This article does an excellent job of summarizing the new and/or modified access rights that patients now have under HITECH as finalized by the Omnibus Rule.
As the article suggests, almost universally CEs and BAs will need to retrain staff and implement processes that were "minimalist" or did not exist at all heretofore. For many reasons, but primarily because HIPAA was an unenforced paper tiger before HITECH, CEs and BAs that believed they were "mostly compliant" are in for a rude awakening.
Hopefully for these organizations it is not an HHS audit or a lawsuit that awakens them from their slumber.
We are pleased to announce Release 1.0 of our Subscription Service which is available for purchase in our NewHIPAA Survival Guide Store along with our suite of Omnibus Rule Ready™ products. Our product suite has been updated to reflect Omnibus Rule modifications.
Our Subscription Service and products ("Products") provide policies, processes, and tracking mechanisms to help covered entities and business associates deliver visible, demonstrable evidence of HIPAA compliance. The HIPAA Rules tell you what is required in order to comply; our Products provide best practice step-by-step guidance that helps you meet your compliance objectives.
This five minute video is more than worth the price of admission. It gives you a succinct picture of where Big Data is taking us, including the healthcare industry. Of course Privacy and Security are going to be an important part of this story.
The video can be found on the BBC's website here.
The most important step for building a “good Security Rule compliance story” is for the business associate to get started. The approach recommended herein is to build the story iteratively over time. Most business associates (large or small) will likely need help in creating the story. Getting started in the wrong direction initially could be far more costly in the long run, since much of the compliance budget may simply be wasted. The framework discussed throughout this document provides a good road map to follow.
Our HIPAA Privacy Rule Checklist under HITECH ("Checklist") is intended to deliver guidance, including suggested policies, processes, and tracking mechanisms that will allow you to make sense out of this new terrain. It is intended as a knowledge transfer vehicle that allows you to derive the HIPAA Privacy Rule compliance solution that works best within your organization. Our Checklist will “walk you through” the relevant statutory/regulatory sections of the HIPAA Privacy Rule, highlighting the policies, processes and tracking mechanisms required at a granular level.
Our Checklist is comprised of Checklist Items that have the following components:
1) a policy statement that reflects an organization's intentions: the what;
2) a definition of a process by which the policy is implemented: the how; and
3) suggested tracking mechanism(s) for capturing process results: the measurement.
What is a Policy?
The word “policy” can be used in so many ways that it bears some exploration, especially for our purposes (i.e. as it pertains to HIPAA regulatory compliance). We often talk of “developing a policy,” or of “implementing a policy” or of “carrying out a policy.” For example, 45 CFR §164.530 (i) states as follows:
Standard: Policies and procedures. A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of this subpart and subpart D of this part.
Notice that a distinction is made between policies versus procedures. In general, we can think of a “policy” as a purposeful set of decisions or actions usually in response to a problem that has arisen. From a compliance perspective, a policy is a set of statements, including decisions and actions, regarding what an organization intends to do with respect to meeting its regulatory requirements (e.g. see our Breach Notification Policy). A policy indicates what an organization intends to do and is often also used as a communications vehicle of said intent.
Our Checklist contains a HITECH compliant Privacy Policy that can be used out-of-the-box or customized to meet your organization's specific requirements. However, our Checklist contains much more than mere policy statements. A policy is a necessary, but insufficient, component of a compliance initiative.
What is a Process?
A process is a repeatable series of steps that must be accomplished over time. From a HIPAA regulatory compliance perspective, processes are how policies get implemented. Policies without processes are nothing more than empty promises and will not prevent serious compliance liability. HHS is going to want to see evidence not only of policies but of processes as well. Every Checklist Item contains process suggestions that will enable you to quickly "stand-up" your Privacy Rule Compliance initiative.
What is a Tracking Mechanism?
A tracking mechanism is a way to keep track of process results. For example, QuickBooks is a tracking mechanism for accounting data and processes. You must be able to track the results of your compliance processes if you hope to provide visible demonstrable evidence that you are meeting your regulatory requirements.
Other components included in our Checklist?
Model HIPAA Privacy Policy – Comprised of the policy statements included in the individual Checklist Items with some global clauses added.
Model Notice of Privacy Practices – This document contains a Model Notice of Privacy Practices (“NOPP”) that is referenced from the Checklist.
Model Restriction Request Form – This document contains a Model Restriction Request Form to be used by patients when they submit PHI restriction requests.
Model Patient Request Log – This document contains a Model Patient Request Log to be used by workforce members for logging patient requests for: 1) restrictions; 2) authorization; 3) PHI access; etc.
