Why Us?

We know the law and we know the web.

We help companies safely and securely do business on the web.

HIPAA Compliance is a Team Sport:  Is your team HITECH ready?

 January 2010 Issue No. 6
In This Issue
HHS' Interim "Meaningful Use" Regulations
The Compliance Crisis: Top Five Strategies Guaranteed to Fail
Featured Article
This month's featured article is entitled "The Compliance Crisis: Top Five Strategies Guaranteed to Fail." The focus of our newsletter has been primarily on providing a better understanding of the HITECH / HIPAA requirements and on providing insights into strategies that will help providers and facilities meet the objectives of the new regulations.  

However, it is often just as useful to examine the status quo and to analyze why existing strategies will no longer work in this new regulatory environment, perhaps more so. Why? Because given the cultural changes required to implement the new strategies, including an arguably radically different way of thinking about compliance, the status quo will be the default strategy for most organizations.

Last month's featured article discussed analytical frameworks and how they can be used to attack wicked problems. This was a "look ahead" discussion. It was premised on the fact that fundamental change will occur and on how it can be dealt with. This month's article presents the flip side of the coin. It assumes that organizations will initially resist any change to the status quo and discusses why this approach will fail miserably in the new environment.

The somewhat tongue-in-cheek tone is purposely intended to lighten up an otherwise quite serious topic. The electronic world that we all now inhabit simply cannot tolerate the antiquated privacy and security practices that were designed for a technological ecosystem that is now over twenty years old. In short, these old practices will implode in the new 24/7 "always on" healthcare environment of the 21st century. The change required is not unlike the privacy and security transformation that the banking industry was forced to undergo in order to remain competitive.
HITECH / HIPAA Newsletter
HHS' Interim "Meaningful Use" Regulations
Guest Author: Deborah Leyva, RN, BSN, former IT Director, Informatics RN, and Co-Chair CCHIT Ambulatory Workgroup

About the Guest Author: After 17 years in technology, including various leadership roles, and now as a Registered Nurse, Deborah turns her attention to the use of technology within the healthcare industry.

Deborah says: "Healthcare is, and remains, one of the most pressing challenges facing our nation (and the world) in the 21st century. Almost any discussion related to improving healthcare, whether it implicates reducing costs or improving patient safety and satisfaction, usually has technology as a core component.

Technology, in and of itself, will not solve the problems, but when used appropriately will contribute to the transformation of healthcare, as it has in many other industries. However, in healthcare, the technology options appear even more complex and the number of vendors daunting. The recently published Interim Rules provide guidance on the forthcoming final regulations, although compliance will remain a complex task for healthcare organizations. These are the critical challenges that confront us."  More information on her perspectives and opinions can be found on her blog at

Discussion in this article describes Deborah's personal perspectives on the interim regulatory changes and does not reflect or represent the views and opinions of the Certification Commission for Healthcare Information Technology (CCHIT).

On December 30th, ONC and HHS announced two interim rules related to the HITECH Act and Meaningful Use Criteria for participation in the EHR Incentive Program. The rules relate to:

1) Medicare and Medicaid Programs; Electronic Health Record Incentive Program,

2) Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology

The purpose of this article is to provide insight regarding differences between the Meaningful Use Criteria published in 2009 and the interim regulations related to criteria, published December 30th. Since there are over five hundred pages of regulations and commentary, each Policy Priority will be covered in a series of articles spanning several issues of the newsletter. This article begins with a discussion of the changes made by ONC and HHS for the first Policy Priority specified by the HIT Policy Committee and covers specifications for Stage I - 2011 Meaningful Use criteria.

Dear Carlos,

Welcome to the January 2010 HITECH / HIPAA Compliance Newsletter. The featured article this month is entitled: "The Compliance Crisis: Top Five Strategies Guaranteed to Fail." These are intended to be somewhat tongue-in-cheek, but nevertheless address legitimate issues.

The past year brought an extraordinary amount of focus on the healthcare industry, mostly in the form of discussions regarding the changing healthcare landscape, from Health 2.0 to the HITECH Act. Recent issues of the newsletter have focused attention on viable strategies for moving forward under HITECH. This month we focus directly on strategies to avoid, including:


  1. The "Ostrich" Strategy
  2. The "Our Staff's On Top of It" Strategy
  3. The "Members of Our Legal Team are Compliance Experts" Strategy
  4. The "Not Invented Here--Healthcare is So Different" Strategy
  5. The "Docs Know Best" Strategy

This year promises to deliver actual changes in the "ground game," which will prove exciting for some and frustrating (understatement) for others. Change is never easy. However, change at this scale and scope will be downright daunting. The only constant going forward will be change.

This is simply not your daddy's healthcare industry any longer. Many providers will resist the changes and choose to hang on to days gone by until they retire, and who can blame them? However, the majority simply will not have that option available to them, and must somehow cope, and thrive, under a new set of rules.

