This show will explore part of the proposed HHS Omnibus Rule: "modifications to the Enforcement Rule." The HHS Omnibus Rule ("OR") mostly concerns sections of the HITECH Act that went into effect on February 18, 2010. There was an NPRM that was issued on July 14, 2010 that contained the changes proposed for the final rule. HHS has not broken any "land speed records" in finalizing the OR, but all indications are that it will be forthcoming "soon" so now is an appropriate time to preview it. Next week's show will explore subsequent parts of the OR.
Here's our 1/27/2012 episode.
You can follow our weekly show (and review a complete list of the archived episodes) here.
If you need tools that will help with your compliance initiatives then check out the HSG Store. Do you need an Internet Lawyer with HITECH /HIPAA experience?
This show will discuss the changing role and responsibilities of business associates under the HITECH Act, including the proposed HHS omnibus rule that is likely to make subcontractors of business associates statutorily "on the hook" for complying with the HIPAA Security Rule and the relevant sections of the HIPAA Privacy Rule, made applicable to them via a written contract.
To listen click here or cut and paste this URL into a browser:
Here's the overview video of our show. To participate via chat you will need to create a FREE Blog Talk Radio account. No account is necessary just to listen. Archived copies of shows will be made available.
Harsher data protection sanctions are coming - When Apollo wanted to stop Laokoon from warning the Trojans that there were Greek soldiers in the famous Trojan Horse, he sent two giant snakes to kill Laokoon and his sons. Talk about sanctions...
Peter Fleischer is Google's Privacy General Counsel. In the post above, he writes about increased data breach enforcement across the globe. We recently wrote about 2012 as the year of enforcement here. Peter is not writing specifically about the healthcare industry (i.e. especially since Google Health is no longer with us), but he does have a great perspective as someone who tracks these issues globally, and needless to say, for one of the most powerful corporations on the planet.
There will be blood...the healthcare industry is well advised to wake-up and smell the data breaches...2012 will be the year of enforcement.
Many socioeconomic phenomena manifest themselves in repeatable patterns (e.g. the business cycle, elections, etc.). Right now there is little doubt that privacy is a "hot issue" and is likely to remain so in the foreseeable future. From a policy and enforcement perspective the pendulum is now swinging in the other direction. In other words "there will be blood." The healthcare industry is well advised to "wake-up and smell the data breaches."
The consulting firm that lost a laptop computer with medical data on 23,500 Minnesotans last summer has been sued by Minnesota Attorney General Lori Swanson, who says it violated health privacy laws and state consumer protections.
Many are asking whether 2012 is going to be the year of HITECH Act enforcement and I believe that there are many signs that point in that direction.
The States are starving for revenue and suits against large covered entities and business associates could be used to fill up the coffers. Most of these cases will settle so state AG's may not even need to use significant resources to get the money. Nice work if you can get it.
KPMG will continue its "mandatory audit" program under contract with HHS. Early findings may provide significant fodder for HHS to kickstart its virtual money machine (fines levied go into HHS coffers).
We are going to continue to see high profile breaches and this will put additional pressure on HHS to "DO SOMETHING." Pressure is likely to come from Congress as they get sick of getting beat up by consumer advocacy groups.
HHS will deliver the final version of the NPRM released in July 2010 (i.e. the "Omnibus Rule") which is likely to set the stage for enhanced enforcement (e.g. against business associates).
Everyone, including HHS, understands that HIPAA prior to the HITECH Act was unenforced. The HITECH Act was meant to send a message that there was a new sheriff in town. In 2012 HHS will start to deliver the message.
Editor’s note: This guest post was written by Dave Chase, the CEO of Avado.com, a patient portal & relationship management company that was a TechCrunch Disrupt finalist. Previously he was a management consultant for Accenture’s healthcare practice and founder of Microsoft’s Health platform business. You can follow him on Twitter @chasedave.
The post above is NOT about technology companies disrupting healthcare, but rather the use of technology by healthcare providers to disrupt the healthcare industry. Going forward, it will be the use of technology, and not the technology itself, that will be disruptive. That said, obviously technology will remain a huge enabler of the disruption.
Disruptive business models will build world class privacy and security into the mix from the onset...that is how important an issue it is becoming in the minds of healthcare consumers.
This has already happened despite the fact that "use" generally does not get the same press as the "technology." The print industry was NOT disrupted by technology; it was disrupted by clever individuals with industry knowledge and the vision of how to use technology to deliver more value for less, capturing the lion's share of the monetization in a few short years.
We have often written about healthcare innovation as the real disrupter and, going forward, you are likely to see disruptive business models build privacy and security into the mix from the onset. That is how important an issue it is becoming. The healthcare compliance status quo is dead.
This post will summarize the changes to 45 CFR 164 Subpart A (General Provisions). The general provisions pertain to both the HIPAA Privacy Rule and the HIPAA Security Rule. This post will also summarize the changes to the HIPAA Rules themselves.
Subpart A - General Provisions
Statutory Basis § 164.102 will be modified to include HITECH Act references to 13400 through 13424.
