HIPAA.com

Contingency Plan: Testing and Revision Procedures-What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the fourth implementation specification for the Administrative Safeguard Standard (Contingency Plan). This implementation specification is addressable. Remember, addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As HIPAA.com has noted in earlier postings, with enactment of the American Recovery and Reinvestment Act of 2009 (ARRA) on February 17, 2009, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010. What to Do Implement procedures for periodic testing and revision of contingency plans. How to Do…

Ed JonesHIPAA Law2009, 2010, addressable, Administrative Safeguard Standard, American Recovery and Reinvestment Act of 2009, ARRA, business associate, contingency plan, covered entity, data backup plan, disaster recovery plan, documented in writing, electronic protected health information, emergency mode operation plan, emergency safeguard, February 17, HIPAA Administrative Simplification, implementation specification, periodic testing, plan effectiveness, reasonable and appropriate, Risk Analysis, Security Official, Security Rule, testing and revision procedures, workforce memberLeave a comment

Contingency Plan: Emergency Mode Operation Plan-What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the third implementation specification for the Administrative Safeguard Standard (Contingency Plan). This implementation specification is required. As HIPAA.com has noted in earlier postings, with enactment of the American Recovery and Reinvestment Act of 2009 (ARRA) on February 17, 2009, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010. What to Do Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in the emergency mode. How to Do It Covered entities are required to develop…

Ed JonesHIPAA Law2009, 2010, Administrative Safeguard Standard, American Recovery and Reinvestment Act of 2009, ARRA, backup site, business associate, contingency plan, covered entity, disaster, documented in writing, electrical power, electronic protected health information, emergency mode operation plan, February 17, HIPAA Administrative Simplification, implementation specification, required, Risk Analysis, risk mitigation, Security Rule, testing, workforce memberLeave a comment

Contingency Plan: Disaster Recovery Plan-What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the second implementation specification for the Administrative Safeguard Standard (Contingency Plan). This implementation specification is required. As HIPAA.com has noted in earlier postings, with enactment of the American Recovery and Reinvestment Act of 2009 (ARRA) on February 17, 2009, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010. What to Do Establish (and implement as needed) procedures to restore any loss of data. How to Do It The content and procedures of a covered entity’s disaster recovery plan will be » Outcomes of the covered entity’s identification of vulnerabilities and…

Ed JonesHIPAA Law2009, 2010, 800-34, Administrative Safeguard Standard, American Recovery and Reinvestment Act of 2009, ARRA, business associate, contingency plan, Contingency Planning Guide for Information Technology Systems, covered entity, disaster recovery plan, electronic protected health information, emergency mode operation plan, February 17, Federal Register, HIPAA Administrative Simplification, implementation specification, loss of electricity, National Institute of Standards and Technology, NIST, required, Risk Analysis, safeguard, Security Official, Security Rule, threats, vulnerabilities, Wikipedia, workforce, worst-case scenarioLeave a comment

Direct Data Entry-No Change in the 5010 Final Rule

In the August 17, 2000 Final Rule for Standards for Electronic Transactions, direct data entry was defined as “direct entry of data (for example, using dumb terminals or web browsers) that is immediately transmitted into a health plan’s computer.” [65 Federal Register 50367] An exception for direct data entry was articulated in the August 17, 2000, Final Rule: A health care provider electing to use direct data entry offered by a health plan to conduct a transaction for which a standard has been adopted under this part must use the applicable data content and data condition requirements of the standard when conducting the transaction. The health care provider is not…

Ed Jones50102000, 2009, 2012 compliance date, American Recovery and Reinvestment Act, August 17, benefit, CFR Section 162.925(b), direct data entry, dumb terminals, eligibility, FAQ, February 17, Federal Register, Final Rule for Standards for Electronic Transactions, Frequently Asked Question, HHS, HITECH, January 1, January 16, Modifications to HIPAA Transactions standards, preamble, President Obama, transaction standard data content requirements, transaction standard format requirements, version 5010, version D.0, Web, web browser, X12 270/271Leave a comment

Contingency Plan: Data Backup-What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the first implementation specification for the Administrative Safeguard Standard (Contingency Plan). This implementation specification is required. As HIPAA.com has noted in earlier postings, with enactment of the American Recovery and Reinvestment Act of 2009 (ARRA) on February 17, 2009, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010. What to Do Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. How to Do It Covered entities must backup electronic protected health information on a regular basis. When a computer system fails, it may…

Ed JonesSecurity2009, 2010, Administrative Safeguard Standard, American Recovery and Reinvestment Act of 2009, ARRA, business associate, contingency plan, covered entity, data backup, data safe, electronic media, electronic protected health information, encrypted, exact-copy, February 17, HIPAA Administrative Simplification, implementation specification, President Obama, required, Risk Analysis, secure location, Security Rule, StandardsLeave a comment

