In the News
OIG continues to announce enforcement actions:
October 15, 2011; U.S. Attorney; Southern District of Indiana
Hogsett Announces Indianapolis Man Charged With Medicaid Fraud
October 14, 2011; U.S. Department of Justice
Montgomery, Alabama, Woman Pleads Guilty to Two Tax Fraud and Identity Theft Conspiracies - Multi-Million Dollar Fraud Schemes Used Stolen Information of Medicaid Recipients
State Enforcement Actions Updated http://go.usa.gov/0XM
October 5, 2011; U.S. Attorney; Southern District of New York
Manhattan U.S. Attorney Recovers $995,000 in Damages in Health Care Fraud Lawsuit against Columbia University and New York Presbyterian Hospital http://go.usa.gov/8Wf
October 5, 2011; U.S. Attorney; Southern District of Indiana
Terre Haute Pharmacist Sentenced For Healthcare Fraud and Money Laundering http://go.usa.gov/8Wf
Massive Data Breach
Despite the fact that the PHI of 4.9 million patients has potentially been compromised, Tricare is apparently not treating this incident as a breach that requires notification because "the risk of harm to patients was judged to be low..."
Products now available in the HSG Store.
We are also pleased to announce our Combo Package which includes:
Save over $100.00 off the retail price.
- Business Associate Agreement: HITECH Ready Model Contract
- Breach Notification Framework
- Breach Notification Policy
- The Security Rule Under HITECH: a Business Associate's Perspective
HIPAA Breach Notification Framework
Our HIPAA Breach Notification Framework walks you through the process of analyzing security incidents to determine what actions you must take to ensure your response complies with the HITECH Breach Notification requirements. The Framework discusses HITECH breach compliance in simple terms and uses twelve flowchart diagrams to help you navigate the process. It also includes tools and templates that help "jump start" your breach notification compliance initiative.
Our HIPAA Breach Notification Policy
This policy implements section 13402 of the HITECH Act, which requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. The policy was derived from our HIPAA Breach Notification Framework and is included as a FREE gift with that product.
Business Associate Agreement: a HITECH Ready Model Contract
Our model Business Associate Agreement includes provisions that meet the requirements of HIPAA/HITECH and is fully annotated with links to the relevant statutory/regulatory authority that underpins each Contract clause. The Contract package also includes a complete "User's Guide," with a clause-by-clause explanation of the issues addressed in the Contract.
The Security Rule Under HITECH: a Business Associate Perspective
The most important step for building a "good SR compliance story" is for the business associate to get started. The approach in The Security Rule Under HITECH is to build the story iteratively over time. Most business associates (large or small) will likely need help in creating the story. The framework discussed throughout this document provides a good road map to follow.
HIPAA Survival Guide Third Edition
The Third Edition of the HIPAA Survival Guide updates various substantive text of the first two editions and adds completely new material. The HITECH Act has indeed proven to be transformational. In order to deal more effectively with its changing regulatory landscape we have decided to release an updated version available here and on Amazon's Kindle platform.
Join Our Mailing List
Interested in staying current on HITECH / HIPAA compliance issues? Click the "join our list" link above and receive your own copy of the newsletter each month.
Welcome to the October 2011 HITECH / HIPAA Compliance Newsletter.
FREE WEBINAR: BREACH NOTIFICATION SIMPLIFIED
Our HITECH Breach Notification Webinar gets you up to speed regarding the 800 pound gorilla of the HITECH Act. We walk you through a methodology for determining when notification is triggered, and how to notify patients, HHS, and prominent media according to applicable law. We also discuss the processes you need to have in place in order to track security incidents effectively in your organization. Finally, we review the Costs of Non-Compliance to ensure that you understand the potential risks your organization faces should a major breach occur.
Date: November 17, 2011.
Time: 2:00 to 3:30 EST.
To register CLICK HERE.
Additional training products now available on the HSG Store.
The featured article this month is entitled HITECH / HIPAA: The Cost of Non-Compliance?
This article explores the cost of HITECH / HIPAA non-compliance to the healthcare industry. It will examine a number of cost factors and suggest strongly that relatively small investments in compliance could produce significant returns. It will also revisit the reasons why healthcare's compliance status quo is no longer sustainable.
