Why Us?

We know the law and we know the web.

We help companies safely and securely do business on the web.

HIPAA Compliance is a Team Sport:  Is your team HITECH ready?

 November 2009 Issue No. 4
In This Issue
World Health Care Congress Summit
Deciphering the Safe Harbor on Breach Notification
HITECH/HIPAA and Meaningful Use Part IV
Featured Article
This month's featured article wraps up our initial coverage of the HIPAA Security Rule ("SR"). A framework approach by which the SR can be "attacked" by providers of all sizes is discussed. Let's be clear, a framework is not a cookbook solution, those do not exist for wicked problems, but rather, its a kind of map of the territory. Going forward, we will be laser focused on developing various frameworks for meeting the challenges of the HITECH Act, and its transformational impact on the HIPAA Regulations. These frameworks are intended to move an organization forward on the compliance continuum.

Additional more in depth coverage of our proposed frameworks will be covered in our HITECH Risk Management Webinar Series.
The World Health Care Congress Leadership Summit on HITECH and HIPAA Compliance Management for Providers

November 9 - 10, 2009
Alexandria, VA
Presenting strategic frameworks for the C-Suite and in-depth, tactical solutions for your IT and operations teams, this must attend Summit will feature industry experts and key association think-tank leaders presenting solutions on how to expose risk, minimize liability and maintain compliance in an environment of continual "HIT change." Save an extra $200.00 off the current rate with code BFX997 (not applicable on gov't rate). To register, contact us at 800-767-9499.

SpiderwebDeciphering the Safe Harbor on Breach Notification
Healthcare organizations planning to protect themselves from breach notification should implement data encryption in their organizations. Data encryption is the only technology recognized by the federal government and many states as a way of making data unusable, unreadable, or indecipherable to unauthorized individuals.

Data encryption is often considered a complex technology that is difficult to implement. However, modern software has made encryption easier to deploy and manage. One of the most important factors that should be used in selecting an encryption solution is the availability of a centralized management console for managing the encryption platform. Encryption platforms take into account many points of data protection such as disk encryption, e-mail, file folder, database, etc. Managing encryption software centrally is the key to a successful deployment and management of the encryption solution. The ability to make changes to settings and policies and view log files from a central location is also very important.

There are two types of encryption methods - symmetric (also called secret key) and public key cryptography (PKI).  Symmetric encryption methods are dependent on a passwords or passphrases to encrypt and decrypt data. PKI methods depend on a key pair - a public key and private key to encrypt and decrypt data. Both symmetric and PKI methods could have a place in your encryption deployment strategy.
Care must be taken to ensure that data can be decrypted by management in case an employee leaves, is terminated, or in case of litigation. It is possible to purchase inexpensive, off the shelf software to encrypt files or even hard drives. However, without a way for management to decrypt data you may be putting your organization's critical data at risk of never being recovered.  Allowing the use of encryption software that does not have encryption recovery features is strongly discouraged.


Quick Links
Join Our Mailing List
Interested in staying current on HITECH / HIPAA compliance issues? Click the join our list link above and receive your own copy of the newsletter on the first business day of each month.
Other Resources

DBLG Logo White
Dear Carlos,

Welcome to the November 2009 HITECH/HIPAA Compliance Newsletter. The featured article this month is entitled: "HITECH/HIPAA and Meaningful Use Part IV: Attacking the HIPAA Security Rule (Hug the Monster: Redux). It is the fourth in a series of featured articles over the next few months that will discuss the transformational impact that the HITECH Act is likely to have on HIPAA's regulatory environment.

The October Issue started our in depth review of the HIPAA Security Rule. This month's issue completes our Security Rule analysis by reviewing risk management under the Administrative Safeguards and wraps up our review by looking at the Physical Safeguards. This month also features a guest article by Alex Zaltsman, CEO of Experior Data Security and Encryption.

Alex's article discusses (and courageously attempts to clarify) the often confusing topic of "data states" and the varying security approaches that apply to: 1) data at rest; 2) data in motion; 3) data in use; and 4) data disposed. It is entitled "Deciphering the Safe Harbor on Breach Notification."  A robust data encryption strategy and implementation is imperative for organizations that want to prevent (more likely significantly mitigate) security incidents that trigger notification. A breach notification analytical framework will be discussed in a future issue, once we have covered the basics of the HIPAA's Security and Privacy Rules.