Contingency Plan: Sample Policy and Procedures

This is the seventh Administrative Safeguard Standard of the HIPAA Administrative Simplification Security Rule. It has five implementation specifications: Data backup plan; Disaster recovery plan; Emergency mode operation plan; Testing and revision procedures; and Applications and data criticality analysis. The first three are required; the last two are addressable. Addressable does not mean optional. Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. Further, as HIPAA.com has noted earlier, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010. HIPAA.com will outline What to do and How to do it for each…

Ed JonesSecurity2010, addressable, Administrative Safeguard Standard, applications and data criticality analysis, business associates, contingency plan, contingency planning group, covered entity, data backup plan, disaster recovery plan, electronic protected health information, emergency mode operation plan, February 17, HIPAA Administrative Simplification, How to do it, implementation specifications, required, Risk Analysis, Sample policies and procedures, Security Official, Security Rule, testing and revision procedures, What to do, workforce membersLeave a comment

Contingency Plan-What This HIPAA Security Rule Administrative Safeguard Standard Means

This is the seventh Administrative Safeguard Standard of the HIPAA Administrative Simplification Security Rule. It has five implementation specifications: Data backup plan; Disaster recovery plan; Emergency mode operation plan; Testing and revision procedures; and Applications and data criticality analysis. The first three are required; the last two are addressable. Addressable does not mean optional. Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. Further, as HIPAA.com has noted earlier, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010. If a fire swept through a covered entity’s facility, the covered entity would…

Ed JonesSecurity2009, 2010, addressable, Administrative Safeguard Standard, American Recovery and Reinvestment Act (ARRA), business associate, chemical spill, contingency plan, covered entity, data backup, data criticality, disaster recovery, disk crash, earthquake, electronic business systems, electronic protected health information, emergency mode operation, February 17, fire, flood, HIPAA Security Rule, HITECH, hurricane, implementation specification, natural disasters, planning group, policies and procedures, power outage, President Obama, required, Risk Analysis, Security Official, system failure, testing and revision, theft, threats and vulnerabilities, tornado, vandalismLeave a comment

Business Associate To-Do List

What are Business Associates Required to Do to Meet HIPAA Requirements? With passage of the American Recovery and Reinvestment Act (ARRA), privacy and security compliance increased significantly with business associates immediately required to comply directly with many of HIPAA’s rules. It also dramatically expanded other remedial actions (such as increasing federal government audits; granting attorneys fees in some HIPAA lawsuits; and allowing a method for individuals to recover penalties under HIPAA). Business associates also are subject to civil and criminal penalties , including a provision that allows individuals to receive financial compensation for the violation. If you are a business associate, your “To-Do” list looks similar to the list the…

Carolyn HartleyAmerican Recovery and Reinvestment ActHIPAA Business Associate, penalties, TrainingLeave a comment

5010/D.0 Effective Date Tuesday, March 17, 2009; Compliance Date January 1, 2012

The version modification to the HIPAA Administrative Simplification transaction standards becomes effective Tuesday, March 17, 2009. Here are several critical things to know, drawn directly from the final rule published in the Federal Register on January 16, 2009. The final rule is available for download on the HIPAA.com site. Effective Date: The effective date [March 17, 2009] is the date that the policies set forth in this final rule take effect, and new policies are considered to be officially adopted. [74 Federal Register 3302] Compliance Date: On January 1, 2012, all covered entities will have reached Level 2 compliance, and must be fully compliant in using Versions 5010 and D.0…

Ed Jones50102009, 2009; January 1, 2012, 2013, 5010/D.0, civil money penalties, compliance date, contingency plan, covered entities, effective date, Federal Register, HHS, HIPAA Administrative Simplification, ICD-10, January 16, March 17, October 1, transaction standardLeave a comment

New Director of Office of Recovery Act Coordination

Dennis Williams has been selected to be HHS’ Deputy Assistant Secretary for Recovery Act Coordination. Mr. Williams most recently served as Health Resources and Services Administration’s (HRSA) Deputy Administrator, a post he held from 2002-2009. Prior to joining HRSA, Williams served as acting Assistant Secretary in HHS’ Office of the Assistant Secretary for Management and Budget (OASMB, currently ASRT) from 2001 to 2002. From 1985-2001 he served as Deputy Assistant Secretary for Budget in OASMB. The Office of Recovery Act Coordination, which reports to the Assistant Secretary for Resources and Technology (ASRT), will ensure that the Act’s requirements and OMB’s guidance are followed, including: » Making sure that reporting due…

Carolyn HartleyHealth IT and HITECHLeave a comment