Dear Carlos,
Welcome to our August 2014 HIPAA Compliance Newsletter.
Our article this month is entitled: HIPAA Data Retention: a Common Sense Approach!
This article discusses how a covered entity or business associate can establish a practical HIPAA Data Retention Program ("DRP") that satisfies HIPAA's data retention requirements as well as those that apply to other "Record Types" (e.g. accounting, tax, corporate, employment, etc.). A well-defined DRP not only helps your organization comply with applicable law, it can also dramatically reduce litigation costs when the inevitable lawsuit occurs.
Title: Launching a HIPAA Data Retention Program
Description: This webinar explores HIPAA's data retention requirements and suggests a practical strategy for implementing a data retention program across the wide array of "Record Types" that exist within your organization (e.g. accounting, tax, corporate, employment, etc.).
Date/Time: Thursday, August 21, 2014, 2:00 PM - 3:30 PM EDT
Get this event on your calendar!
Registration
HSG Announcements
Join the Conversation
The HIPAA Survival Group on LinkedIn continues to be the go-to place for meaningful discussion of HITECH / HIPAA issues. You will find many industry thought leaders and insiders sharing their views on the evolving compliance landscape.
Stay Connected
Want to stay updated throughout the month? Follow Carlos on Twitter by clicking on the badge below. If you would like to read more regarding the authors' views on HIT and compliance, click here and here and subscribe to their blogs. Follow us on Facebook by becoming a fan of the HIPAA Survival Guide. Also, be sure to check out our HITECH Videos.
HIPAA Data Retention: a Common Sense Approach!
What's a DRP?
A DRP is a data retention compliance initiative that imposes policies, processes, tracking mechanisms, and a governance model on how long electronic data, including ePHI, is kept before being permanently "purged" from all electronic media. From our perspective a DRP has two primary objectives: (1) it rationalizes your "data space" in order to improve information access times and enhance communications effectiveness; and (2) it helps make your organization litigation ready. Both objectives have a potentially HUGE return on investment, as we will discuss in this article.
HIPAA Data Retention Requirements?
As surprising as this may seem, HIPAA is silent on the subject of how long ePHI must be kept before it is purged. It's true that § 164.530(j)(2) of the Privacy Rule imposes a six-year retention period on HIPAA Privacy Rule documentation. However, this section does NOT speak to how long ePHI must be retained. Further, § 164.316(b)(1) of the Security Rule requires that Security Rule documentation (e.g. "audit logs") be maintained for a period of six years, but again, that is NOT the same thing as a mandated ePHI retention period.
Now, to be clear, HIPAA has a LOT to say about how ePHI should be disposed of once you make the "purge" decision regarding any electronic media. You can review this HHS FAQ for a good summary of these requirements. In "Question 6" HHS addresses the retention question directly.
Although HIPAA is silent, many states, as discussed next, do weigh in on the ePHI retention question, and therefore there are state laws that are directly applicable. Finally, to make matters still more confusing, federal law is NOT completely silent on this subject. For example:
- CMS requires records of providers submitting cost reports to be retained in their original or legally reproduced form for a period of at least 5 years after the closure of the cost report. This requirement is found at 42 CFR 482.24(b)(1).
- CMS requires Medicare managed care program providers to retain records for 10 years. This requirement is found at 42 CFR 422.504(d)(2)(iii).
About Us
3Lions Publishing, Inc. is now the owner/operator of the HIPAA Survival Guide website and the official sponsor of this newsletter. Our mission is to bring you HITECH / HIPAA statutes and regulations in an easy-to-read and digestible format, products that help reduce the burden of compliance, and "news you can use" via our newsletter.
We take a partnering and collaborative approach to the marketplace. If you would like to see specific topics covered in this newsletter, or additional products, then please let us know.
Carlos Leyva, CEO 3Lions Publishing, Inc.
(800) 516-7903