February 01, 2012

Data Breaches: State AGs will become more agressive in 2012?

The Illinois Personal Information Protection Act (PIPA) requires that any “data collector”, which includes businesses, universities, governmental agencies or any other entity that deals with personal information, notify Illinois residents in the event of a data security breach.     

via privacylaw.proskauer.com

We have written previously that 2012 will be the year of enforcement (see this post). It will also be the year of the data breach. In 2012 State AGs will awaken from their slumber and start going after companies on the wrong side of this issue. They have a statutory right to bring an action under the HITECH Act, and as the link above illustrates they may become increasingly more agressive in bringing actions under state law law well.

In 2012 State AGs will awaken from

their slumber and start going after

companies on the wrong side of 

this issue.

 

The States are starving for revenue and the time is right with cybersecurity now a front and center national issue. You don't need a crystal ball to understand that this is where we are headed in the short run. Therefore, covered entities and business associates are well advised to get their houses in order.

HSGLogo Looking for best of breed HIPAA Training?

To stay current on the HITECH Act and its quickly changing regulatory scheme visit the HITECH Survival Guide website and/or sign up for our free monthly compliance newsletter. Also, check out our FREE EHR Checklist.

If you need tools that will help with your compliance initiatives then check out the HSG Store. Do you need an Internet Lawyer with HITECH /HIPAA experience?

Posted at 02:40 PM in HIPAA Breach Notificaiton, HIPAA Compliance, HITECH Act |

January 31, 2012

HSG Radio: Preview of HHS Proposed Omnibus Rule?

When: Fri, Feb 3, 2012 03:00PM

This show will explore part of the proposed HHS Omnibus Rule: "modifications to the Enforcement Rule." The HHS Omnibus Rule ("OR") mostly concerns sections of the HITECH Act that went into effect on February 18, 2010. There was an NPRM that was issued on July 14, 2010 that contained the changes proposed for the final rule. HHS has not broken any "land speed records" in finalizing the OR, but all indications are that it will be forthcoming "soon" so now is an appropriate time to preview it. Next week's show will explore subsequent parts of the OR.

Here's our 1/27/2012 episode.

You can follow our weekly show (and review a complete list of the archived episodes) here.

Listen to internet radio with cleyva on Blog Talk Radio

HSGLogo Looking for best of breed HIPAA Training?

To stay current on the HITECH Act and its quickly changing regulatory scheme visit the HITECH Survival Guide website and/or sign up for our free monthly compliance newsletter. Also, check out our FREE EHR Checklist.

If you need tools that will help with your compliance initiatives then check out the HSG Store. Do you need an Internet Lawyer with HITECH /HIPAA experience?

 

Posted at 05:29 PM in HIPAA Compliance, HITECH/HIPAA |

January 28, 2012

HSG Radio Archive: Business Associates: That was Then, This is Now

Here's our 1/27/2012 episode.

You can follow our weekly show (and review a complete list of the archived episodes) here.

Listen to internet radio with cleyva on Blog Talk Radio

HSGLogo Looking for best of breed HIPAA Training?

To stay current on the HITECH Act and its quickly changing regulatory scheme visit the HITECH Survival Guide website and/or sign up for our free monthly compliance newsletter. Also, check out our FREE EHR Checklist.

If you need tools that will help with your compliance initiatives then check out the HSG Store. Do you need an Internet Lawyer with HITECH /HIPAA experience?

 

Posted at 08:12 AM in HIPAA Compliance, HIPAA Survival Guide Radio, HITECH Act |

January 27, 2012

HSG Radio - Business Associates: That was Then, This is Now!

When: Friday January 27, 2012 3:00 EST.

This show will discuss the changing role and responsibilities of business associates under the HITECH Act. Including the proposed HHS omnibus rule that is likely to make subcontractors of business associates statutorily "on the hook" for complying with the HIPAA Security Rule and the relevant sections of the HIPAA Privacy Rule, made applicable to them via a written contract.

To list click here or cut and paste this URL into a browser:

http://www.blogtalkradio.com/hipaasurvivalguide/2012/01/27/business-associates-that-was-then-this-is-now

Here's the overview video of our show. To participate via chat you will need to create a FREE Blog Talk Radio account. No account is necessary just to listen. Archived copies of shows will be made available.

HSGLogo Looking for best of breed HIPAA Training?

