In our last post, we discussed the four principal objectives of the Security Rule, set out in its general requirements (45 CFR §164.306(a)).
We mentioned that although the items enumerated did not appear unreasonable or overly burdensome, the devil was in the details. So here are some of those details.
The Security Rule contains a concept called "Flexibility of Approach" (§164.306(b)), which others refer to as the Security Rule's guiding principle. In essence, the flexibility principle enumerates four factors that a Business Associate (BA) should consider when deciding how to "reasonably and appropriately" implement the standards and implementation specifications.
The four Security Rule Flexibility Factors are as follows:
The size, complexity, and capabilities of the BA.
The BA's technical infrastructure, hardware, and software security capabilities.
The costs of security measures.
The probability and criticality of potential risks to ePHI.
More on the standards and implementation specifications next time.
This webinar explores the same topic covered in this month's article. Business Associates struggling with this issue will learn about what others are doing in the space and can ask questions to thought leaders interacting with the HITECH / HIPAA marketplace daily.
If a significant part of your operations has to do with transacting with a covered entity (CE) as a business associate (BA), then this article should bring to light (and confirm) what you may be seeing from a regulatory compliance perspective in the quickly evolving healthcare compliance landscape.
More and more covered entities are waking up to the fact that this is "Simply NOT your Daddy's HIPAA any more." Yes, we all know that the industry's "awakening" has been a long slow work in progress. We also realize that more than a few "Docs" have threatened to "retire instead of complying." However, by and large these comments are now correctly viewed as fringe statements made by "grumpy old Docs" and/or those Docs that have been "banking" and can actually afford to retire (God Bless 'Em).
Minnesota attorney general brings the first formal enforcement action against a business associate, Accretive Health, Inc., for an alleged violation under HIPAA using her authority under the HITECH Act.
HHS has added to the confusion by slow-walking the Omnibus Rule and giving BAs a grace period (to put it mildly) to comply. However, as the Accretive Health action above shows, there is nothing preventing a State AG or the US Department of Justice from bringing an action today.
What is likely to trigger an action? Currently there is only a small probability of a BA being audited, since HHS has announced that BAs will not be targets of the first round of audits conducted by KPMG through the end of 2012. There is, however, a high probability that a data breach will occur. Breach Notification is the 800-pound gorilla of the HITECH Act, not only because of the costs and the fines, but because of the lawsuits a breach is likely to trigger.
If you need tools that will help with your compliance initiatives then check out the HSG Store. Do you need an Internet Lawyer with HITECH /HIPAA experience?
This show will discuss the changing role and responsibilities of business associates under the HITECH Act, including the proposed HHS omnibus rule that is likely to make subcontractors of business associates statutorily "on the hook" for complying with the HIPAA Security Rule and the relevant sections of the HIPAA Privacy Rule, made applicable to them via a written contract.
Here's the overview video of our show. To participate via chat you will need to create a free Blog Talk Radio account; no account is necessary just to listen. Archived copies of shows will be made available.