Our focus from the outset has been to provide actionable information to our readers. In short, "news you can use." We call 'em like we see 'em in order to provide you value and so that you can find a semblance of order in the ensuing tsunami of change. The first real wave of significant change has yet to hit the beach, although there have been plenty of warning signs that this wave is approaching shore.

The featured articles in the next few issues will focus on dissecting HHS' recently issued Rules regarding health information technology standards and meaningful use, both of which are now available for public comment over the next sixty days.

HSG Announcements

We are now actively promoting what we believe to be the best-of-breed HIPAA compliance tracking system ("CTS") on the market. We performed a significant amount of due diligence over the last couple of years, and this is the one solution that is clearly ahead of the pack and economically priced to be within the reach of even the smallest covered entities and business associates. To see a demo of the product click here.

We are also pleased to announce the availability of our Breach Notification Framework. Section 13402 of the HITECH Act requires that HIPAA covered entities and their business associates provide various notifications following a breach of unsecured protected health information. Our Breach Notification Framework offers guidance for complying with HITECH's Breach Notification requirements.

Our EHR Library remains one of our most popular downloads. Here you will find content that will help you select the right EHR package for your practice or facility.
We continue to be excited regarding the marketplace feedback on our Business Associate Agreement: a HITECH Ready Model Contract.

The HIPAA regulations and the HITECH Act mandate that a CE establish a written contract with a BA in a number of instances, including whenever a BA "manages" PHI on behalf of a CE. Our Model Contract includes provisions that meet the requirements of HIPAA/HITECH and is fully annotated with links, where appropriate, to the relevant statutory/regulatory authority that underpins each Contract clause. 

Our Model Business Associate Contract, Roadmaps, and other offerings are now available in the HSG Store.

Finally, HSG is now welcoming advertisers to help support one of the most comprehensive and usable HITECH / HIPAA sites on the Internet. Our audience continues to grow as healthcare providers, both large and small, return to HSG again and again. HSG provides HITECH / HIPAA commentary and the ability to read the full text of the statute and regulations online. For more information regarding advertising with us click here or send an email to info@digitalbusinesslawgroup.com with the subject line of "HSG Advertising Inquiry."

The Compliance Crisis: Top Five Strategies Guaranteed to Fail

This article will look at five compliance strategies that are guaranteed to fail going forward: (1) ostrich; (2) our staff's on top of it; (3) members of our legal team are compliance experts; (4) not invented here--healthcare is so different; and (5) the docs know best. Why are these the "Top Five?" Because they are the five that we hear most when we interact with the marketplace. They are indicative of why the healthcare industry, from the inside, has woefully failed to grasp the forces that are shaping it from the outside.

There is good reason for this. First of all, the healthcare industry, as a whole, is the most insular industry in the U.S. economy; even the legal industry is no match for it with respect to insularity. Second of all, there are powerful forces within the healthcare industry that have invested hundreds of millions, if not billions, of dollars to ensure that the status quo remains undisturbed.

Why? The answer to this is obvious even to lay students of economics: the incumbents are protecting the last of the U.S. monopolies (OK, the more precise economic term of art may be oligopoly, but for certain parts of the country monopoly is a better approximation of the ground game). This is not a question of what politics you choose to favor, simply what we believe to be an accurate reading of the economic circumstances as they exist in fact.

So what? The "so what" is that the long-called-for change to the industry is coming like a freight train in the night, and the U.S. government is an important, but ultimately not the most significant, player in this drama. The freight train is globalization. The momentum for change already has so much traction that it will not be denied. Sure, no one's crystal ball is good enough to predict, with any degree of certainty, who will be the winners and losers, but the fact that disruptive change is coming simply cannot be ignored. If you want proof then just follow the money. Some of the biggest technology and consulting companies are gearing up to benefit from, and in many cases actually drive, the disruption.

What does any of this have to do with compliance? To get our view on that you will have to explore the rest of this article.

1. Ostrich Strategy
Back in the good ol' days when HIPAA was a paper tiger this was actually a viable, if not recommended, approach. I know well-respected consultants in the healthcare space who publicly advocated this strategy. The strategy was essentially as follows: do the bare minimum possible by drafting some documents (e.g. privacy notification), posting the necessary and/or recommended notices in clear sight, getting patients to sign on the dotted line, providing minimalist staff training, and not much else.

This strategy made business sense at the time because everyone knew that HIPAA, by and large, was one of those "feel good" pieces of legislation that was much talked about, but almost never enforced, at least not with respect to a large and statistically significant (understatement) number of providers. Sure, there were some ANSI Standard administrative transactions to comply with, but there were relatively inexpensive solutions that met the need. This was the HIPAA everyone came to "know and love," despite the hue and outcry that big government was imposing itself on an industry that did not need (or want) this kind of regulatory oversight.


About Us
We help companies safely and securely do business on the web, in accordance with applicable law. How? By helping them reduce risk. Privacy and security compliance issues are merely a subset of legal issues that online businesses face. This is equally true for eCommerce sites as it is for healthcare providers, facilities, and vendors.

We take a partnering and collaborative approach in our legal practice.
If you would like to see specific topics covered in this newsletter then please let us know.