To stay current on the HITECH Act and its quickly changing regulatory scheme visit the HITECH Survival Guide website and/or sign up for our free monthly compliance newsletter. Also, check out our FREE EHR Checklist.

If you need tools that will help with your compliance initiatives then check out the HSG Store. Do you need an Internet Lawyer with HITECH /HIPAA experience?

 

Posted at 09:18 AM in Business Associates, HIPAA Survival Guide Radio |

January 24, 2012

HIPAA Compliance: Is 2012 the year of enforcement (redux)?

Harsher data protection sanctions are coming - When Apollo wanted to stop Laokoon from warning the Trojans that there were Greek soldiers in the famous Trojan Horse, he sent two giant snakes to kill Laokoon and his sons. Talk about sanctions...

via peterfleischer.blogspot.com/

Peter Fleischer is Google's Privacy General Counsel. In the post above, he writes about increased data breach enforcement across the globe. We recently wrote about 2012 as the year of enforcement here. Peter is not writing specifically about the healthcare industry (i.e. especially since Google Health is no longer with us), but he does have a great perspective as someone who tracks these issues globally, and needless to say, for one of the most powerful corporations on the planet.

HSGLogoThere will be blood...the healthcare

industry is well advised to wake-up

and smell the data breaches...2012

will be the year of enforcement.

 

Many socioeconomic phenomenon manifests themselves in repeatable patterns (e.g. the business cycle, elections, etc.). Right now there is little doubt that privacy is a "hot issue" and is likely to remain so in the foreseeable future. From a policy and enforcement perspective the pendulum is now swinging in the other direction. In other words "there will be blood." The healthcare industry is well advised to "wake-up and smell the data breaches."

HSGLogo Looking for best of breed HIPAA Training?

To stay current on the HITECH Act and its quickly changing regulatory scheme visit the HITECH Survival Guide website and/or sign up for our free monthly compliance newsletter. Also, check out our FREE EHR Checklist.

If you need tools that will help with your compliance initiatives then check out the HSG Store. Do you need an Internet Lawyer with HITECH /HIPAA experience?

 

Posted at 10:39 AM in HIPAA Compliance, HITECH Act |

January 23, 2012

Another day another PHI data breach lawsuit?

The consulting firm that lost a laptop computer with medical data on 23,500 Minnesotans last summer has been sued by Minnesota Attorney General Lori Swanson, who says it violated health privacy laws and state consumer protections.

via www.startribune.com

Many are asking whether 2012 is going to be the year of HITECH Act enforcement and I believe that there are many signs that point in that direction.

  • The States are starving for revenue and suits against large covered entities and business associates could be used to fill up the coffers. Most of these cases will settle so state AG's may not even need to use significant resources to get the money. Nice work if you can get it.
  • KPMG will continue its "mandatory audit" program under contract with HHS. Early findings may provide significant fodder for HHS to kickstart its virtual money machine (fines levied go into HHS coffers).
  • We are going to continue to see high profile breaches and this will put additional pressure on HHS to "DO SOMETHING." Pressure is likely to come from Congress as they get sick of getting beat up by consumer advocacy groups.
  • HHS will deliver the final version of the NPRM released in July 2010 (i.e. the "Omnibus Rule") which is likely to set the stage for enhanced enforcement (e.g. against business associates).

Everyone, including HHS, understands that HIPAA prior to the HITECH Act was unenforced. The HITECH Act was meant to send a message that there was new sheriff in town. In 2012 HHS will start to deliver the message.

HSGLogo Looking for best of breed HIPAA Training?

To stay current on the HITECH Act and its quickly changing regulatory scheme visit the HITECH Survival Guide website and/or sign up for our free monthly compliance newsletter. Also, check out our FREE EHR Checklist.

If you need tools that will help with your compliance initiatives then check out the HSG Store. Do you need an Internet Lawyer with HITECH /HIPAA experience?

 

 

Posted at 11:33 AM in HIPAA Compliance, HITECH Act |

January 20, 2012

HIPAA Survival Guide Radio: Patient's Bill of Rights

Here's our kickoff episode.

Listen to internet radio with cleyva on Blog Talk Radio

You can follow our weekly show (and review a complete list of the archived episodes) here.

HSGLogo Looking for best of breed HIPAA Training?

To stay current on the HITECH Act and its quickly changing regulatory scheme visit the HITECH Survival Guide website and/or sign up for our free monthly compliance newsletter. Also, check out our FREE EHR Checklist.

