified by the HIT Policy Committee, covering specifications for the Stage 1 (2011) Meaningful Use criteria, following the December 30th announcement by ONC and HHS.

The two interim rules put forth on December 30th, which have been posted on the Federal Register as of January 13th, are:

45 CFR Part 170: Medicare and Medicaid Programs; Electronic Health Record Incentive Program,


42 CFR Parts 412, 413, 422, and 495: Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology

This month's newsletter will continue with Part 2, providing information and clinical insight into Health Outcome Policy Priorities 2 through 5 and their associated Stage 1 criteria. Why only Stage 1 criteria? Because you must get to first base before you can go any further. As Walter Elliot once said,

"Perseverance is not a long race; it is many short races run one after another."
The Truth about HIPAA-HITECH and Data Backup
About the Guest Author: Bob Chaput is president of Data Mountain LLC, a data security, online data backup and recovery, disaster recovery and data protection services firm.  Over the past 30 years, Bob has worked as an educator, an executive and an entrepreneur.  He has assisted businesses and individuals in developing highly secure information technology (IT) strategies that are tightly linked with their business strategies and goals.  His workshops, seminars, writings and consultations reflect his knowledge, humor, enthusiasm and vision.

Executive Summary

As a healthcare executive, business owner and a service provider, few things irritate me more than ill-informed vendors running around making assertions about regulatory or legal requirements that are simply not true and/or making assertions about their products and services being [fill-in-the-blank] law or regulation-compliant when in fact there's not a circumstance that allows such a condition.

Many of these crazy assertions are reappearing around the HIPAA Security Final Rule and what is serving as its "after-burners", The HITECH Act. To be clear, there is no such thing as a HIPAA-compliant data center or a HIPAA-compliant server or a HIPAA-compliant data backup product or an EMR software product or a HIPAA-compliant online data backup and recovery service. Only organizations become HIPAA-compliant through comprehensive processes. These organizations include Covered Entities (CEs) and Business Associates (BAs). BAs are now fully subject to all aspects of the HIPAA Security Final Rule and The HITECH Act "teeth" put into the HIPAA Security Final Rule.

This article sets the record straight on a very specific aspect of the HIPAA Security Final Rule - the Data Backup and Disaster Recovery Specifications within the Contingency Plan Standard.  We separate myth from reality about what exactly is required of whom by what dates in order to comply with these Specifications.

Quick Links
Join Our Mailing List
Interested in staying current on HITECH / HIPAA compliance issues? Click the "join our list" link above and receive your own copy of the newsletter on the first business day of each month.

Also, if you are interested in "jumpstarting" your compliance efforts then check out our HITECH / HIPAA Risk Management Webinar Series. If you need to compare EHR software offerings click here and if you need a HITECH compliant data backup checklist click here.

Dear Carlos,

Welcome to the February 2010 HITECH / HIPAA Compliance Newsletter. The featured article this month is entitled: "HHS' Interim 'Meaningful Use' Regulations (Part 2)." This article continues our analysis of HHS's recently issued interim final rules ("IFR") posted on the CFR on January 13, 2010, and now available for public comment.

This month we also have a guest article by Bob Chaput, the CEO of Data Mountain, LLC, which discusses the realities regarding a HIPAA-HITECH compliant data backup and recovery strategy. As in most things related to the HITECH Act, things are not what they seem. If you believe that you are in compliance based on your understanding of the old HIPAA universe then you need to think again.

HITECH / HIPAA Newsletter

The recent historic lawsuit by Connecticut's State Attorney General should serve as a "wake up call" to healthcare industry stakeholders that there is a new sheriff in town. Now that we have your attention, it may be useful to peruse some of the archived copies of the newsletter to better understand why we have been stating all along that the HITECH Act is a game changer.

This is simply not your daddy's healthcare industry any longer. Many providers will resist the changes and choose to hang on to days gone by until they retire, and who can blame them? However, the majority simply will not have that option available to them, and must somehow cope, and thrive, under a new set of rules.

