This page contains an archive of 3Lions Publishing Inc.'s monthly HIPAA Compliance Newsletters and important Announcements! Each month's issue will contain a "Quick Link" to this page so that readers can easily find the content they may want to reference. This also allows new subscribers to go back and get caught up on topics previously covered. The current issue of the newsletter is not available here until after the month in which it was issued. To get the current version you can subscribe to our FREE HITECH / HIPAA Compliance Newsletter here.
Our article this month is entitled: Selecting a Compliance Vendor: Why 360 Degree Support Matters
Our article this month is entitled: The Challenge of Dealing with Multiple Compliance Regimes
Our article this month is entitled: HIPAA: A Decade from the HITECH Act
Our article this month is entitled: Information Governance
Information Governance ("IG") will continue to rapidly evolve as a discipline, although admittedly currently an ill-defined one, for the next fifty (50) years or so. We are drowning in our inability to manage information and the signs are everywhere we look; especially in the daily breaches that we all seem to have become jaded to. The regulatory authorities in the U.S. have the resources, at least with respect to HIPAA (i.e. because HIPAA CMPs purportedly end up in HHS' coffers for more enforcement) but appear to lack the will or the know-how to dramatically impact the compliance chaos that remains a decade on from the HITECH Act.
Our article this month is entitled: Business in the EU: The 10 Step GDPR Implementation Plan
The objective of this article is to explain GDPR Compliance in simple terms, and provide you with guidelines and tools for implementing, refining and measuring policies and procedures. The GDPR is even more vague and descriptive than HIPAA. Although HIPAA does not provide covered entities and business associates "how to" guidance, it does a good job of describing the "what" at a reasonable level of detail. You're out of luck with the GDPR. Lawyers have to extrapolate best practices by reading "between the lines," because what is there is written at such a high level that it will drive lawyers, consultants, compliance officers and laypersons nuts trying to decipher it.
Our article this month is entitled: You Have Performed a Risk Analysis-That's Nice!
An entire cottage industry and ecosystem has quickly emerged to provide risk analysis ("RA") services to covered entities ("CE") and business associates ("BA"). Sometimes this takes the form of just software, other times it is software plus professional services, and sometimes it is pure professional services. Price points for these services vary widely, from approximately $2,500.00 to $30,000.00 USD. RAs are so foundational to a HIPAA Security Rule ("SR") implementation that not having one likely places a CE or BA in willful neglect. No organization wants to be in willful neglect land because that's where the penalties start at $50K per identical violation. So, the emphasis on RAs is justified. Full stop!
Our article this month is entitled: Breaches Happen: the Tsunami's Largest Waves Await!
We tend not to notice, or are unwilling to notice, threats that rise gradually, which results in an inability to react until it's too late. The healthcare frog has been boiling since the HITECH Act was promulgated in 2009. There have been hundreds of high profile breaches and thousands more that don't make front-page news. Yet it is clear that the industry has failed to take any significant action en masse. The prevailing feeling appears to be "breaches are things that happen somewhere else." Privacy and security are simply not top of mind for clinicians. Nursing schools and medical schools barely teach students enough to allow them to spell HIPAA (mostly) but not much more. The water keeps getting hotter, but the frog remains mostly oblivious. As we all know, this story does not end well for the frog. One day something really bad, but otherwise utterly preventable, happens. This fails to move the needle for the practice next door. In that practice another frog is starting to boil.
Our article this month is entitled: Breach Notification: STILL the 800 LB Gorilla!
This month's article uses the metaphor from The Fifth Discipline, a book written by Professor Peter Senge circa 1990, to describe the systems approach required if organizations want to change their compliance DNA. Senge's book contemplates what's required for a "learning organization." This article contemplates what 21st century compliance DNA looks like and why it matters that "systems thinking" underpins all compliance initiatives. First, we address what Senge calls the "learning disabilities."
Our article this month is entitled: Breach Response Plan Key Components (Cont.)
This is Part 2 of a 2-Part Article. Part 1 is located here. In this Part we provide a high-level introduction to each team's responsibilities during a Breach Response. Remember, in any Breach Response you are working with a team of teams. Also, recall why we believe a tech savvy law firm ("TSLF") should function as the general manager ("GM") of this team of teams. We will expand on this proposition herein as well. We have inserted the Definitions section below, as it should prove useful once again for the topics covered in this 2-Part Article.
Our article this month is entitled: Breach Response Plan Key Components
This breach response article is designed to help stakeholders (i.e. organizations of all sizes experiencing a breach) understand the requirements of various federal, state and private regulatory regimes. HIPAA is simply one example. After WannaCry and Petya organizations are starting to realize that it's not a question of "if" they will experience an attack that leads to a breach but simply "when."
Our article this month is entitled: Comparing HIPAA and PCIDSS Compliance?
This article compares the HIPAA and PCIDSS compliance regimes. Although as discussed herein there are indeed technical similarities between the two, analogous to the functional similarities between the HIPAA Security Rule controls (i.e. implementation specifications) and the CSC Controls, the two are fundamentally unique and distinct compliance regimes controlled by different kinds of law.
Our article this month is entitled: HIPAA Security is Cybersecurity (sort of)!
This article argues that there has never been any meaningful distinction between CyberSecurity and HIPAA Security from a technical perspective; however, from a legal perspective, each regulatory regime must be treated as a unique and distinctive set of regulations. The WannaCry attack made the technical argument painfully obvious and became a "clarion call."
Our article this month is entitled: WannaCry - PostMortem Lessons Learned
Our article this month is entitled: Culture of Compliance: The Importance of Methodology
Our article this month is entitled: HIPAA OCR Enforcement under Trump?
The entire premise of this article is that HIPAA and Cybersecurity ("CS") are one and the same. The reason we believe this premise is true will be elaborated upon during the remainder of this article but the foundation rests upon the fact that the HIPAA Privacy Rule ("PR"), Security Rule ("SR"), and Breach Notification Rules ("BNR") (collectively "the Rules" or "Rules") are foundational components of CS. Through force of law only covered entities and business associates are required to comply with the Rules. However, either through new law, or vis-à-vis industry enforced compliance regimes, something akin to the Rules will be required of every significant industry you can think of.
