HIPAA Final Rule: Security Standards, General Rules & Administrative Safeguard Modifications

February 5, 2013.  Today, we cover the modifications to Security Standards:  General Rules, and Administrative Safeguards in the HIPAA Security Rule, as modified by the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013. Security Standards:  General Rules.  The five General Rules govern how the administrative, physical,…

READ MORE

OCR Issues Draft Guidance on Security Risk Analysis

The Office for Civil Rights (OCR) of the Department of Health and Human Services  (HHS) issued on May 7, 2010, Security Rule Draft Guidance on Risk Analysis. This is the first in a “series of guidance documents [that] will assist organizations in identifying and implementing the most effective and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic protected health information.  The materials will be updated annually, as appropriate.” This eight-page document is available online. The Draft Guidance on Risk makes the following key points: “The Security Rule does not prescribe a specific risk analysis methodology, recognizing that methods will vary dependent on the…

READ MORE

Today, February 17, Business Associates Must be in Compliance with HIPAA Security Rule

Today, Wednesday, February 17, 2010, Business Associates of Covered Entities must be able to demonstrate that they are in compliance with administrative, physical, and technical safeguards of the HIPAA Security Rule, as required by the HITECH Act, enacted one year ago today as part of the American Recovery and Reinvestment Act of 2009.  In addition, Business Associate Agreements must be rewritten or amended to specifically require a Business Associate’s compliance with the Security Rule as part of its “satisfactory assurances.”  Financial penalties for noncompliance discovered during a compliance audit or complaint investigation could be severe, especially for willful neglect. Here are the appropriate authorities: Section 13401 of Part 1 (Improved…

READ MORE

Clock Running Down on Business Associate Compliance with HIPAA Security Rule Required by HITECH Act

Less than one month to go:  Business Associates must comply with the HIPAA Security Rule no later than Wednesday, February 17, 2010.  Here are relevant provisions from the American Recovery and Reinvestment Act, Public Law 111-5, which included HITECH Act Subtitle D:  Privacy. 42 USC 17931 (PART 1–IMPROVED PRIVACY PROVISIONS AND SECURITY PROVISIONS, Section 13401:  Application of Security Provisions and Penalties to Business Associates of Covered Entities; Annual Guidance on Security Provisions). (a)  APPLICATION OF SECURITY PROVISIONS.–Sections 164.308 (Administrative Safeguards), 164.310 (Physical Safeguards), 164.312 (Technical Safeguards), and 164.316 (Policies and Procedures and Documentation Requirements) of title 45, Code of Federal Regulations, shall apply to a business associate of a covered…

READ MORE

Safeguards Key Privacy/Security Principle of Meaningful Use 2011 Objectives

On December 15, 2008, the Office of the National Coordinator for Health Information Technology of the U.S. Department of Health and Human Services (HHS) published its 11 page report: Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information. The eight principles in this report underpin the HIPAA Administrative Simplification Privacy and Security Rule standards, provide a foundation of the Privacy provisions of the HITECH Act in the American Recovery and Reinvestment Act of 2009, signed by President Obama on February 17, 2009, and are a key objective of proposed 2011 Objective recommendations for Meaningful Use published by HHS’ Health IT Policy Committee on June 16, 2009….

READ MORE

Nationwide Privacy and Security Framework for Electronic Exchange: Key Meaningful Use 2011 Objective Recommendation

On December 15, 2008, the Office of the National Coordinator for Health Information Technology of the U.S. Department of Health and Human Services (HHS) published its 11 page report: Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information. This report states: “[a] key factor to achieving a high-level of trust among individuals, health care providers, and other health care organizations participating in electronic health information exchange is the development of, and adherence to, a consistent and coordinated approach to privacy and security. Clear, understandable, uniform principles are a first step in developing a consistent and coordinated approach to privacy and security and a key component to…

READ MORE