Why Us?

We know the law and we know the web.

We help companies safely and securely do business on the web.

HITECH Act Compliance is a Team Sport:  Is your team HITECH ready?

 Second Quarter 2011 Issue No. 17
In This Issue
Products now available in the HSG Store
Must Have Features in a Compliance Tracking System
In the News

HITECH / HIPAA Final Rules on the Horizon: Bob Coffield provides a summary of the pending final rules that are due to come out "soon."  These rules, based on the NPRM that came out in July 2010 and the Interim Final Rule on Breach Notification, are long overdue. 


Although HHS appeared to be aggressively meeting its dates after the initial enactment of the HITECH Act, progress of late has been SLOW. This caused some speculation as to how serious HHS would be in its enforcement efforts, despite some high profile fines levied against some big names. 


With all the privacy activity going on of late, including the introduction of a new privacy bill and the grilling of Apple and Google on the Hill, it appears that privacy is alive and well in the USA and is one of those consumer issues that refuses to go away. Our expectation all along was that the HITECH Act would be a game changer. We will soon see to what degree HHS lives up to this promise.


In other privacy news, the FTC has recently gone after Google for botching its Buzz release and has imposed an onerous settlement agreement. This follows not long after the FTC reached a settlement agreement with Twitter for failure to safeguard personal information.


Our reading of these "tea leaves" taken as a whole is that covered entities and business associates should expect and prepare for aggressive HITECH / HIPAA enforcement. It is likely that the healthcare free pass on privacy and security is largely a thing of the past.

Products now available in the HSG Store
HITECH Breach Notification Framework 

Our Framework walks you through the process of analyzing security incidents to determine what actions you must take to ensure your response complies with the HITECH Breach Notification requirements. The Framework discusses HITECH breach compliance in simple terms and uses twelve flowchart diagrams to help you navigate the process.




Business Associate Agreement: a HITECH Ready Model Contract

Our Model Contract includes provisions that meet the requirements of HIPAA/HITECH and is fully annotated with links, where appropriate, to the relevant statutory/regulatory authority that underpins each Contract clause.

The Contract package also includes a complete "User's Guide," with a clause-by-clause explanation of the issues addressed in the Contract. It can be used, with minor modifications, out-of-the-box, or as an educational tool to draft a customized version.


The Security Rule Under HITECH: a Business Associate Perspective, First Edition

The most important step for building a "good SR compliance story" is for the business associate to get started. The approach recommended herein is to build the story iteratively over time. Most business associates (large or small) will likely need help in creating the story. The framework discussed throughout this document provides a good road map to follow.


HIPAA Survival Guide Third Edition

The Third Edition of the HIPAA Survival Guide updates various substantive text of the first two editions and adds completely new material. The HITECH Act has indeed proven to be transformational. In order to deal more effectively with its changing regulatory landscape we have decided to release an updated version available here and on Amazon's Kindle platform.


Quick Links
Join Our Mailing List
Interested in staying current on HITECH / HIPAA compliance issues? Click the "join our list" link above and receive your own copy of the newsletter each month.

Dear Carlos,

Welcome to the Second Quarter 2011 HITECH / HIPAA Compliance Newsletter. The featured article this quarter is entitled Must Have Features in a HITECH / HIPAA Compliance Tracking System. This article addresses baseline features and functionality required to ensure that your organization can provide visible demonstrable evidence that it is committed to meeting its compliance obligations. This article provides an overview of our recommended best of breed HIPAA compliance tracking system. In subsequent articles we will discuss the baseline components in greater detail.

HITECH / HIPAA Newsletter 


HSG Announcements

We are now actively promoting what we believe to be the best of breed HIPAA compliance tracking system ("CTS") on the market. We performed a significant amount of due diligence over the last couple of years and this is the one solution that is clearly ahead of the pack and economically priced to be within the reach of even the smallest covered entities and business associates. To see a demo of the product click here.

We are also pleased to announce the availability of our Breach Notification Framework. Section 13402 of the HITECH Act requires that HIPAA covered entities and their business associates provide various notifications following a breach of unsecured protected health information. Our Breach Notification Framework offers guidance for complying with HITECH's Breach Notification requirements.

