In our series on the HIPAA Administrative Simplification Security Rule, this is the first implementation specification for the Physical Safeguard Standard, Facility Access Controls. This implementation specification is addressable. Remember, addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009. What…
Facility Access Controls: What This HIPAA Security Rule Physical Safeguard Standard Means
This is the first Physical Safeguard Standard of the HIPAA Administrative Simplification Security Rule. It has four implementation specifications: contingency operations; facility security plan; access control and validation procedures; and maintenance records. Each of these implementation specifications is addressable. Addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA),…
Physical Safeguard Standards of the HIPAA Administrative Simplification Security Rule
There are four physical safeguard standards: facility access controls, workstation use, workstation security, and device and media controls. Each standard has implementation specifications, which can be required or addressable. Remember, addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009. Physical…
FTC Posts NPRM on Breach Notification Rule for e-Health Information
On April 17, 2009, the Federal Trade Commission issued a notice of proposed rulemaking (NPRM) that requires vendors of personal health records (PHRs), and related entities such as non-profit organizations that offer PHRs, to notify individuals when the security of their individually identifiable health information is breached. The NPRM seeks to conform with rules from HHS that safeguard protected health information, but the FTC proposed rule applies to non-HIPAA-covered entities that are not subject to HIPAA privacy and security requirements. Among the many comments the FTC seeks are those identifying which entities would fall under this rule. We believe this rule will strengthen the trust consumers/patients have in sharing information in their…
Evaluation: What This HIPAA Security Rule Administrative Safeguard Standard Means
This is the eighth Administrative Safeguard Standard of the HIPAA Administrative Simplification Security Rule. Its implementation specification is embodied in the language of the standard itself, and it is required of covered entities. Further, as HIPAA.com has noted earlier, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010, as provided for in the HITECH Act provisions of the American Recovery and Reinvestment Act, signed by President Obama on February 17, 2009. What is Required: Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of…
HITECH Guidance & RFI
HITECH Guidance & RFI, 45 CFR Parts 160 and 164. Agency: Office of the Secretary, Department of Health and Human Services.
Pay Attention to HITECH Act Definition of Breach: Lost Customers Big Cost Factor
The April 2009 issue of Baseline magazine has an article by Corinne Bernstein entitled “The Cost of Data Breaches,” which is available online at www.baselinemag.com. We recommend that covered entities and business associates review this article, which is based on a Ponemon Institute study of incidents and costs incurred at 43 organizations in 17 industry sectors. Here are several highlights: » “Lost business accounted for nearly 70 percent of a data breach in 2008.” » “[S]ectors suffering the highest customer losses were health care…and financial services.” » “The biggest cause of breaches…is insider negligence…88% of all cases in 2008.” » “The number of breaches involving third-party organizations continues to climb.” The article…
Word of the Day: EHR
Electronic health record (EHR): A secure, real-time, interoperable point-of-care, patient-centric information resource for clinicians. The EHR aids clinicians in decision making by providing access to patient health record information where and when they need it and by incorporating evidence-based decision support. The EHR automates and streamlines the clinicians’ workflow, closing loops in communication and response that result in delays or gaps in care. The EHR also supports the collection of data for uses other than direct clinical care, such as billing, quality management, outcomes reporting, resource planning, and public health disease surveillance and reporting.
Kudos to DOQ-IT
Praise goes out to the Doctors Office Quality – Information Technology (DOQ-IT) centers that worked tirelessly to assist physicians in selecting and implementing electronic health records. Effective April 16, 2009, DOQ-IT will end. Access to all DOQ-IT-related programming and resources on QualityNet (e.g., online registration, data submission, reports) will end April 16, 2009, at 5 p.m. Central Time. We have had the pleasure of working with most of the DOQ-IT program leaders, building substantial friendships. We hope that their work will be a strong impetus to build on as physicians continue to select, implement and thrive in a health IT environment.
Contingency Plan: Applications and Data Criticality Analysis: What to Do and How to Do It
In our series on the HIPAA Administrative Simplification Security Rule, this is the fifth implementation specification for the Administrative Safeguard Standard (Contingency Plan). This implementation specification is addressable. Remember, addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As HIPAA.com has noted in earlier postings, with enactment of the American Recovery and Reinvestment Act of 2009 (ARRA) on February 17, 2009, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010. What to Do: Assess the relative criticality of specific applications and data in support of other…