« June 2015 | Main | August 2015 »

July 27, 2015

FREE HIPAA SURVIVAL GUIDE FOURTH EDITION

Sign-up for our FREE Newsletter and receive our HIPAA Survival Guide Fourth Edition (a $29.95 value) at no cost.  Its a win-win!

Posted at 04:50 PM | | Comments (0)

July 26, 2015

More on Business Associates and the Security Rule

In our last post, we discussed the four principal objectives of the Security Rule (§160.306(a)). 

We mentioned that although the items enumerated did not appear unreasonable or overly burdensome, the devil was in the details.  So here are some of those details.  

The Security Rule contains a concept called the "Flexibility Approach;" what others refer to as the Security Rule's guiding principle. In essence, the flexibility principle enumerates four factors that a Business Associate should consider when deciding how to "reasonably and appropriately" implement the standards and implementation specifications.

The four Security Rule Flexibility Factors are as follows:

  1. The size, complexity, and capabilities of the BA.
  2. The BA's technical infrastructure, hardware, and software security capabilities.
  3. The costs of security measures.
  4. The probability and criticality of potential risks to ePHI.

More on the standards and implementation specifications next time.

Posted at 06:57 PM in Business Associates | | Comments (0)

July 21, 2015

Business Associates and the Security Rule

Five years out from the promulgation of the HITECH Act, and business associates are still struggling with what the Act requires of them under the modified HIPAA regulations. Although under the Omnibus Rule it should be clear that a business associate ("BA") must comply with the Privacy Rule, the Security Rule, and the Breach Notification Rule, the requirements of the Security Rule ("SR") bedevil BAs the most.

The SR requires that a BA implement three types of safeguards: (1) administrative, (2) physical, and (3) technical.  The principal objectives of the SR, as it pertains to both a Covered Entity and a BA, are as follows (§160.306(a)): 

  1. Ensure the confidentiality, integrity, and availability of all its ePHI.
  2. Protect against any reasonably anticipated threats or hazards of its ePHI.
  3. Protect against any reasonably anticipated uses or disclosures of ePHI not permitted or required under the Privacy Rule ("PR").
  4. Ensure its workforce complies with the SR.

 The items enumerated above do not appear unreasonable or overly burdensome. However, the devil (as always) lies in the details.

Posted at 05:28 PM | | Comments (0)

July 19, 2015

Conducting a Risk Assessment

Conducting an effective Risk Assessment is a daunting task no matter how often you may have done it. However, if it's your first time then your anxiety level is likely to be an order of magnitude higher. The silver bullet in a nutshell is that there is "no such thing as a perfect Risk Assessment" and there is no compliance requirement for one. The objective is not perfection, but rather the objective is to establish a baseline that you can continue to improve on over time.

A Risk Assessment is not something that you perform once and then forget. Because the threat landscape changes on a daily basis, it is inconceivable that you could perform a rigorous "full blown" Risk Assessment less than once a year. Further, it is more likely that once a quarter should be what you strive for. Now the HIPAA Rules do not mandate the frequency of Risk Assessments, rather the Rules require that you perform a Risk Assessment whenever your operational environment, or the law, changes in a material way. That said, a couple of points need to be noted: (1) given the amount of change occurring in the healthcare industry (now and in the foreseeable further) operational environments are going to be changing quite often; and (2) if your objective is to manage risk then performing a Risk Assessment only once a year is simply not a "reasonable and appropriate" thing to do.

Posted at 12:45 PM | | Comments (0)

My Photo

About

NEWSLETTER


  • ACO COMPLIANCE NEWSLETTER

    Join My ACO Mailing List

  • Email Newsletter icon, E-mail Newsletter icon, Email List icon, E-mail List icon
    Sign up for a FREE
    HITECH / HIPAA
    Compliance Newsletter

    Enter your email address

Categories

CC

Tools

  • Google Analytics

Essays and Such

  • HIPAA Survival Guide (PDF)
    Read the HSG in PDF format.
  • HIPAA Survival Guide (online)
    Practical advice for health care practitioners.

  • Search, KM & the Practice of Law

  • Silicon Stories eBook

  • Dirty Little Secret

  • Competitive Advantage

  • Process Patterns

  • Movie Making and Software Development

  • The Missing Factory

  • Architecture: Shack, House or Skyscraper?

  • The Talent Wars

  • Knowledge Management and Infotainment

  • What comes after what comes next?

February 2019

Sun Mon Tue Wed Thu Fri Sat
          1 2
3 4 5 6 7 8 9
10 11 12 13 14 15 16
17 18 19 20 21 22 23
24 25 26 27 28    

Archives

More...