Our article this month is entitled: Showing HHS Visible, Demonstrable, Evidence to HHS.
This article will address the kinds of visible, demonstrable, evidence ("VDE") that your organization should be prepared to show HHS during an audit. It will also discuss what a business associate ("BA") should be prepared to show a covered entity ("CE") when the former is asked by the latter to show proof of compliance. Of course, as you might expect, there is potentially a significant overlap between what a stakeholder might show HHS or a CE (respectively "Requestor"). However, what is shown to a Requestor could also vary widely as discussed herein.
Our article this month is entitled: Reviewing "Audit Controls" under the Security Rule.
In January 2017 HHS issued guidance regarding "Audit Controls" under the Security Rule ("SR") by stating, among other things, the following: "[c]overed Entities and Business Associates should make sure that they appropriately review and secure audit trails, and they use the proper tools to collect, monitor, and review audit trails." HHS specifically references one of the Technical Safeguards, specifically §164.312(b). However, curiously (or maybe not depending on your perspective) the latter is a SR "Standard" that has NO implementation specification associated with it. In short, you are even more on your own than usual when it comes to interpreting how you should comply with this requirement.
Our article this month is entitled: A Compliance Manifesto.
We have educated thousands of stakeholders pursuant to the HIPAA Rules through our monthly webinars and newsletters during the past seven years. We intend to educate many thousands more in the years to come. During that time our own understanding of the Rules has also increased dramatically from our interaction with the marketplace. Through this collaborative effort a great many insights have been added to the HIPAA lexicon. These insights and lessons learned apply not only to HIPAA but to any compliance regime you can think of. Therefore, the Manifesto provided herein should have wide applicability across industries and subject matter domains.
Our article this month is entitled: Exploring HIPAA Phishing Schemes.
You may think that mostly uneducated and unsophisticated users of information technology fall into these traps, but you would be wrong. For example, thousands of lawyers are targeted every day with emails from Asia purporting to have some contractual business that they require legal assistance with. If you are a hungry lawyer (and given the disruption that is occurring in the legal industry there are LOTS of them) then your own pecuniary interest blinds you to the fact that business people generally do not randomly select a lawyer from the Internet (the odds of that being legitimate approximate the odds of winning the lotto).
Our article this month is entitled: Selecting Risk Assessment Software.
Risk Assessment ("RA") software is a type of "process ware" that should encompass an industry standard methodology for conducting RAs. In the healthcare space there is no de jure standard for conducting a Risk Assessment; however, a de facto standard has emerged in the form of NIST SP800-30 Rev.1 ("Standard"). NIST is the federal government agency responsible for providing cybersecurity advice to all U.S. government agencies, and what NIST recommends is the aforementioned Standard. With respect to HIPAA, this Standard is only a recommendation. Covered entities ("CEs") and business associates ("BAs") are free to choose their own methodologies for achieving the same objective. However, it would be both misleading and misguided to suggest that CEs and BAs may select any arbitrary methodology as a substitute for the Standard. In short, if OCR is recommending a particular Standard then any substitute that is as good as or better than the Standard is likely to meet the "reasonable and appropriate" requirement of the Security Rule; all others are likely to fall far short.
Our article this month is entitled: Breach Notification Rule Audit Requirements Phase II Protocol.
In this prior post, we discussed what the Breach Notification Rule's ("Rule") Audit Protocol requirement was with the Phase I protocol. The Phase II protocol ostensibly adds one more requirement to the Rule, which we highlight below, BUT the significant difference is the language that HHS now uses with respect to what they are demanding for each requirement. Their demands are more detailed and onerous. This language, we believe, was intended to send a message to the marketplace that the game has changed. Below we review each requirement and its new language. Unfortunately, in some cases, HHS also changed what it named an individual protocol; however, the statutory reference remained the same. We use the statutory reference as a guide to illustrate the changes. Everything new will be in blue to highlight the differences. The name of the new protocol will be in "blue bold" and underlined. As you will see, there are multiple protocols per statutory reference in several cases.
Our article this month is entitled: Why HIPAA Compliance is a Continuous Improvement Project?
By now you may have realized that HIPAA compliance is not a "one and done" proposition. For a HIPAA compliance initiative to be effective, it must be Agile. Agile describes a set of principles for development wherein requirements and solutions evolve over time. To evolve means to change. Agile started out as a software development methodology. However, it has moved into a host of other disciplines including marketing, business planning, product launches, etc. It is a methodology that has also been embraced in other compliance spaces. For example, the US Sentencing Commission Guidelines on sentencing organizations identifies the requirements of an Effective Compliance and Ethics Program to include, among other things:
Our article this month is entitled: Introducing Expresso®.
What is Expresso®? Expresso® is a software-as-a-service ("SaaS") that embodies the National Institute of Standards and Technology ("NIST") seven (7) step process for performing Risk Assessments. Expresso® comes pre-populated with (T)hreats, (V)ulnerabilities, and potential business (I)mpacts to your organization, making the calculation of (R)isks easier than the tedious process that our competitors offer. In addition to pre-populating Threats, Vulnerabilities and Impacts, Expresso® comes pre-populated with Controls that cover all Security Rule implementation specifications. Expresso® also allows you to modify all pre-populated data in a manner that best fits your organization.
Our article this month is entitled: Dissecting a HIPAA Risk.
This article discusses how HIPAA Security Rule Risks ("Risks") can be categorized and dissected. In previous articles we have focused on Risk Assessments which, generally speaking, require an organization to identify Risks and subsequently identify the controls ("Controls") required to mitigate Risks to levels that are "reasonable and appropriate." This article assumes that you already understand the basic Risk Assessment process and focuses on a more granular examination of the component parts of a Risk.
Our article this month is entitled: Ransomware: Rationalizing Risk Assessments.
A Risk Assessment is a process by which an Organization identifies the following: (1) Threats to the Organization (i.e. to its Operations, Assets, or Individuals); (2) Vulnerabilities internal and external to the Organization; (3) The harm (i.e. adverse Impact) that may occur given the potential for Threats exploiting Vulnerabilities; and (4) The Risk associated with a specific Threat, Vulnerability and Impact combination.