Our EHR Library remains one of our most popular downloads. Here you will find content that will help you select the right EHR package for your practice or facility and other useful EHR collateral.
Join the Conversation
The HIPAA Survival Group on LinkedIn continues to be the go to place for meaningful discussion of HITECH / HIPAA issues. You will find many industry thought leaders and insiders sharing their views on the evolving compliance landscape.
Want to stay updated throughout the month? Follow Carlos on Twitter by clicking on the badge below. If you would like to read more regarding the authors' views on HIT and compliance, click here and here and subscribe to their blogs. Become a Fan: follow us on FaceBook by becoming a fan of the guide. Also, be sure to check out our HITECH Videos.
Advertising Opportunities
HSG is now welcoming advertisers to help support one of the most comprehensive and usable HITECH / HIPAA sites on the Internet. Our audience continues to grow as healthcare providers and business associates, both large and small, return to HSG again and again.
HITECH / HIPAA: The Cost of Non-Compliance?
This article explores the cost of HITECH / HIPAA non-compliance to the healthcare industry. It will examine a number of cost factors and suggest strongly that relatively small investments in compliance could produce significant returns. It will also revisit the reasons why healthcare's compliance status quo is no longer sustainable.
What is the cost of a data breach?
According to the Ponemon Institute's fifth annual survey on the cost of data breaches the following salient points emerged (2009 versus 2008):
- Legal defense spending up
- Breaches related to third party organizations most costly
- Cost per customer record breached increased from $202 per record (2008) to $204 per record (2009)
- Average per incident cost $6.7M (2009) as compared to $6.65M (2008)
- Use of encryption increased to 58% from 44%
- Most expensive incident = $31M and least expensive = $750K
Now granted this study did not just focus on healthcare; here are some background facts:
- Forty-five (45) data breach cases reviewed
- Records breached (per incident) ranged from 5K to > 100K (obvious correlation between number of records and costs)
- Study included data from fifteen (15) different industries: financial, retail, healthcare, services, technology, manufacturing, transportation and others...
What are the implications for healthcare?
The real question is what are the implications for the healthcare industry? I am afraid that the answer to this question is "not very good" for a number of reasons including, but not limited to, the following:
- Not clear whether the Ponemon study included costs of fines levied
- As of 8/2011, there have been almost 11.6 million individuals impacted by 300 breaches affecting a minimum of 500 individuals per breach (estimated cost at $204 per record = $23B)
- OCR has acknowledged that from inception of public disclosure in 9/2009 through 5/2011, there have been 31K breaches affecting fewer than 500 individuals per breach (reported to HHS annually)
- The "alleged" TRICare breach impacted 4.9M individuals
The bottom line is that the healthcare industry (taken as a whole, with a few exceptions) is simply in denial when it comes to HITECH / HIPAA compliance. Part of the reason this is the case is that HIPAA (prior to HITECH) was a paper tiger (i.e. "feel good" legislation without teeth).
In theory, HITECH changed all that, but the reality on the ground is that HHS has yet to enforce HITECH in a serious way. That will change. TRICare is not the last multi-million patient breach that we are going to see; far from it. Given the industry status quo, these types of breaches will become routine as more and more providers move to EHRs.
Clearly there are some large covered entities and business associates that are doing an outstanding job of protecting PHI and will no doubt continue to improve their compliance initiatives going forward. They have realized, among other things, that their investment protects their reputation, as well as providing evidence of compliance with applicable law. However, anecdotal evidence suggests that the vast majority of covered entities are not nearly as committed and risk being found in willful neglect if that status quo doesn't change.
3Lions Publishing, Inc. is now the owner/operator of the HIPAA Survival Guide website and the official sponsor of this newsletter. Our mission is to bring you HITECH / HIPAA statutes and regulations in an easy to read and digestible format, products that help reduce the burden of compliance, and "news you can use" via our newsletter.
We take a partnering and collaborative approach to the marketplace. If you would like to see specific topics covered in this newsletter, or additional products, then please let us know.
Carlos Leyva, CEO
3Lions Publishing, Inc.