Our focus from the outset has been to provide actionable information to our readers. In short, "news you can use." We call 'em like we see 'em in order to provide value and so that you can find a semblance of order in the ensuing tsunami of change. The first real wave of significant change has yet to hit the beach, although there have been plenty of warning signs that this wave is approaching shore.

HSG Announcements
HITECH Survival Guide

We are now actively promoting what we believe to be the best-of-breed HIPAA compliance tracking system ("CTS") on the market. We performed a significant amount of due diligence over the last couple of years and this is the one solution that is clearly ahead of the pack and economically priced to be within the reach of even the smallest covered entities and business associates. To see a demo of the product click here.

We are also pleased to announce the availability of our Breach Notification Framework. Section 13402 of the HITECH Act requires that HIPAA covered entities and their business associates provide various notifications following a breach of unsecured protected health information. Our Breach Notification Framework offers guidance for complying with HITECH's Breach Notification requirements.

Our EHR Library remains one of our most popular downloads. Here you will find content that will help you select the right EHR package for your practice or facility.
We continue to be excited regarding the marketplace feedback on our Business Associate Agreement: a HITECH Ready Model Contract (Buy Now).

The HIPAA regulations and the HITECH Act mandate that a CE establish a written contract with a BA in a number of instances, including whenever a BA "manages" PHI on behalf of a CE. Our Model Contract includes provisions that meet the requirements of HIPAA/HITECH and is fully annotated with links, where appropriate, to the relevant statutory/regulatory authority that underpins each Contract clause. 

Our Model Business Associate Contract, Roadmaps, and other offerings are now available in the HSG Store.

Finally, HSG is now welcoming advertisers to help support one of the most comprehensive and usable HITECH / HIPAA sites on the Internet. Our audience continues to grow as healthcare providers, both large and small, return to HSG again and again. HSG provides HITECH / HIPAA commentary and the ability to read the full text of the statute and regulations online. For more information regarding advertising with us click here or send an email to info@digitalbusinesslawgroup.com with the subject line of "HSG Advertising Inquiry."

HHS' Interim "Meaningful Use" Regulations (Part 2)
Guest Author: Deborah Leyva, RN, BSN, former IT Director, Informatics RN, and Co-Chair CCHIT Ambulatory Workgroup

About the Guest Author: After 17 years in technology, including various leadership roles, and now as a Registered Nurse, Deborah turns her attention to the use of technology within the healthcare industry. Discussion in this article describes perspectives on the new regulatory changes and does not reflect or represent the views and opinions of the Certification Commission for Health Information Technology (CCHIT). More information on her perspectives and opinions can be found on her blog at www.myhealthtechblog.com

Last month's newsletter covered Health Outcome Policy Priority #1: Improve quality, safety, efficiency, and reduce health disparities and discussed some of the Stage 1 (beginning in 2011) criteria included in IFR 42 CFR Parts 412, 413, 422, and 495 with commentary.

This month's newsletter will continue that theme, providing information and clinical insight into Health Outcome Policy Priorities 2 through 5 and their associated Stage 1 criteria.

Why only Stage 1 criteria? Because you must get to first base before you can go any further. As Walter Elliot once said, "Perseverance is not a long race; it is many short races run one after another."

Most likely, recognition by ONC/HHS and creation of "Adoption/Staging Years" for criteria beginning in 2011 and through 2015 reflects the magnitude of the challenges that lie ahead.  There will be many questions left unanswered before a solution emerges.

As promised, the new rules were posted to the Federal Register on January 13th. The 60-day public comment period begins now. Healthcare is indeed changing and migration from paper to electronic records is a non-trivial and non-linear endeavor.

About Us
We help companies safely and securely do business on the web, in accordance with applicable law. How? By helping them reduce risk. Privacy and security compliance issues are merely a subset of legal issues that online businesses face. This is equally true for eCommerce sites as it is for healthcare providers, facilities, and vendors.

We take a partnering and collaborative approach in our legal practice.
If you would like to see specific topics covered in this newsletter then please let us know.

Contact us today