Our article this month is entitled: Ransomware: The Rising Trend in Computer Scams.
"How much is your data worth to you?" is a question that cyber criminals have been making millions from. Ransomware is a variety of malware that holds your digital information (or assets) hostage and demands payment for release. This activity has seen a rise in popularity in the past few years and made headlines around the globe.
Our article this month is entitled: The Network Perimeter is Kaput!
It is difficult (as in damn near useless) to write an article about reducing the "dwell time" for an industry such as healthcare that, seemingly on a daily basis, continues to let "laptops with ePHI" walk out the door completely unencrypted. I am convinced that it is a perfect storm of ignorance, arrogance, chutzpah, and a lack of resources that has kept healthcare in the dark ages with respect to privacy and security. You often hear, "we save lives around here," and "we don't have C-Suite time to focus on the agenda of 'tree huggers,' HIPAA consultants and lawyers," until of course there's a major breach, at which time bandwidth and money materialize out of thin air.
Our article this month is entitled: Revisiting BYOD & Security of Mobile Devices.
It has been about three years since we last wrote about BYOD. During that time all of our predictions have certainly come true and then some. Further, there has been no shortage of lost or stolen devices to confirm our hypothesis that BYOD would wreak havoc in the healthcare workplace (i.e. vis-a-vis potential breaches of PHI). In this article we want to be more proactive by actually proposing a reasonable, low cost, high value add, (partial) solution to the problem.
Our article this month is entitled: Why Are Risk Assessments so hard?
Risk Assessments ("RAs") are so difficult to do that it is hard to know where to start. However, let's start with the requirement as it is contained in the HIPAA Security Rule: "Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate."
Our article this month is entitled: HIPAA Documentation: More than you ever wanted to know!
You might think that compliance with HIPAA is mostly about documentation. If so, you would be partly correct, but you would be missing the big picture entirely. There is a significant amount of documentation required to comply with HIPAA because the Rules (Privacy, Security, and Breach Notification) require an organization to perform a significant number of tasks. It is recording the performance of these tasks that drives the majority of HIPAA documentation.
Our article this month is entitled: What Triggers Breach Notification?
You might think that the answer to that question is relatively straightforward but, like most things HIPAA, you would be wrong. To answer that question you need to apply a three step analytical framework contained within the Rules but not presented in a manner readily understood even by most compliance officers. In this article we will "demystify" the framework but don't get lulled into a false sense of "OK I got this" because the real world application of the framework is far more challenging than what it looks like "in the lab."
Our article this month is entitled: What HIPAA Training Does My Staff Require?
Training is a question that often comes up during our webinars or in inquiries to our customer service department. It is not an easy question to answer in the abstract because the answer is highly dependent on the characteristics of an individual organization. Part of the answer however is that your old "feel good" and largely "dumbed down" training is not sufficient post HITECH. The HITECH Act changed the game for everyone and now all your workforce needs to acquire a higher degree of HIPAA literacy if you hope to build HIPAA compliance into your organization's DNA (i.e. into day-to-day workflows and processes). In our view, if you do not succeed in building compliance into your DNA you have little hope of ever establishing a culture of compliance, something the HHS is auditing for, despite the fact that this requirement is not expressly captured in HHS' Audit Protocol.
Our article this month is entitled: Business Associates Everywhere.
We have written about business associates on previous occasions, notably here and here. If you want to get grounded in business associate basics we encourage you to peruse the previous links. This article focuses on business associates as software vendors and the issues presented by this relationship from the perspective of the business associate.
Our article this month is entitled: Tracking your HIPAA Compliance Initiative.
We often write about the need to track your HIPAA compliance initiative at the granularity level of a requirement. Now with our FREELY available Scorecards you can do exactly that. However, to understand how to use our Scorecards you must first understand that we tie HIPAA compliance requirements to Checklist Items. And so that begs the question(s), from our perspective, what is a checklist generally and what are checklist items?
Our article this month is entitled: Launch your HIPAA Initiative in 10 Steps...
Notice that the title of this article does not say 10 easy steps. Also notice that the title states "Launch" (not "Complete") your initiative. You will certainly have made significant progress at the end of these 10 Steps but in no way do we mean to imply that you will be done. Clearly you won't be. However, if you are a long time reader you know that we assert, every chance we get, that you will never be done with your HIPAA initiative because by definition, it is an ongoing process. Also, for the sake of transparency, we use our Agile Methodology Project Plans to describe the 10 steps. That said, these 10 steps are written generally so as to apply no matter what purchased or "home grown" tool sets you may be using.
Our article this month is entitled: Breach Notification Rule Audit Requirements...
The HHS Audit Protocol for the Breach Notification Rule is kind of an odd bird. First of all, it is very short compared to its importance in the grand scheme of things in the HIPAA universe (only 10 requirements). Second, it is more about "things" that you should be prepared to do rather than "things" you are (or should be) currently doing. If you look at HHS' Audit Protocol for sections 164.404 through 164.414 you will notice that the "protocol" doesn't do much more than repeat what is contained in the regulations AND, in addition, it provides for certain "inquiries." Now to be sure the entire HHS Audit Protocol follows this format, but in the case of the Breach Notification Rule the inquiries are about an "eventuality" that may never occur.
Our article this month is entitled: Conducting a Risk Assessment...
Conducting an effective Risk Assessment is a daunting task no matter how often you may have done it. However, if it's your first time then your anxiety level is likely to be an order of magnitude higher. Although what we are going to discuss in the article is not a magic elixir for reducing your anxiety, it may help you to put things in proper perspective. The silver bullet in a nutshell is that there is "no such thing as a perfect Risk Assessment" and there is no compliance requirement for one. The objective is not perfection, but rather the objective is to establish a baseline that you can continue to improve on over time.
Our article this month is entitled: Business Associates Basics...
Five years out from the promulgation of the HITECH Act business associates are still struggling with what the Act requires of them under the modified HIPAA regulations. Although under the Omnibus Rule it should be clear that a business associate ("BA") must comply with the Privacy Rule, the Security Rule, and the Breach Notification Rule, it is the requirements of the Security Rule ("SR") that bedevil BAs the most.
