Gmail, Google Apps for Business HIPAA Business Associate Agreements

The Health Insurance Portability and Accountability of Act demands that all HIPAA covered businesses prevent unauthorized access to “Protected Health Information” or PHI. PHI includes patients’ names, addresses, and all information pertaining to the patients’ health and payment records. According to the Department of Health and Human Services, “HIPAA Rules apply to covered entities and business associates.” Complete compliance with HIPAA guidelines requires implementation of basic and advanced security measures. Basic security includes benchmark-based password creation and use, personnel education and training, limited access to PHI, data encryption, use of firewalls, antivirus software, and digital signatures. With increasing adoption of electronic medical records and cloud-based software-as-service (SaaS), advanced security measures are…

READ MORE

The Reality of HIPAA Violations and Enforcement

Who is ultimately responsible for enforcement of HIPAA and what types of penalties are levied when a covered entity or business associate is found to be non-compliant with the regulations? Many healthcare offices and their staff don’t know the answer to this question; they have only a vague notion about the enforcement and the consequences of not adhering to the law. The real HIPAA enforcement agency is the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR). Complaints are filed with the OCR, and they are responsible for administering, investigating and enforcing the HIPAA privacy standards. The Centers for Medicare & Medicaid (CMS) enforce the code…

READ MORE

Five Steps to HIPAA Security Compliance

The health insurance portability and accountability act has set various guidelines, which should be adhered to by anyone who handles any electronic medical data. These guidelines stipulate that all medical practices must ensure that all necessary measures are in place while saving, accessing and sharing any electronic medical data to keep patient data secure . Lack of compliance to the HIPAA security standards could lead to large fines and in extreme cases even loss of medical licenses. Several steps can be followed by medical practices to ensure compliance to HIPAA standards. These steps include: Run a complete risk assessment of the medical practice Some medical practices adopted electronic health recording…

READ MORE

Dentists: Don’t Forget HIPAA Compliance

Since the inception of HIPAA in 1996, its broad implications have affected all areas of health care including dentistry. And, if asked, most dentists and their staff would say they know what the HIPAA regulations are, and yes, they have been trained, but are they really up to date with HIPAA’s ever expanding changes and compliance requirements?  Are they trained in the areas of HIPAA Security, Privacy, Enforcement and Breach Notification Rules and do they know that they must be in compliance with the 2013 HIPAA Omnibus Final Rule by September 23, 2013? Compared to the ever-growing size of medical practices today, most dental offices are still rather small with…

READ MORE

EHR Incentive and Certification Criteria Final Rules Published in Federal Register

The EHR Incentive and Certification final rules were published in the Federal Register this morning, July 28, 2010.  HIPAA.com provides the title, summary, effective date, and URL for each below. Department of Health and Human Services, Centers for Medicare & Medicaid Services, “42 CFR Parts 412, 413, 422, and 495;  Medicare and Medicaid Programs; Electronic Health Record Incentive Program; Final Rule, Federal Register, 75(144), Wednesday, July 28, 2010, pp. 44313-44588. Summary:  This final rule implements the provisions of the American Recovery and Reinvestment Act of 2009 (ARRA)(Public Law 111-5) that provide incentive payments to eligible professionals (EPs), eligible hospitals and critical access hospitals (CAHs) participating in Medicare and Medicaid programs…

READ MORE

OCR Reports 107 Breaches Affecting Over 4 Million Individuals (II)

The Office for Civil Rights (OCR) regularly updates its Web site listing of breaches affecting 500 or more individuals. As of July 2, 2010, there were 107 breaches listed that were reported to have occurred between September 22, 2009 and June 11, 2010. Individuals affected by these publicly listed breaches totaled 4,086,980. Six of the 107 breaches, or 5.6% of the total, affected 3,353,627 individuals, or 82% of the total. This is the second of three postings that analyzes the data from these 107 breaches. This posting (II) covers paper breaches. The first posting (I) covered electronic breaches, and the final posting (III) looks at the prevalence of business associate…

READ MORE

Final Rules for EHR Incentives and Certification Criteria at OMB for Review

The Office of Management and Budget (OMB) received in early July for Executive Order (EO) 12866 Regulatory Planning and Review two Final Rules relating to electronic health record (EHR) incentives and certification criteria required under the Health Information Technology for Economic and Clinical Health Act (HITECH Act) that was enacted on February 17, 2009 as part of the American Recovery and Reinvestment Act of 2009. On Friday, July 2, 2010, OMB received from the Office of the Secretary at the Department of Health and Human Services (HHS) for review Health Information Technology:  Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology; Final Rule.  The Interim Final…

READ MORE

Clock Running Down on Business Associate Compliance with HIPAA Security Rule Required by HITECH Act

Less than one month to go:  Business Associates must comply with the HIPAA Security Rule no later than Wednesday, February 17, 2010.  Here are relevant provisions from the American Recovery and Reinvestment Act, Public Law 111-5, which included HITECH Act Subtitle D:  Privacy. 42 USC 17931 (PART 1–IMPROVED PRIVACY PROVISIONS AND SECURITY PROVISIONS, Section 13401:  Application of Security Provisions and Penalties to Business Associates of Covered Entities; Annual Guidance on Security Provisions). (a)  APPLICATION OF SECURITY PROVISIONS.–Sections 164.308 (Administrative Safeguards), 164.310 (Physical Safeguards), 164.312 (Technical Safeguards), and 164.316 (Policies and Procedures and Documentation Requirements) of title 45, Code of Federal Regulations, shall apply to a business associate of a covered…

READ MORE

HHS Publishes Proposed Rule for Electronic Health Record Incentive Program

HHS published today in the Federal Register:  “Medicare and Medicaid Programs–Electronic Health Record Incentive Program; Proposed Rule.”  75 FR 1844-2011.  Comments on this Notice of Proposed Rulemaking (NPRM) may be submitted to HHS no later than March 15, 2010.  Here is the Summary from the NPRM: “This proposed rule would implement the provisions of the American Recovery and Reinvestment Act of 2009 (ARRA)(Public Law 111-5) that provide incentive payments to eligible professionals (EPs) and eligible hospitals participating in Medicare and Medicaid programs that adopt and meaningfully use certified electronic health record (EHR) technology.  The proposed rule would specify the initial criteria an EP and eligible hospital must meet in order…

READ MORE

ONC’s Dr. Blumenthal Announces SHARP Program Funding Availability

Please read the following announcement released on December 18, 2009: A Message from Dr. David Blumenthal, National Coordinator for Health Information Technology Today the Obama administration announced the availability of $60 million in Recovery Act funds to support the development of the Strategic Health IT Advanced Research Projects (SHARP) program. SHARP awards will fund research focused on identifying technology solutions to address well-documented problems impeding broad adoption of health information technology (health IT). By helping to overcome key challenges, the research will also accelerate progress towards achieving nationwide meaningful use of health IT. 

As we continue this unprecedented effort towards meaningful use and seamless, secure information exchange, we also must acknowledge…

READ MORE