If you need tools that will help with your compliance initiatives then check out the HSG Store. Do you need an Internet Lawyer with HITECH /HIPAA experience?

 

Posted at 04:34 PM in HIPAA Compliance, HIPAA Survival Guide Radio, HITECH Act |

Money Ball Healthcare Business Models?

Editor’s note: This guest post was written by Dave Chase, the CEO of Avado.com, a patient portal & relationship management company that was a TechCrunch Disrupt finalist. Previously he was a management consultant for Accenture’s healthcare practice and founder of Microsoft’s Health platform business. You can follow him on Twitter@chasedave.

via techcrunch.com

The post above is NOT about technology companies disrupting healthcare, but rather the use of technology by healthcare providers to disrupt the healthcare industry. Going forward, it will be the use of technology, and not the technology itself, that will be disruptive. That said, obviously technology will remain a huge enabler of the disruption.

HSGLogoDisruptive business models will

build world class privacy and security

into the mix from the onset...that is

how important an issue it is becoming

in the minds of healthcare consumers. 

This has already happened despite the fact that "use" generally does not get the same press as the "technolgy." The print industry was NOT disrupted by technology, it was disrupted by clever individuals with industry knowledge with the vision of how to use technology in a way to deliver more value for less, capturing the lion's share of the monetization in a few short years.

We have often written about healthcare innovation as the real disrupter and, going forward, you are likely to see disruptive business models build privacy and security into the mix from the onset. That is how important an issue it is becoming. The healthcare compliance status quo is dead.

 

HSGLogo Looking for best of breed HIPAA Training?

To stay current on the HITECH Act and its quickly changing regulatory scheme visit the HITECH Survival Guide website and/or sign up for our free monthly compliance newsletter. Also, check out our FREE EHR Checklist.

If you need tools that will help with your compliance initiatives then check out the HSG Store. Do you need an Internet Lawyer with HITECH /HIPAA experience?

 

Posted at 08:34 AM in HIPAA Compliance, HIPAA Compliance Software, HITECH Act |

January 18, 2012

HIPAA Compliance: HHS Omnibus Rule Part III

This post will summarize the changes to 45 CFR 164 Subpart A (General Provisions). The general provisions pertain to both the HIPAA Privacy Rule and the HIPAA Security Rule. This post will also summarize the changes to the HIPAA Rules themselves.

Subpart A - General Provisions

  • Statutory Basis § 164.102  will be modified to include HITECH Act references to 13400 through 13424.
  • Applicability § 164.104  will be modified to reflect changes to business associates.
  • Organizational Requirements § 164.105 will reflect changes that this section applies to 164 Subpart D as well (i.e. the Breach Notification Rule).
  • Organizational Requirements § 164.105 will also include a number of other minor technical changes and clarification modifications.

HIPAA Security Rule

  • References will be added throughout the Security Rule to indicate that the Rule now applies to business associates as well as covered entities.
  • Security standards: General rules § 164.306 will be modified to specifically reflect that sections § 164.308, § 164.310, and § 164.312 also apply to business associates.
  • Administrative safeguards § 164.308; certain exceptions as to who qualifies as a business associate are being removed because these exceptions will be included in the new definition of business associate. Also modifications are being made reflecting the fact that a written contract will now be required between business associates and their subcontractors (i.e. under the OR subcontractors will be treated as business associates).
  • Organizational requirements § 164.314 will now apply to business associates as well, despite the fact that it was not one of the enumerated sections of HITECH 13401.

Clearly, as illustrated above, many of the changes to the Security Rule are being driven by the fact that business associates are now statutorily required to comply with the Rule under HITECH 13401.