Broadly speaking, the SR requires that a BA implement three types of safeguards: (1) administrative, (2) physical, and (3) technical. In addition, it imposes other organizational requirements and a need to document processes analogous to the Privacy Rule ("PR"). That said, creating the necessary SR documentation will likely prove significantly more "vexing" than its PR counterpart, especially for a smaller BA.
Our article this month is entitled: The HIPAA Privacy Rule: Ignore it at your own peril...
With the promulgation of the HITECH Act, meaningful use, breach notification, and increased HIPAA violation fines, it appears that the HIPAA Security Rule ("SR") has taken all of the oxygen out of the room, and rightfully so. The SR had largely been neglected for all of those years that the healthcare industry remained on paper. After HITECH and the mass movement to EHRs, it could no longer be ignored. All of a sudden Risk Assessments, encryption, and a host of other SR topics dominated the conversation. In the "rush" to comply with the SR, many organizations have neglected the Privacy Rule ("PR") because after all, most of these organizations felt (or had been told by their compliance officers) that they had long since achieved full compliance with the PR. It was the SR that required all their attention. This article explores various components of the PR and why organizations, despite their protestations to the contrary, are not even close to full compliance with the PR.
Our article this month is entitled: Post Anthem: the more things change...
Unless you have been asleep at the wheel for the last couple of weeks we are certain that you have heard the buzz surrounding the Anthem breach. The sheer magnitude of this breach has made it impossible to ignore. There can be no doubt that the HIPAA (post HITECH) awareness level is now "off the charts." However, what we want to explore in this article are the changes that are likely to occur "on the ground" as a result of Anthem (i.e. increased funding for, and acceleration of, HIPAA compliance initiatives).
Our article this month is entitled: HIPAA Audits: What's All the Fuss About?
The HIPAA audits are on; no they are off; wait they are back on again; rinse and repeat. For most of the healthcare industry this "wringing of hands and gnashing of teeth" is entirely futile for a number of reasons: (1) your chances of getting audited (i.e. as opposed to experiencing a major breach or having a patient complaint lead to a finding of "willful neglect") are quite small; and (2) most of the industry will be ill-prepared for audits no matter when they come. In any case the best use of your time is to improve the quality of your HIPAA initiative rather than spending time worrying about the machinations of the HHS in Washington, D.C. The latter is an insiders' game at best and even then the consensus wisdom of the insiders is often wrong. In short, good luck trying to predict when a specific government agency will take action.
Our article this month is entitled: HIPAA Lawsuits: A Defacto Right of Individuals to Bring Suit.
This article discusses HIPAA related lawsuits and why we may see an explosion of one particular category of HIPAA lawsuits in the next few years. In general, there are four categories of suits that can be thought of as "HIPAA related:" (1) an action by HHS to enforce sanctions for violations (i.e. in the rare case where a covered entity ("CE") or business associate ("BA") does not settle); (2) an action brought by a state attorney general on behalf of the citizens of a state (i.e. as provided for in HITECH Act Section 13410); (3) a private "class action" suit brought under some state law theory (usually state breach notification law or negligence); and (4) an action brought by a single individual under a state law theory of negligence.
Our article this month is entitled: 2014: The Year Privacy & Security Took Center Stage.
In 1996 when HIPAA was first enacted into law we are quite certain that it was viewed as somewhat of a regulatory oddity. It was the first time that protected health information ("PHI") had been regulated under federal law in any significant way. The Privacy & Security Rules, other than the changes introduced by the HITECH Act, were largely as they exist in current form. Of course back then the healthcare industry was still using 19th century administrative procedures (e.g. electronic health records were not yet a glimmer in a Chief Medical Officer's eye) and so the Security Rule, which dealt exclusively with ePHI, could mostly be ignored.
Our article this month is entitled: The Case for Cyber Liability Insurance.
What is Cyber Liability Insurance? As it turns out, this is not a simple question to answer. It means different things to different organizations. One thing is clear, whatever is covered under cyber-liability insurance is almost certainly not covered under an organization's general liability, errors and omissions, or malpractice policies.
Our article this month is entitled: Healthcare's Evolving Threat Landscape: a New Vocabulary is NOT required!
The hacking of Community Health Systems and the theft of 4.5 million records containing ePHI has sent a shockwave through the HIPAA compliance community. Many high profile executives are now calling for a change from a "compliance strategy" to a "risk management strategy." What these executives mean is that it is not enough to simply comply with the regulations, but rather, that organizations need to proactively manage (read anticipate) risks in order to effectively reduce the legal liability and other harm that results from a significant breach. However, as discussed in this article, compliance and risk management are not mutually exclusive concepts. In fact, if your organization does not include the latter in the former, then you have been doing it wrong all along. The intent of the HIPAA regulations is not to achieve compliance, but rather to "force" healthcare organizations to more effectively manage risks.
Our article this month is entitled: HIPAA Audits: Why all the Mystery?
This article discusses what to expect during a HIPAA audit. For the longest time HIPAA compliance professionals have approached a "HIPAA Audit" as if it were some kind of mysterious exercise, where only a few "high priests" were actually in the know. Prior to the HITECH Act (i.e. at a time when HIPAA Audits were not mandatory), there was the now famous article about the forty-two (42) questions that you might be asked during a HIPAA Audit (i.e. that purportedly enlightened the "unwashed masses" about what you should really expect during this secret ritual).
Our article this month is entitled: HIPAA Data Retention: a Common Sense Approach!
This article discusses how a covered entity or business associate can establish a practical HIPAA Data Retention Program ("DRP") that satisfies HIPAA's data retention requirements as well as those requirements based on other "Record Types" (e.g. accounting, tax, corporate, employment etc.). A well defined DRP not only helps your organization comply with applicable law; it also has the potential of dramatically reducing litigation costs when the inevitable lawsuit occurs.
Our article this month is entitled: HIPAA Business Continuity: a Common Sense Approach.
This article discusses Business Continuity requirements under the HIPAA Security Rule ("SR"), which pertains to all of a covered entity's ("CE") or business associate's ("BA") electronic protected health information ("ePHI").
Our article this month is entitled: Measuring HIPAA Compliance?
