Pay attention to HITECH Act Definition of Breach: Lost Customers Big Cost Factor

The April 2009 issue of Baseline  magazine has an article by Corinne Bernstein entitled: “The Cost of Data Breaches,” which is available online at www.baselinemag.com. We recommended that covered entities and business associates review this article, based on a Ponemon Institute study of incidents and costs incurred at 43 organizations in 17 industry sectors. Here are several highlights: » “Lost business accounted for nearly 70 percent of a data breach in 2008. » “[S]ectors suffering the highest customer losses were health care…and financial services. » “The biggest cause of breaches…is insider negligence…88% of all cases in 2008. » “The number of breaches involving third-party organizations continues to climb.” The article…

READ MORE

Direct Data Entry-No Change in the 5010 Final Rule

In the August 17, 2000 Final Rule for Standards for Electronic Transactions, direct data entry was defined as “direct entry of data (for example, using dumb terminals or web browsers) that is immediately transmitted into a health plan’s computer.” [65 Federal Register 50367] An exception for direct data entry was articulated in the August 17, 2000, Final Rule: A health care provider electing to use direct data entry offered by a health plan to conduct a transaction for which a standard has been adopted under this part must use the applicable data content and data condition requirements of the standard when conducting the transaction. The health care provider is not…

READ MORE

One Week from Today: 5010/D.0 Final Rule Effective Date

They’re coming: the Ides of March (the 14th); NCAA Basketball Tournament Announcement (the 15th); St. Patrick’s Day (the 17th); and 5010/D.0 Final Rule Effective Date (the 17th). If you are a covered entity, Level 1 testing begins Tuesday, March 17, 2009. Here are five things you need to do to start. Conduct a Gap Analysis. What do I need to do to become compliant on January 1, 2012? That date sounds far off, but it will be here before you know it. Unlike previous transaction contingency periods for covered entities and their trading partners, HHS has indicated that there will be no tolerance for those not ready. Read the final…

READ MORE

Effective Dates for Modified HIPAA Administrative Simplification Transaction and Code Set Rules Coming in March

In less than three weeks, HIPAA Version 5010/D.0 transaction and ICD-10 code set rules become effective, and the clock starts running on testing in preparation for compliance several years hence. Next Monday, March 2, 2009, HIPAA.com will outline Level 1 testing requirements and opportunities for the 5010/D.0 transaction rule, and on Tuesday, March 3, 2009, outline testing requirements for ICD-10. Sign up for HIPAA.com email reminders for these and other HIPAA Administrative Simplification standards postings, as well as postings relating to the new Health Information Technology for Economic and Clinical Health Act and Medicare and Medicaid Health Information Technology (“HITECH Act”) provisions of the American Recovery and Reinvestment Act (“ARRA”)…

READ MORE

Information Access Management: Isolating Healthcare Clearinghouse Functions-What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the first implementation specification for the Administrative Safeguard Standard (Information Access Management). This implementation specification is required. What to Do If a healthcare clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization. Remember, a clearinghouse is defined as a covered entity, but also can serve in the role of a business associate to other covered entities, namely a health plan or healthcare provider. How to Do It This implementation specification is required, but is not likely…

READ MORE

Information Access Management-What This HIPAA Security Rule Administrative Safeguard Standard Means

This is the fourth Administrative Safeguard Standard of the HIPAA Administrative Simplification Security Rule. It has three implementation specifications: Isolating Healthcare Clearinghouse Functions; Access Authorization; and Access Establishment and Modification. The first is required; the second and third are addressable. Addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. Further, as we noted in a posting last week, with enactment of the American Recovery and Reinvestment Act of 2009 on February 17, 2009, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010. The covered entity is…

READ MORE

American Recovery and Reinvestment Act of 2009

ONE HUNDRED ELEVENTH CONGRESS of the UNITED STATES of AMERICA American Recovery and Reinvestment Act of 2009 Making supplemental appropriations for job preservation and creation, infrastructure investment, energy efficiency and science, assistance to the unemployed, and State and local fiscal stabilization, for the fiscal year ending September 30, 2009, and for other purposes. AGENCY: 111th US Congress. ACTION: Act. Download (Requires Acrobat Reader)

President Obama to Sign ARRA’s HITECH provisions Tuesday, February 17, 2009, in Denver, CO

The Senate joined the House on Friday evening, February 13, 2009, in passing the American Recovery and Reinvestment Act, which includes provisions relating to Health Information Technology. Title XIII of Division A and Title IV of Division B together are known as the “Health Information Technology for Economic and Clinical Health Act” or the “HITECH Act.”  We will be highlighting attributes of the HITECH Act through the end of February. Contrary to the political blather, this legislation is a significant step forward in providing funding and incentives to accelerate adoption of standardized and interoperable electronic business and clinical technologies in healthcare and in strengthening privacy safeguards for patients’ protected health…

READ MORE