Why Us?

We know the law and we know the web.

We help companies safely and securely do business on the web.

HIPAA Compliance is a Team Sport:
   Is your team HITECH ready?

  September 2009 Issue No. 2
In This Issue
World Health Care Congress Summit
Compliance Tools and Resources
HITECH/HIPAA and Meaningful Use: Part II
Featured Article
This month's featured article discusses how to build a good compliance story. It will focus on the compliance continuum and describe an iterative road map for moving from no HITECH Act compliance story, to a point on the continuum that allows a provider or facility to make a reasonable good faith argument (i.e. to a government agency and/or a court of law) that they are either in compliance, or have a strong plan in place for meeting the legal requirements of the Act.

It will also discuss in more detail, as an extension of Part I of the series, the key components that underpin why HITECH/HIPAA compliance is a wicked problem, and then shift focus to offering practical guidance for achieving compliance going forward, using meaningful use as an organizing principle.
The World Health Care Congress Leadership Summit on HITECH and HIPAA Compliance Management for Providers

November 9 - 10, 2009
Alexandria, VA
Presenting strategic frameworks for the C-Suite and in-depth, tactical solutions for your IT and operations teams, this must-attend Summit will feature industry experts and key association think-tank leaders presenting solutions on how to expose risk, minimize liability and maintain compliance in an environment of continual "HIT change." Save an extra $200.00 off the current rate with code BFX997 (not applicable on gov't rate). To register, contact us at 800-767-9499.

Why a HIPAA Survival Guide?
The following is a paraphrased version of the introduction to the HIPAA Survival Guide (HSG):

This Survival Guide attempts a "forest from the trees" overview of the HIPAA Privacy and Security rules. The genesis of these rules is covered in the Background section of this document. The HSG only targets a subset of covered entities, namely providers.

Furthermore, the guide focuses mostly on small providers, since this group will clearly be the most challenged by new laws and regulations, especially if their baseline understanding of HIPAA is lacking.

After writing the guide, we (see author bios) decided to launch an online version to make it more accessible to the wider community. The online version has indeed received a fair amount of traction as a reference tool, and we continue to use it ourselves for this very reason.

Quick Links
Join Our Mailing List
Interested in staying current on HITECH / HIPAA compliance issues? Click the join our list link above and receive your own copy of the newsletter on the first business day of each month.

Please feel free to share the newsletter with colleagues that might find the information of use.
Other Resources

Dear Carlos,

Welcome to the September 2009 HITECH/HIPAA Compliance Newsletter. The featured article this month is entitled: "HITECH/HIPAA and Meaningful Use: Part II." It is the second in a series of featured articles over the next few months that will discuss the transformational impact that the HITECH Act is likely to have on HIPAA's regulatory environment.
Compliance with HIPAA's Privacy and Security Rules is now part of HHS's "meaningful use" definition, which as a practical matter means that providers or facilities found to be non-HIPAA compliant may not get paid their electronic health record (EHR) incentives under the HITECH Act.

That, coupled with HITECH's "improved HIPAA enforcement" regime, is likely to transform HIPAA from a paper tiger to legislation that is actively enforced.
We are now actively promoting what we believe to be the best-of-breed HIPAA compliance tracking system ("CTS") on the market. We performed a significant amount of due diligence over the last couple of years, and this is the one solution that is clearly ahead of the pack and economically priced to be within the reach of even the smallest covered entities and business associates. To see a demo of the product click here.

We are also pleased to announce the availability of our Breach Notification Framework. Section 13402 of the HITECH Act requires that HIPAA covered entities and their business associates provide various notifications following a breach of unsecured protected health information. Our Breach Notification Framework offers guidance for complying with HITECH's Breach Notification requirements.

Our EHR Library remains one of our most popular downloads. Here you will find content that will help you select the right EHR package for your practice or facility.
We continue to be excited regarding the marketplace feedback on our Business Associate Agreement: a HITECH Ready Model Contract.

The HIPAA regulations and the HITECH Act mandate that a covered entity (CE) establish a written contract with a business associate (BA) in a number of instances, including whenever a BA "manages" PHI on behalf of a CE. Our Model Contract includes provisions that meet the requirements of HIPAA/HITECH and is fully annotated with links, where appropriate, to the relevant statutory/regulatory authority that underpins each Contract clause.

Our Model Business Associate Contract, Roadmaps, and other offerings are now available in the HSG Store.
HITECH/HIPAA and Meaningful Use: Part II
Compliance Continuum
As a practical matter (i.e. as opposed to a question of law), compliance exists along a continuum; this is the tension that almost always exists between rule and reality. A simple but effective way to illustrate this continuum is the Compliance Continuum diagram above. Obviously, the further along you are on the continuum, the better your "good faith" legal argument becomes, if and when you are required to articulate one.

The diagrams that follow (click on Read More... below) illustrate some of the key concepts that must be incorporated into any HITECH/HIPAA compliance strategy, and moreover, these concepts apply in general to an EHR implementation as well, since under HITECH policy, law and technology are all converging.

EHR & HITECH/HIPAA: Mother of Wicked Problems?

OK, it is not quite like solving world hunger, but for the reasons discussed here, the implementation of an EHR that meets the meaningful use requirements (including full compliance with HITECH/HIPAA) is a non-trivial problem. Old waterfall methodologies are not going to get the job done. Therefore, the healthcare industry will be forced to become agile; a challenge that it may not be quite prepared for.

In essence, the key concepts mostly represent the "soft" aspects of an EHR/compliance strategy, that is, those that have nothing directly to do with law or technology per se, but everything to do with enabling success. As Tom Peters has consistently said: the soft stuff is the hard stuff. In short, while consultants, software vendors, and other gurus come in with grand visions, things often get messy real quick on the ground.

Providers and facilities will gravitate toward legacy methodologies that no longer apply. Solving wicked problems is a different kind of endeavor. The healthcare industry will need to look outside of itself and borrow knowledge and lessons learned from other industries in order to succeed. It took the software industry decades to understand that software development was a wicked problem and that therefore, unlike bridge building, a different set of methodologies was required.

As you review these concepts, keep in mind that they are not presented as light reading, but rather as reference material that you can review as required. These concepts may not seem obvious at first; in fact they are likely to appear quite the opposite. However, the intent is to get readers thinking with an expanded view in mind, in order to more effectively ask relevant questions later. 

There are no "silver bullet" solutions, only some methods that work better than others. No two implementations across providers or facilities will be the same. Why? Because the problem is mostly people and process centric, and by definition these differ across organizations.

Practical HITECH/HIPAA Compliance Guidance Going Forward?

Once you have a basic understanding of the complexity involved, the article shifts focus to offering practical compliance guidance going forward. In short, a methodology will be suggested that hopefully allows organizations to bring order to the chaos, instead of being consumed by it.

By now most of the healthcare industry has heard of EHR disasters; soon there will be stories of HITECH/HIPAA compliance disasters. Technology/compliance disasters occur in all complex initiatives (e.g. eDiscovery, SAP, CRM, etc.) and across all industries. These failures often occur for similar reasons: people and process issues are ignored or poorly managed.

Read More ...

About Us
We help companies safely and securely do business on the web, in accordance with applicable law. How? By helping them reduce risk. Privacy and security compliance issues are merely a subset of legal issues that online businesses face. This is equally true for eCommerce sites as it is for healthcare providers, facilities, and vendors.

We take a partnering and collaborative approach in our legal practice.
If you would like to see specific topics covered in this newsletter then please let us know.

Contact us today