Let's assume, for the purposes of this article, that you are the compliance officer for your organization. Further, let's assume that for the good of the organization (and your own job) you have decided that it is high time you have that dreaded conversation with your boss regarding HITECH / HIPAA compliance, and how the organization could be found in "willful neglect" if it doesn't update its long since outdated HIPAA compliance initiative.
Our article this month is entitled: Exploding HIPAA Myths!
This article discusses a number of HIPAA misconceptions that keep coming back like the proverbial "bad penny." Compliance with the regulations is far from trivial, however it is not nearly as complex or expensive as some in healthcare would have you believe. There are too many healthcare stakeholders that would rather delay, defer, or refuse to comply altogether. The industry as a whole would be far better off embracing the fact that privacy and security are now a cost of doing business, and simply get on with it.
Our article this month is entitled: Who is enforcing PHI laws?
Recent enforcement actions by the FTC and Secret Service have called into question which government agencies, including state agencies, are responsible for enforcing laws related to protected health information ("PHI"). Certainly, from a federal government perspective, the Department of Health and Human Services ("HHS") has long been recognized as the enforcer of the HIPAA Regulations. The FTC, on the other hand, has long had the responsibility for enforcing laws related to personally identifiable information ("PII") under the Federal Trade Commission Act of 1914, and its corresponding regulations, which are focused on protection of consumer data.
Our article this month is entitled: HIPAA Accounting 4 Disclosures: Reading the Tea Leaves
This article discusses a HITECH Act compliance ticking time bomb known as "Accounting of Disclosures" of PHI and that we prefer to call "Accounting for Disclosures" of PHI or "A4D" for short. Specifically, this article focuses on the "As Is" state of A4D as embodied in Privacy Rule section 164.528 and the implications of HITECH Act section 13405(c) on HHS' proposed A4D rule. HHS' proposed rule has been hotly debated and is long past due in its final form.
Our article this month is entitled: The Case for Near Real-Time Risk Analysis?
This article explores why more and more covered entities ("CEs") and business associates ("BAs") may be forced to do a greater number of Risk Assessments per year than first anticipated. The Security Rule generally indicates that a Risk Assessment ("RA") must be done "as required" (e.g. when your operational environment changes OR if, as a practical matter, your organization has never actually done an RA and it is trying to comply with Meaningful Use objectives).
This month's featured article is entitled: Why 2014 will be the Year of Agile Compliance?
This article defines Agile Compliance and provides the rationale behind why this approach will likely become the dominant compliance methodology in 2014 and beyond. The article also discusses the problems that Agile Compliance solves more effectively than linear methodologies and why your existing HIPAA compliance methodology may be DOA.
This month's featured article is entitled: Launching a HIPAA Risk Management Compliance Program.
This article discusses the Security Rule's ("SR") requirement for establishing a Risk Management compliance program. Risk Management is the process used to identify and implement security measures to reduce risk to reasonable and appropriate levels within your organization. It is based on your organization's unique operational environment.
This month's featured article is entitled: Risk Assessments: A Foundational Methodology.
This article will provide an illustration of a foundational methodology that can be used to perform a Risk Assessment that complies with a critical Implementation Specification of the HIPAA Security Rule. It is also the topic of our next Webinar.
This month's featured article is entitled: HIPAA 2.0: No More Fill in the Blanks Compliance!
The September 23, 2013 Omnibus Rule deadline has come and gone, but no worries because many of you have filled in the blanks of your new set of templates and are good to go. Right? Wrong!
First, it is likely that many of you don't understand the templates that you have carefully modified with your organization's "name, rank, and serial number." Second, the vast majority of you probably don't have any organizational processes in place to underpin your policies (i.e. your templates). And finally, almost no one has effective tracking mechanisms in place to track process results. In short, your organization may be a long way from being able to show visible, demonstrable evidence of compliance.
This month's featured article is entitled: Impact of the HIPAA Omnibus Rule: Reading the Tea Leaves?
We have written about the Omnibus Rule ("Rule") on numerous occasions, most recently here and here. However, this month's article will focus less on the specific contents of the Rule and more on the impact it is likely to have on the healthcare industry going forward. The implementation date of the final rule (i.e. September 23, 2013) is fast approaching and yet many within the healthcare industry remain befuddled as to what this implementation date portends.
Our article this month is entitled: HIPAA Security: What's the essence of the Rule?
The Security Rule ("SR") is a set of regulations which requires that your Organization identify Risks, mitigate Risks, and monitor Risks over time in order to ensure the Confidentiality, Integrity, and Availability of your Organization's ePHI. That's it. This article is intended to provide you the basic concepts that help you understand, engage, and ultimately master the details.
Our article this month is entitled: Cyberwar: The Real Reason This is Not Your Daddy's HIPAA.
This article provides insight as to why HIPAA has grown in importance for a host of reasons that are not directly linked to the HITECH Act. Yes, the HITECH Act was (and is) a transformative piece of legislation, and four years out the healthcare industry is still struggling to comply. The latter condition has more to do with compliance budgets lacking the wherewithal to get the job done than any inherent complexity in the new statute and regulations. Although, to be sure, there is no shortage of complexity.
Our article this month is entitled: The HHS Omnibus Rule: HIPAA Myth Making Continues.
This article provides insight as to why HIPAA myths continue to perpetuate and what you can do to ensure that you are getting quality guidance. It is somewhat surprising that a law, and a corresponding set of regulations, that have been around for so long remain so widely misunderstood. To an outsider looking in for the first time it is likely far from obvious why the healthcare industry lags in privacy and security compliance (e.g. vis-a-vis other industries such as financial services) despite the fact that privacy and security are now "front and center" national security issues. Why such an enormous disconnect in best practices across industries?
Our article this month is entitled: A Business Associate Just Notified You of a Serious Breach: What now?
This article provides guidance regarding what to expect, and what you should do, once a Business Associate has notified you of a breach. By now, you should already have a plan in place that helps you respond to this dreaded predicament. However, we know from experience that many of you don't, and even if you do, read on; you may learn something new.
The featured article this month is entitled: Big Data is the New Oil: Can the healthcare industry leverage it?
Big Data is the latest buzzword sweeping the healthcare industry and like so many others that have recently preceded it (e.g. EHRs, social media, mobile, telemedicine, cloud computing, etc.) promises to be "transformative."