Applicability § 164.104 will be modified to reflect changes to business associates.
Organizational Requirements § 164.105 will reflect changes that this section applies to 164 Subpart D as well (i.e. the Breach Notification Rule).
Organizational Requirements § 164.105 will also include a number of other minor technical changes and clarification modifications.
HIPAA Security Rule
References will be added throughout the Security Rule to indicate that the Rule now applies to business associates as well as covered entities.
Administrative safeguards § 164.308; certain exceptions as to who qualifies as a business associate are being removed because these exceptions will be included in the new definition of business associate. Also modifications are being made reflecting the fact that a written contract will now be required between business associates and their subcontractors (i.e. under the OR subcontractors will be treated as business associates).
Organizational requirements § 164.314 will now apply to business associates as well, despite the fact that it was not one of the enumerated sections of HITECH 13401.
Clearly, as illustrated above, many of the changes to the Security Rule are being driven by the fact that business associates are now statutorily required to comply with the Rule under HITECH 13401.
Definitions § 164.501: modifications to "Health Care Operations" and "Marketing" are proposed and discussed at length in the NPRM.
Uses and Disclosures § 164.502 are being modified because HITECH 13404 "creates direct liability for noncompliance by business associates" for the Privacy Rule requirements contained therein. Other detailed modifications to § 164.502 are also discussed at length in the NPRM.
Uses and disclosures for which an authorization is required § 164.508; the sale of PHI will now require an authorization under HITECH 13405(d)(1).
Transition provisions § 164.532; changes proposed to provide for a 1 year compliance period (i.e. instead of 180 days) in order to make conforming changes to business associate agreements.
Uses and disclosures for which an authorization or opportunity to agree or object is not required (disclosure of student immunizations to schools) § 164.512; proof of immunization will be treated as a public health disclosure and therefore expressly permitted under the Privacy Rule.
Other requirements relating to uses & disclosures of protected health information § 164.514 (f) (fund-raising); under HITECH 13406(b) covered entities are required to provide a conspicuous "opt out" provision regarding fund-raising communications. HHS proposes to "strengthen the opt out by requiring that the covered entity provide, with each fund-raising communication sent to an individual...a clear and conspicuous opportunity to elect not to receive further fund-raising communications."
Notice of privacy practices ("NOPP") for protected health information § 164.520; HHS proposes to make material changes to what is required in the NOPP and therefore readers are encouraged to review the NPRM in detail regarding these modifications.
Rights to request privacy protection for protected health information § 164.522; HHS proposes to modify this section consistent with HITECH 13405(a).
Access of individuals to protected health information § 164.524; HHS proposes to modify this section consistent with HITECH 13405(e) to reflect new rights regarding access to PHI in those instances where covered entities have implemented electronic health records.
As you can see from the discussion above, the OR encompasses a large number of changes in order to make the Rules conform to the HITECH Act and to otherwise clarify ambiguities and correct some technical problems.
This series of posts is intended as a shorthand summary of the proposed OR changes so that readers can begin to see the forest for the trees. Here's Part II of this series of posts.
Our weekly radio show kicks off this Friday (see below). Each week we will discuss topics related to how the HITECH Act is transforming HIPAA and: 1) provide exposure to industry thought leaders; 2) provide analysis of proposed and promulgated HHS/OCR rule making; and 3) provide a forum for sharing industry best practices.
Here's the overview video. To participate via chat you will need to create a FREE Blog Talk Radio account. No account is necessary just to listen. Archived copies of shows will be made available. This week's show will be discussing the Patient's Bill of Rights under the HITECH Act.
Date: January 20, 2012.
Time: 3:00 to 3:30 EST.
To listen click here or cut and paste this URL into your browser address line on the designated date/time:
Business Associates (BAs) of Covered Entities (CEs) are facing tough economic choices. On the one hand CEs, now in a much more competitive and uncertain economic environment, are likely going to want more from their BAs for less. On the other hand, in order to win business going forward, BAs are going to need a strong regulatory compliance story (read HITECH/HIPAA) and that is going to require investment.
However, it's not all bad news for BAs (at least not for some). Make the investment in regulatory compliance, streamline operations so as to deliver more value, and some significant market share may be out there for the taking. Why? Because historically these opportunities have always existed any time an industry is undergoing this much disruption. There is simply no one that has been following the healthcare industry (and is still breathing) for the last few years that does not believe that the industry is being disrupted at an alarming rate.
Innovate or die has been tech's mantra for a long time now. What's changed? Now there is not a mature industry that is not threatened by the same imperative, especially the healthcare industry. The transition from "fee for service" to a real (i.e. functioning according to market principles) healthcare marketplace (which has never existed in modern times) is as big as it gets from a disruption perspective. That's why we are reading about all the M&A activity. However, over the next few years we are going to be reading a whole lot more about innovation.
BAs that want to remain viable better follow suit, including making regulatory compliance a marketplace differentiator. The HITECH horse left the barn a long time ago (especially in Internet years) and it looks like that horse was "born to run" because we "ain't never getting him back in the barn."