H2 Compliance Scorecard – H2 Compliance Scorecard for the Checklist. The Scorecard can be used as an internal tracking system to log an organization’s Privacy Rule compliance improvement initiative over time.
Customize It!
Our HIPAA Privacy Rule Checklist under HITECH was developed in a manner that lends itself readily to customization in order to meet the unique requirements of Your Organization.
View the content of our Business Associate Contract and realize the full value it contains
Why should you buy our Business Associate Agreement Model Contract?
HITECH, HIPAA, & Omnibus Rule Compliant – The provisions in our model Business Associate Agreement meet the requirements of the HIPAA, including the Omnibus Rule, and the HITECH Act.
QUICK and EASY – For most small practices/businesses this agreement is a “right out of the box” solution. You can literally just fill in the blanks on the Business Associate Agreement Template, print it out and you’re ready to go.
REUSE IT – Your business entity/practice can reuse the Business Associate Agreement Template for each and every Business Associate/Covered Entity relationship requiring a Business Associate Agreement.
CUSTOMIZABLE – Even though the Business Associate Agreement Template was developed to be an “out of the box” solution for small practices and businesses, the supporting annotated documents and user’s guide walk you through the contract, identifying potential issues and making suggestions for suitable modifications to the agreement.
KNOW What You’re SIGNING - Sooner or later, someone from another practice or business is going to put their version of a Business Associate Agreement in front of you. Our annotated agreement and user’s guide helps you fully understand what you are committing your organization to when you sign on their dotted line. Moreover, you will be able to better identify any pitfalls or omissions the “other guys” may have in their agreement.
Download it NOW! - As soon as you complete your purchase you will receive an e-mail with instructions for downloading your copy of the Business Associate Agreement and supporting documentation.
Here’s what you get when you purchase our Business Associate Agreement Model Contract:
Business Associate Agreement Template – You’ll receive a HIPAA/HITECH compliant Business Associate Agreement in both Microsoft Word (.doc) and Adobe (.pdf) formats. The MS Word version is fully editable and is ready for you to simply fill in the appropriate blanks. The extra .pdf version serves as a handy reference.
Annotated Version of the Business Associate Agreement – A fully annotated PDF version of the Agreement containing embedded commentary and references/citations to the HITECH Act and related regulations (.pdf file).
Business Associate Agreement User’s Guide – Contains a step by step analysis of each clause in the Business Associate Agreement Template, with commentary and links to additional information. It provides insight into relevant legal issues and will keep you informed with regard to the essential terms of the agreement.
The Relevant Sections from the HITECH Act – Copies of Sections 13401, 13402, 13404 and 13408 of the HITECH Act for your reference (.pdf files).
Supporting Links – The Business Associate Agreement and supporting documents link to the relevant statutory/regulatory authority that underpins each clause in the agreement.
Anecdotally, those of us who interact with the healthcare industry on a daily basis from a privacy and security perspective have known for a long time that the industry was woefully behind other industries (e.g. online banking). Therefore, it doesn't come as much of a surprise to learn from experts that the healthcare industry is the most easily hacked (e.g. according to this expert the retail industry is in better shape).
Privacy and security are simply NOT top priorities for most providers. Granted, the industry has its "hair on fire" at the moment with 150 years of change rolled into 10, but that's not the real issue. The real issue is that the industry, en masse, fails to understand that what is required is a culture of compliance (i.e. compliance built into the day-to-day operations of existing and future business models). Until top executives realize the import of culture, nothing of significance will change. The industry will simply roll from breach to breach, blind and oblivious, continuously whining about being over-regulated.
Our HIPAA Cloud, Social Media, and Mobile Checklist ("CSMM") under HITECH ("Checklist") is intended to deliver guidance, including suggested policies, processes, and tracking mechanisms that allow you to make sense out of this new and quickly evolving terrain. The healthcare industry is adopting Cloud, Social Media, and Mobile technologies at an unprecedented rate. Although these enabling technologies collectively help drive the point of care anywhere vision and productivity, they also present unique and unanticipated compliance challenges. Our Checklist is intended as a knowledge transfer vehicle that allows you to derive the CSMM compliance solution that works best within your organization. Our Checklist will “walk you through” the relevant sections of the CSMM, highlighting the policies, processes and tracking mechanisms required at a granular level.
Our Checklist is comprised of Checklist Items that have the following components:
1) a policy statement that reflects an organization's intentions: the what;
2) a definition of a process by which the policy is implemented: the how; and
3) suggested tracking mechanism(s) for capturing process results: the measurement.