The featured article this month is entitled: HIPAA Cloud Storage: Why Microsoft's Office 365 Announcement is a Big Deal?
The reluctance of "big name" cloud storage vendors (e.g. Amazon, Google, and almost every other market participant that we are aware of) to enter into a Business Associate Agreement ("BAA") with a covered entity ("CE") or a business associate ("BA") certainly has put a damper on the healthcare industry's move to the public cloud. Any PHI stored on any vendor's cloud offering requires a BAA. Without one, the CE or BA would be in "gross violation" of the HIPAA Rules and risk exposure to a significant fine.
The featured article this month is entitled: HITECH/HIPAA: HHS Omnibus Rule Review.
We have argued that the HHS Omnibus Rule ("the Rule") is neither a "Tweak" nor a "Sweeping Reform." There is far too much substantive law included in the Rule for it to be characterized as the former. It also cannot be characterized as the latter. However, the HITECH Act WAS sweeping and, for the most part, the Rule is simply HITECH-izing the Privacy Rule, the Security Rule, the Breach Notification Rule, and the Enforcement Rule.
The featured article this month is entitled: HITECH/HIPAA: Protecting Mobile Devices & Supporting BYOD.
The next few years are going to continue to be full of headlines in healthcare journals on the explosion of Mobile Device usage among clinical professionals and the role that these devices continue to play in major PHI data breaches.
The featured article this month is entitled: HITECH/HIPAA: The Rise of the Engaged Patient.
Patients have always had the right to access their PHI (post-HIPAA); we wrote about the Privacy Rule sections that provide for this access in our Patient's Bill of Rights post. The HITECH Act expands this access under Section 13405, now allowing for treatment, payment and operations (TPO) usages to be disclosed for the past three years as well (i.e. provided that an EHR is in use).
The featured article this month is entitled: HITECH/HIPAA: Understanding the Public Policy Rationale.
It provides readers with a perspective on the public policy rationale that underpins the HITECH/HIPAA statutes and regulations. Its central argument is that without a well grounded understanding of the policy, many practitioners will remain lost in the weeds and unable to comprehend the essence of what is required to comply.
The featured article this month is entitled: Business Associates: Compliance as a Marketplace Differentiator.
This article explains why, as a business associate, you have no choice other than to make the best out of the regulatory compliance hand that you have been dealt. You somehow must manage to make lemonade from lemons. If you can't, your competitors will. You can either be the "disruptor" or the "disruptee." The former is preferable.
The featured article this month is entitled: Preparing for the Omnibus Rule: building a strong foundation.
Building a solid understanding of the HIPAA Rules, as modified by HITECH, is not an easy task; nor is it a task that can be accomplished simply by reading the "Cliff Notes." The HIPAA Survival Guide contains the full text of the Rules and we encourage readers to peruse them when necessary (and it is often necessary). However, even attorneys don't like reading pure statutory text out of context, so this article will provide a guided tour of how to launch your own education plan based on our suggestions from previous issues.
The featured article this month is entitled: What documents must be tracked for HITECH / HIPAA compliance?
The challenges of complying with an OCR HITECH / HIPAA audit are numerous. As such, preparing for an audit can be quite overwhelming. We covered this topic in our June 2012 Newsletter. We also did a number of Blog Talk Radio shows on this topic:
Finally, we did a webinar on this topic and the slides can be found here. What we are covering in this article is another perspective on an audit, specifically the kinds of documents that you may be asked to produce.
The featured article this month is entitled Small Providers: Avoiding a Breach Calamity! This is a guest article written by Tom Warley, CSO of Colorado Hi-Tech Solutions, a firm that specializes in helping small providers meet the challenges of implementing the HIPAA Security Rule.
The challenges of securing PHI for small providers in today's regulatory environment can be significant. There are budget constraints, personnel constraints and, for many, a fog of confusion surrounding the HIPAA Security Rule. Even though providers are familiar with HIPAA privacy few understand the true importance of data security, much less how to attain it. Doctors are still under the illusion that HIPAA is a paper tiger, toothless. Old-school doctors in particular are often unswayable in this regard. Some office managers are aware of the Security Rule but consider it a mere formality believing that policies alone suffice for compliance or that "it's the IT guy's job". Many small providers fail to address data security at all, ignoring basic security safeguards altogether. They do so at their peril. The small provider must make the protection of PHI the single most important thing they do other than patient care itself.
The featured article this month is entitled HIPAA Compliance: what to expect from an OCR audit?
Under Section 13411 of the HITECH Act, the Secretary "shall provide for periodic audits" to ensure compliance with the Act. It is the Office of Civil Rights ("OCR") that has the actual authority (under the Secretary) for HIPAA audits and enforcement actions. In 2011, OCR contracted with KPMG to develop an audit methodology and to conduct 150 audits. These audits are well underway. This article discusses what you should expect from an OCR audit.
The featured article this month is entitled Healthcare and the Cloud Revisited: it's your data, how do you protect it?
This article explores how to protect your PHI when moving to the Cloud. It turns out that protecting your PHI on the Cloud is not only fraught with technical complexity, but with a significant amount of legal complexity as well.
We are concerned that many covered entities do not possess either the technical or legal wherewithal to adequately deal with this issue. As always, it's our mission to provide our readers "news you can use." Our objective in this article is to get you "up the curve" so that you can, at a minimum, begin to ask the right questions.
The featured article this month is entitled Dispelling the Top Ten (10) Myths of HIPAA/HITECH Compliance.
This month's article is by guest author John 'J' Trinckes Jr., CISO/EVP/Founding Partner, CISSP, CISM, CRISC, C-EH, NSA-IAM/IEM, Mulholland Information Security.
Summary: The following are the top ten reasons (or myths) regarding HIPAA/HITECH compliance that we have heard in the healthcare industry over the past couple of years. There is no specific order in which these appear; however, I do attempt to explain the fallacy of these thought processes.
The featured article this month is entitled HIPAA Compliance: Introducing the H2 Compliance Scorecard.
This month's article is a follow-on article to our October 2011 article entitled: HITECH / HIPAA Compliance: a checklist manifesto?