Our EHR Library remains one of our most popular downloads. Here you will find content that will help you select the right EHR package for your practice or facility.
Contract Drafting
We continue to be excited about the marketplace feedback of our Business Associate Agreement: a HITECH Ready Model Contract (Buy Now).

The HIPAA regulations and the HITECH Act mandate that a covered entity establish a written contract with a business associate in a number of instances, including whenever a business associate "manages" PHI on behalf of a covered entity. Our Model Contract includes provisions that meet the requirements of HIPAA/HITECH and is fully annotated with links, where appropriate, to the relevant statutory/regulatory authority that underpins each Contract clause.

Our Model Business Associate Contract, Roadmaps, and other offerings are now available in the HSG Store.

Stay Connected
Want to stay updated throughout the month? Follow Debbie on Twitter by clicking on the badge below.  If you would like to read more regarding the authors' views on HIT and compliance click here and here and subscribe to their blogs.  

Become a Fan
Follow us on Facebook by becoming a fan of the guide and support the HSG by purchasing some HSG Wearables. Also, be sure to check out our HITECH Videos.

Advertising Opportunities
HSG is now welcoming advertisers to help support one of the most comprehensive and usable HITECH / HIPAA sites on the Internet. Our audience continues to grow as healthcare providers, both large and small, return to HSG again and again.

Must Have Features in a HITECH / HIPAA Compliance Tracking System
This article describes the kinds of features and functionality that an organization should seek in a HIPAA compliance tracking system ("CTS") in order to be able to show visible demonstrable evidence that it is serious about meeting its HITECH / HIPAA compliance obligations.

We have often written about the concept that compliance is a process and that simply having policies and procedures in place, although necessary, is woefully insufficient with respect to demonstrating process due diligence over time. In short, in addition to providing assistance in the creation and management of policies and procedures, a CTS should also allow an organization to manage its compliance processes and to demonstrate evidence that it is doing so. 


Historically, the kind of system that we describe in this article has either been home grown or purchased and implemented at a cost only affordable to large covered entities and business associates. Mid-size organizations have, out of economic necessity, simply done without. In a world prior to the enactment of the HITECH Act, where HIPAA enforcement was lax to non-existent, lack of a CTS did not pose the kind of potential risks that it does today (i.e. given HITECH's enhanced enforcement tools and corresponding penalties). 

Further, the evolution and maturation of software-as-a-service ("SaaS") has made it possible for software vendors to offer feature rich applications at a price point accessible to all. The following are what we believe to be the must have features of any CTS by category:


A CTS should allow you to manage and track all the compliance information for a given patient in a centralized and readily accessible manner, including: restrictions, authorizations, disclosures, incidents, legal representative and other documentation necessary to comply with HITECH / HIPAA. The move to electronic health records, and the momentum gathering around the empowered patient, will make it far more likely that patients and other stakeholders will request access to such information. Covered entities and business associates must be positioned to respond accordingly.

Business Associates

HITECH has dramatically increased the number of "cooks in the compliance kitchen" by making business associates ("BA") directly liable for compliance with HIPAA's Privacy and Security Rules either by statute or contractually, in addition to  HITECH's breach notification rule. A CTS should allow a covered entity ("CE") to perform due diligence on a BA's compliance initiative via questionnaires and other tools, as well as manage and track the contractual arrangement between the parties. Further, a CTS should allow a CE to manage and track security incidents that have occurred wherein a CE's protected health information ("PHI") is under BA control. 



About Us
3Lions Publishing, Inc. is now the owner/operator of the HIPAA Survival Guide website and the official sponsor of this newsletter. Our mission is to bring you HITECH / HIPAA statutes and regulations in an easy to read and digestible format, products that help reduce the burden of compliance, and "news you can use" via our newsletter.

We take a partnering and collaborative approach to the marketplace. If you would like to see specific topics covered in this newsletter, or additional products, then please let us know.

Carlos Leyva, CEO
3Lions Publishing, Inc.