HIPAA Privacy Rule

  • Applicability § 164.500  will be modified to reflect changes requiring  business associates  to comply with HITECH 13404
  • Definitions § 164.501: modifications to   "Heath Care Operations" and "Marketing" are proposed and discussed at length in the NPRM.
  • Uses and Disclosures § 164.502 are being modified because HITECH 13404 "creates direct liability for noncompliance by business associates" for the Privacy Rule requirements contained therein. Other detailed modifications to § 164.502  are also discussed at length in the NPRM.
  • Uses and disclosures: organizational requirements (i.e. business associate agreements) § 164.504 is being modified to reflect change under HITECH 13404.
  • Uses and disclosures for which an authorization is required § 164.508; the sale of PHI will now require an authorization under HITECH 13405(d)(1)
  • Transition provisions § 164.532; changes proposed to provide for a 1 year compliance period (i.e. instead of 180 days) in order to make conforming changes to business associate agreements.
  • Uses and disclosures for which an authorization or opportunity to agree or object is not required (disclosure of student immunizations to schools) § 164.512; proof of immunization will be treated as a public health disclosure and therefore expressly permitted under the Privacy Rule.
  • Other requirements relating to uses & disclosures of protected health information § 164.514 (f) (fund-raising); under HITECH 13406(b) covered entities are required to provide a conspicuous "opt out" provision regarding fund-raising communications. HHS proposes to "strengthen the opt out by requiring that the covered entity provide, with each fund-raising communication sent to an individual...a clear and conspicous opportunity to elect not to receive further fund-raising communications."
  • Notice of privacy practices ("NOPP") for protected health information§ 164.520; HHS proposes to make material changes to what is required in the NOPP and therefore readers are encouraged to review the NPRM in detail regarding these modifications. 
  • Rights to request privacy protection for protected health information § 164.522; HHS proposes to modify this section consistent with HITECH 13405(a).
  • Access of individuals to protected health information § 164.524; HHS proposes to modify this section consistent with HITECH 13405(e) to reflect new rights regarding access to PHI in those instances where covered entities have implemented electronic health records.

As you can see from the discussion above, the OR encompasses a large number of changes in order to make the Rules conform to the HITECH Act and to otherwise clarify ambiguities and correct some technical problems.

This series of posts are intended as a shorthand summary to proposed OR changes so that readers can begin to see the forest from the trees. Here's Part II of this series of posts.

HSGLogo Looking for best of breed HIPAA Training?

To stay current on the HITECH Act and its quickly changing regulatory scheme visit the HITECH Survival Guide website and/or sign up for our free monthly compliance newsletter. Also, check out our FREE EHR Checklist.

If you need tools that will help with your compliance initiatives then check out the HSG Store. Do you need an Internet Lawyer with HITECH /HIPAA experience?

 

Posted at 01:11 PM |

January 16, 2012

HIPAA Survival Guide Radio?

Our weekly radio show kicks off this Friday (see below). Each week we will discuss topics related to how the HITECH Act is transforming HIPAA and: 1) provide exposure to industry thought leaders; 2) provide analysis of proposed and promulgated HHS/OCR rule making; and 3) provide a forum for sharing industry best practices.

Here's the overview video. To participate via chat you will need to create a FREE Blog Talk Radio account. No account is necessary just to listen. Archived copies of shows will be made available. This week's show will be discussing the Patient's Bill of Rights under the HITECH Act.

Date: January 20, 2012. 

Time: 3:00 to 3:30 EST. 

To listen Click Here or cut and paste this URL into your browser address line on the designated date.time:

http://www.blogtalkradio.com/hipaasurvivalguide/2012/01/20/hipaa-privacy-rule-patients-bill-of-rights

 

Posted at 03:56 PM in HIPAA Compliance |

« Previous | Next »
My Photo

About

NEWSLETTER


  • Email Newsletter icon, E-mail Newsletter icon, Email List icon, E-mail List icon
    Sign up for a FREE
    HITECH / HIPAA
    Compliance Newsletter

    Enter your email address

Hot off the Press

Categories

Greatest Hits

Blog Roll

CC

Tools

  • Google Analytics

Become a Fan

EHR Tools

EHR Collateral


Become a Fan

Essays and Such

  • HIPAA Survival Guide (PDF)
    Read the HSG in PDF format.
  • HIPAA Survival Guide (online)
    Practical advice for health care practitioners.

  • Search, KM & the Practice of Law

  • Silicon Stories eBook

  • Dirty Little Secret

  • Competitive Advantage

  • Process Patterns

  • Movie Making and Software Development

  • The Missing Factory

  • Architecture: Shack, House or Skyscraper?

  • The Talent Wars

  • Knowledge Management and Infotainment

  • What comes after what comes next?

Silicon Stories Online

February 2012

Sun Mon Tue Wed Thu Fri Sat
      1 2 3 4
5 6 7 8 9 10 11
12 13 14 15 16 17 18
19 20 21 22 23 24 25
26 27 28 29      

Archives

More...