Our October article explored how:
"in a world that is increasingly becoming more complex, where the volume of knowledge often exceeds an individual's ability to assimilate and communicate it, simple tools such as checklists are having a profound and compelling positive impact on dealing with complexity."
In particular, it explored how checklists can be used as HITECH / HIPAA compliance tools. This month's article introduces our H2 Compliance Scorecard℠ and how it can be used in combination with a checklist to measure compliance improvement over time.
The featured article this month is entitled HIPAA Compliance: Preview of the HHS Omnibus Rule?
This article explores the proposed HHS Omnibus Rule. The HHS Omnibus Rule ("OR") mostly concerns sections of the HITECH Act that went into effect on February 18, 2010. There was an NPRM that was issued on July 14, 2010 that contained the changes proposed for the final rule. It is quite evident that HHS has not broken any "land speed records" in finalizing the OR, but all indications are that it will be forthcoming "soon." The full text of the OR can be found here.
The featured article this month is entitled HIPAA Compliance: The Privacy Rule and the Patient's Bill of Rights?
This article explores the Patient's Bill of Rights ("PBR") contained within the HIPAA Privacy Rule. Although the PBR has existed since the Privacy Rule was first promulgated, changing demographics and marketplace trends will force covered entities (and in many cases business associates) to take a new look at the PBR and its implications. Recently, due to the significant movement to EHRs enabled by the HITECH Act, it is the HIPAA Security Rule that has garnered most of the attention, and rightfully so. However, the PBR may (at the end of the day) be the single biggest driver of compliance change within an organization, superseded only by changes brought on by breach notification.
The featured article this month is entitled HIPAA Compliance: The Intersection of Privacy, Security, Mobile and Social Media?
This article explores the use of social media and mobile devices in the healthcare industry and the potential risks associated with such rampant use. It is not a question of whether or not covered entities ("CEs") should engage in this type of use, the fact of the matter is that they are doing so in large numbers. This phenomenon is not about to stop anytime soon, nor should it. Social media and mobile devices provide CEs with a way to engage their patients in a manner that allows CEs to differentiate their offerings in an increasingly more competitive marketplace.
The featured article this month is entitled HITECH / HIPAA: The Cost of Non-Compliance?
This article explores the cost of HITECH / HIPAA non-compliance to the healthcare industry. It will examine a number of cost factors and suggest strongly that relatively small investments in compliance could produce significant returns. It will also revisit the reasons why healthcare's compliance status quo is no longer sustainable.
The featured article this month is entitled HITECH / HIPAA Compliance: a checklist manifesto?
This article explores how, in a world that is increasingly becoming more complex, where the volume of knowledge often exceeds an individual's ability to assimilate and communicate it, simple tools such as checklists are having a profound and compelling positive impact on dealing with complexity. In particular, this article explores how checklists can be used as HITECH / HIPAA compliance tools.
The featured article this month is entitled HITECH / HIPAA and the Cloud: what are the benefits and risks?
This article explores the healthcare industry's emphatic adoption of cloud computing and the benefits and risks of moving to the cloud, including those directly related to HITECH / HIPAA Compliance.
The featured article this month is entitled Meaningful Use: How do you verify that you are meeting the requirements?
This article addresses the kinds of information that must be tracked in order to receive your EHR Incentives under the meaningful use stage 1 requirements. Clearly there is quite a bit of information that needs to be tracked, most of which will be coming from a provider's EHR system. However, the information in an EHR system is not static. Therefore, providers must capture all required information to legally attest to HITECH Act compliance as a snapshot in a point in time, which is not a trivial task given the complexity of the objectives.
The featured article this month is entitled: HIPAA Breach Notification Decision Points: when is notification triggered?
This article addresses the kind of analysis required to decide whether breach notification is triggered under the HITECH Act for a given security incident. The bottom line is that not all security incidents trigger notification, but the wicked problem remains: how do you determine the ones that do?
The featured article this month is entitled: Tracking Patients Using HITECH / HIPAA Compliance Software.
This article addresses features and functionality required to ensure that your organization can provide visible demonstrable evidence that it is managing patient authorizations, restrictions, incidents, and access requests according to applicable law. This article provides an overview of how our recommended best of breed HIPAA Compliance Software accomplishes these tasks. In subsequent articles we will discuss the other baseline components in greater detail.
The featured article this quarter is entitled: "Must Have Features in a HITECH / HIPAA Compliance Tracking System."
This article describes the kinds of features and functionality that an organization should seek in HIPAA compliance software in order to be able to show visible, demonstrable evidence that it is serious about meeting its HITECH / HIPAA compliance obligations. We have often written about the concept that compliance is a process and that simply having policies and procedures in place, although necessary, is woefully insufficient with respect to demonstrating process due diligence over time. In short, in addition to providing assistance in the creation and management of policies and procedures, HIPAA compliance software should also allow an organization to manage its compliance processes and to demonstrate evidence that it is doing so.
The featured article this quarter is entitled: "Disruption in Compliance Governance: Why the old governance model is DOA."
If any reader still believes that the healthcare industry has not already been disrupted more in the last year than it has in the past fifty, with more disruption on the way in 2011, then you have simply been asleep at the wheel for all of 2010. Further, we have a news flash for you: it is no longer the government that is the most active agent in the disruption business, it's that scary (or holy, depending on your point of view) thing we call "the free market" that is driving the disruption.
The featured article this month is entitled: "Ten Steps to Selecting the Right EHR Software."
First of all, if you have been following along with this newsletter you understand that there are no ten steps (or five, pick a number) to "solving" any wicked problem (for new readers see here and here). Software selection is clearly a wicked problem and therefore does not lend itself to a linear process. The software selection problem is much more chaotic than what may be apparent on its face. Second, although an EHR implementation and your HITECH compliance initiative are closely intertwined, for reasons to be discussed in this article, we feel compelled to (once again) remind our readers that they are NOT one and the same thing.
The featured article this month is entitled: "Healthcare for the 21st Century, it's the architecture stupid."