Our focus from the outset has been to provide actionable information to our readers. In short, "news you can use." To complement our newsletter and provide more in depth coverage of our compliance frameworks, we are launching a HITECH Risk Management Webinar Series starting in January 2010 (register here for our first webinar January 27, 2010 at 3:00 EST).

Our newsletter will provide an introduction to each framework with more in depth coverage, tools and templates provided via our Webinars.


We are now actively promoting what we believe to be is the best of breed HIPAA compliance tracking system ("CTS") on the market. We performed a significant amount of due diligence over the last couple of years and this is the one solution that is clearly ahead of the pack and economically priced to be within the reach of even the smallest covered entities and business associates. To see a demo of the product click here.

We are also pleased to announce the availability of our Breach Notification Framework. Section 13402 of the HITECH Act requires that HIPAA covered entities and their business associates provide various notifications following a breach of unsecured protected health information. Our Breach Notification Framework offers guidance for complying with HITECH's Breach Notification requirements.

Our EHR Library remains one of our most popular downloads. Here you will find content that will help you select the right EHR package for your practice or facility.
Contract DraftingWe continue to be excited regarding the marketplace feedback of our Business Associate Agreement: a HITECH Ready Model Contract (Buy Now). 

The HIPAA regulations and the HITECH Act mandate that a CE establish a written contract with a BA in a number of instances, including whenever a BA "manages" PHI on behalf of a CE. Our Model Contract includes provisions that meet the requirements of HIPAA/HITECH and is fully annotated with links, where appropriate, to the relevant statutory/regulatory authority that underpins each Contract clause. 

Our Model Business Associate Contract, Roadmaps, and other offeringsare now available in the HSG Store.

HITECH / HIPAA Newsletter

If you would like to follow the authors' blogs click here and here. Also, if you plan to attend the conference we would enjoy meeting you. Please stop by after our presentation and say hello.
HITECH/HIPAA and Meaningful Use Part IV: Attacking the HIPAA Security Rule (Hug the Monster: Redux)
Compliance Continuum
The HIPAA Security Rule is all about implementing effective risk management to adequately and effectively protect ePHI. The assessment, analysis, and management of risk provides the foundation of a covered entity's Security Rule compliance efforts. A comprehensive risk management approach provides the tools necessary to develop and maintain a covered entity's strategy; one that protects the confidentiality, integrity, and availability of ePHI. One of our guiding principles for an SR implementation is that "you can't manage what you don't measure and account for."

All ePHI created, received, maintained, or transmitted by a covered entity is subject to the Security Rule ("SR"). Covered entities are required to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or vulnerabilities to the security of ePHI. Under the Security Rule, covered entities are required to evaluate risks and vulnerabilities in their environments and to implement security controls to address those risks and vulnerabilities.

HITECH / HIPAA Newsletter

Implementing an effective risk management strategy for the SR requires the development of methodical and repeatable processes. These processes must implement the necessary safeguards and likewise implement a robust set of monitoring mechanisms that measure effectiveness. 

More generally, a risk-based approach to security control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations (see the following National Institute of Standards and Technology (NIST) document: Implementing the HIPAA Security Rule page 10).

The NIST SR Implementation document recommends the following six step framework for controlling risks to ePHI:

Step 1: Categorize Information Systems (FIPS 199 / SP 800-60)
Step 2: Select Security Controls (FIPS 200 / SP 800-53)
Step 3: Implement Security Controls (SP 800-70)
Step 4: Assess Security Controls (SP 800-53A)
Step 5: Authorize  Information Systems  (SP 800-37)
Step 6: Monitor Security State  (SP 800-37 / SP 800-53A )

The other NIST documents referenced in the framework steps can be found here and here. Arguably, the most important step in the framework, and in any SR risk management strategy, is step 1. You simply cannot make much progress without having an inventory (and a categorization of the inventory) regarding information assets that either contain or access ePHI. The creation and maintenance of said inventory is key, not only to a successful SR implementation, but to ensuring that ePHI is secured over time. Whether or not your organization has a current inventory of its ePHI information assets is likely to be a baseline HHS audit point. Lack of one could readily lead to a finding of "willful neglect."

Read More ...

About Us
We help companies safely and securely do business on the web, in accordance with applicable law. How? By helping them reduce risk. Privacy and security compliance issues are merely a subset of legal issues that online businesses face. This is equally true for eCommerce sites as it is for healthcare providers, facilities, and vendors.

We take a partnering and collaborative approach in our legal practice.
If you would like to see specific topics covered in this newsletter then please let us know.

Contact us today