Facility Access Controls: Facility Security Plan-What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the second implementation specification for the Physical Safeguard Standard, Facility Access Controls. This implementation specification is addressable. Remember, addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act ARRA, signed by President Obama on February 17, 2009. What…

READ MORE

Facility Access Controls: Contingency Operations-What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the first implementation specification for the Physical Safeguard Standard, Facility Access Controls. This implementation specification is addressable. Remember, addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act ARRA, signed by President Obama on February 17, 2009. What…

READ MORE

Facility Access Controls: What This HIPAA Security Rule Physical Safeguard Standard Means

This is the first Physical Safeguard Standard of the HIPAA Administrative Simplification Security Rule. It has four implementation specifications: contingency operations; facility security plan; access control and validation procedures; and maintenance records. Each of these implementation specifications is addressable. Addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act ARRA,…

READ MORE

Physical Safeguard Standards of the HIPAA Administrative Simplification Security Rule

There are four physical safeguard standards: facility access controls, workstation use, workstation security, and device and media controls. Each standard has implementation specifications, which can be required or addressable. Remember, addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act ARRA, signed by President Obama on February 17, 2009. Physical…

READ MORE

HITECH Guidance & RFI

HITECH GUIDANCE & RFI 45 CFR Parts 160 and 164 AGENCY: Office of the Secretary, Department of Health and Human Services. Download (Requires Acrobat Reader)

Pay attention to HITECH Act Definition of Breach: Lost Customers Big Cost Factor

The April 2009 issue of Baseline  magazine has an article by Corinne Bernstein entitled: “The Cost of Data Breaches,” which is available online at www.baselinemag.com. We recommended that covered entities and business associates review this article, based on a Ponemon Institute study of incidents and costs incurred at 43 organizations in 17 industry sectors. Here are several highlights: » “Lost business accounted for nearly 70 percent of a data breach in 2008. » “[S]ectors suffering the highest customer losses were health care…and financial services. » “The biggest cause of breaches…is insider negligence…88% of all cases in 2008. » “The number of breaches involving third-party organizations continues to climb.” The article…

READ MORE

One Week from Today: 5010/D.0 Final Rule Effective Date

They’re coming: the Ides of March (the 14th); NCAA Basketball Tournament Announcement (the 15th); St. Patrick’s Day (the 17th); and 5010/D.0 Final Rule Effective Date (the 17th). If you are a covered entity, Level 1 testing begins Tuesday, March 17, 2009. Here are five things you need to do to start. Conduct a Gap Analysis. What do I need to do to become compliant on January 1, 2012? That date sounds far off, but it will be here before you know it. Unlike previous transaction contingency periods for covered entities and their trading partners, HHS has indicated that there will be no tolerance for those not ready. Read the final…

READ MORE

Medicare Incentives for Physicians

Amounts shown are per physician. To participate in the incentives, you must be a meaningful user. Incentive Year Adopted 2011 2012 2013 2014 2015+ 2011 $18,000 — — — — 2012 $12,000 $18,000 — — — 2013 $8,000 $12,000 $15,000 — — 2014 $4,000 $8,000 $12,000 $12,000 __ 2015 $2,000 $4,000 $8,000 $8,000 0 2016 0 $2,000 $4,000 $4,000 0 2017 0 0 0 0 0 Total $44,000 $44,000 $39,000 $24,000 0 Health Shortage Area + 10%$48,400 + 10%$48,400 +10%$42,900 +10%$26,400 As defined by the HITECH Act, a physician meaningful user is one using software that supports computerized provider order entry, uses ePrescribing, submits information to HHS on clinical quality…

READ MORE

What should you expect from your HIPAA Security Official?

HIPAA’s Security Rule requires covered entities to designate one person to be responsible for the development and implementation of policies and procedures that safeguard electronic protected health information. Nearly all organizations implemented measures to manage privacy in oral, written, and electronic media. However, as healthcare organizations and their business associates, inspired by the HITECH Act (stimulus package) respond to forthcoming financial incentives to adopt electronic health record (EHR) software, the need to beef up your security measures. So what should you look for in your Security Official? For starters, you need someone who understands clinical and billing workflows, recognizes that in the past some clinicians have communicated with patients via…

READ MORE