What is a Policy?
The word “policy” can be used in so many ways that it bears some exploration, especially for our purposes (i.e. as it pertains to HIPAA regulatory compliance). We often talk of “developing a policy,” or of “implementing a policy” or of “carrying out a policy.” For example, 45 CFR §164.530 (i) states as follows:
Standard: Policies and procedures. A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of this subpart and subpart D of this part.
Notice that a distinction is made between policies versus procedures. In general, we can think of a “policy” as a purposeful set of decisions or actions usually in response to a problem that has arisen. From a compliance perspective, a policy is a set of statements, including decisions and actions, regarding what an organization intends to do with respect to meeting its regulatory requirements (e.g. see our Breach Notification Policy). A policy indicates what an organization intends to do and is often also used as a communications vehicle of said intent.
Our Checklist contains the following policies: Cloud, Social Media and Mobile; each of which can be used out-of-the-box or customized to meet your organization's specific requirements. However, our Checklist contains much more than mere policy statements. A policy is a necessary, but insufficient, component of a compliance initiative.
What is a Process?
A process is a repeatable series of steps that must be accomplished over time. From a HIPAA regulatory compliance perspective, processes are how policies get implemented. Policies without processes are nothing more than empty promises and will not prevent serious compliance liability. HHS is going to want to see evidence not only of policies but of processes as well. Every Checklist Item contains process suggestions that will enable you to quickly "stand-up" your CSMM Compliance initiative.
What is a Tracking Mechanism?
A tracking mechanism is a way to keep track of process results. For example, QuickBooks is a tracking mechanism for accounting data and processes. You must be able to track the results of your compliance processes if you hope to provide visible demonstrable evidence that you are meeting your regulatory requirements.
Other components included in our Checklist?
Model Cloud Computing Policy – Comprised of Cloud policy statements included in the individual Checklist Items with some global clauses added.
Model Social Media Policy – Comprised of Social Media policy statements included in the individual Checklist Items with some global clauses added.
Model Mobile Policy – Comprised of Mobile policy statements included in the individual Checklist Items with some global clauses added.
H2 Compliance Scorecard – H2 Compliance Scorecard for the Checklist. The Scorecard can be used as an internal tracking system to log an organization’s CSMM compliance improvement initiative over time.
Customize It!
Our CSMM Checklist under HITECH was developed in a manner that lends itself readily to customization in order to meet the unique requirements of Your Organization.
We have argued that the HHS Omnibus Rule ("the Rule") is neither a "Tweak" nor a "Sweeping Reform." There is far too much substantive law included in the Rule for it to be characterized as the former. It also cannot be characterized as the latter. However, the HITECH Act WAS sweeping and, for the most part, the Rule is simply HITECH-izing the Privacy Rule, the Security Rule, the Breach Notification Rule, and the Enforcement Rule.
Sure, there are some "odds and ends" that deal with something other than these Rules, but that is a very small part. What is "sweeping," however, is the clarification and commentary that HHS has provided as part of the Final Rule. For the foreseeable future the PDF version of the Rule will remain the go-to place for HHS guidance on any number of issues. Although the next version of our FREE Newsletter will attempt to summarize the changes under the various Rules, there is simply no substitute for going to the source itself.
The HHS Summary
HHS summarized the over 500 pages of Omnibus Rule as follows:
This omnibus final rule is comprised of the following four final rules:
1. Final modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and certain other modifications to improve the Rules, which were issued as a proposed rule on July 14, 2010. These modifications:
a) Make business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules' requirements.
b) Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without individual authorization.
c) Expand individuals' rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.
d) Require modifications to, and redistribution of, a covered entity's notice of privacy practices.
e) Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others.
f) Adopt the additional HITECH Act enhancements to the Enforcement Rule not previously adopted in the October 30, 2009, interim final rule (referenced immediately below), such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.
2. Final rule adopting changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act, originally published as an interim final rule on October 30, 2009.
3. Final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which replaces the breach notification rule's "harm" threshold with a more objective standard and supplants an interim final rule published on August 24, 2009.
4. Final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes, which was published as a proposed rule on October 7, 2009.
The HIPAA Survival Guide Review
Although HHS presents an excellent summary at 100K feet, we will attempt a more detailed summary that gives you a look at the prominent changes under each rule. In addition the Full Omnibus Rule Text, as reflected in the updated Rules, is now available on the HIPAA Survival Guide. It is safe to say that "we aren't in Kansas anymore and this is not your daddy's HIPAA."