What is healthcare architecture? My "elevator pitch" answer to this question goes something like this: "architecture concerns itself with making sure that the various parts of a complex system (e.g. healthcare interoperability) work well together." Huh? In short, the question is not an easy, or straightforward, one to answer. We have a 2000-year history of architecture as it relates to the built world, and still the general public has only a vague understanding of its first principles. In the healthcare universe, at least with respect to anything that could be called healthcare interoperability, we have, at most, a very short history indeed (especially in the U.S.). Therefore, it should come as no surprise that even practitioners within the healthcare information technology industry are confused when the word is used.
The featured article this month is entitled: "Compliance with HITECH / HIPAA Privacy and Security: Biomedical Device Integration (BMDI)."
This article, by Deborah Leyva, RN, Clinical Solutions Executive, at Nuvon, Inc., presents an overview of the importance of medical device integration vis-a-vis EHR ROI, and the corresponding privacy and security challenges under HITECH.
The featured article this month is entitled: "HITECH Breach Notification Framework: an Overview."
This article presents an overview of issues that covered entities ("CE") face when confronted with a breach of PHI and its corresponding reporting requirements under HITECH. To say that the HITECH Act changes everything with respect to breach notification is not hyperbole. There were no equivalent breach notification requirements under HIPAA, and therefore, HITECH introduces an entirely new regulatory regime in this regard. HITECH's breach notification requirements also have implications with respect to business associates, and with respect to the relationship between a business associate and a covered entity.
This month's featured article is entitled: "Business Associate Contracts: HITECH Implications."
Until the HITECH Act was enacted into law on February 17, 2009, as part of ARRA, a business associate's ("BA") compliance with HIPAA's Regulations was mandated only as part of the contract (see 164.504(e)(1)) with its respective Covered Entity ("CE"). Under HITECH a BA is "directly on the hook" (i.e. via statutory authority) for complying with the sections of the HIPAA Security Rule ("SR").
This month's featured article is entitled: "Business Associates: That was then, this is now."
All business associate contracts will have certain key sections as required by the regulations. This article walks you through each key section from our perspective, highlighting issues that you should consider before entering into a binding agreement. It should be noted that these issues will obviously vary with the individual party using the agreement, and whether or not your organization is a Covered Entity ("CE") or a Business Associate ("BA").
This month's featured article is entitled: "Change is Hard: EHR Implementations, Compliance Touch Points & Chaos Theory."
It is a "concept article" with the following introduction:
We understand that this newsletter has introduced concepts (e.g. wicked problems and agile methodologies) that may be foreign to healthcare providers. There are several reasons why we have felt compelled to do so: 1) we are bona fide geeks and can't help ourselves; and 2) more importantly, we believe that maybe (just maybe) some of our readers might benefit from our lessons learned (the hard way) in other industries.
This month's featured article is entitled: "The HITECH Act One Year Out: Real Healthcare Reform?"
It explores where we have been under HITECH and where we are likely headed. It attempts to provide a big picture view of more than just the regulatory impact, but rather discusses the convergence of law, policy and technology as the real foundation for change. All three combined will produce unprecedented change in the healthcare industry. Why? Because these three meta-concepts are inextricably linked. Trying to understand any one of them without considering the other two is an exercise in futility.
This month's featured article is entitled: "HHS' Interim 'Meaningful Use' Regulations (Part 2)."
It is a continuation of the guest article by Deborah Leyva, RN, BSN, contained in January's newsletter. The focus of our newsletter has been primarily on providing a better understanding of the HITECH / HIPAA requirements and on providing insights into strategies that will help providers and facilities meet the objectives of the new regulations. January's guest article began with a discussion of the changes made by ONC and HHS for the first Policy Priority specified by the HIT Policy Committee, covering specifications for Stage I - 2011 Meaningful Use criteria, subsequent to the announcement by ONC and HHS, on December 30th.
This month's featured article is entitled: "The Compliance Crisis: Top Five Strategies Guaranteed to Fail."
The focus of our newsletter has been primarily on providing a better understanding of the HITECH / HIPAA requirements and on providing insights into strategies that will help providers and facilities meet the objectives of the new regulations. However, it is often just as useful to examine the status quo and to analyze why existing strategies will no longer work in this new regulatory environment, perhaps more so. The article's five compliance strategies guaranteed to fail are as follows: (1) ostrich; (2) our staff's on top of it; (3) members of our legal team are compliance experts; (4) not invented here--healthcare is so different; and (5) the docs know best.
The featured article this month is entitled: Understanding HITECH / HIPAA Risk Management Frameworks.
These frameworks are targeted to executives and others who require strategic guidance during these uncertain times. Now that the healthcare marketplace is starting to recognize the scope and magnitude of the HITECH Act, we felt it was necessary to take a step back and provide executive management teams (and other mission critical management staff) our perspective on how to move forward in a responsible and rigorous manner, especially in this highly competitive economic environment that mandates effective cost control. In short, how can an organization achieve HITECH / HIPAA compliance without breaking the bank?
The featured article this month is entitled: "The Intersection of HITECH/HIPAA and Meaningful Use: Part IV: Attacking the HIPAA Security Rule (Hug the Monster: Redux)."
It is the fourth in a series of featured articles over the next few months that will discuss the transformational impact that the HITECH Act is likely to have on HIPAA's regulatory environment. This featured article explores the HIPAA Security Rule in the second of two parts that discusses "the monster."
The featured article this month is entitled: "The Intersection of HITECH/HIPAA and Meaningful Use: Part III: Attacking the HIPAA Security Rule (Hug the Monster)."
It is the third in a series of featured articles over the next few months that will discuss the transformational impact that the HITECH Act is likely to have on HIPAA's regulatory environment. This featured article explores the HIPAA Security Rule in the first of two parts that discusses "the monster."
The featured article this month is entitled: "The Intersection of HITECH/HIPAA and Meaningful Use: Part II."
It is the second in a series of featured articles over the next few months that will discuss the transformational impact that the HITECH Act is likely to have on HIPAA's regulatory environment. This featured article explores why an EHR/HITECH/HIPAA implementation is a "wicked problem."
The featured article this month is entitled: "The Intersection of HITECH/HIPAA and Meaningful Use: Part I."
It is the first in a series of featured articles over the next few months that will discuss the transformational impact that the HITECH Act is likely to have on HIPAA's regulatory environment. This featured article introduces key aspects of the HITECH Act and why they collectively constitute a game changer.