The Office for Civil Rights (OCR) is undecided whether to include business associates (BAs) in its HIPAA-compliance audit plans per a $9.2 million contract it awarded last month.
Susan McAndrew, JD, OCR’s deputy director of health information privacy, says the contractor, KPMG, LLC, will be developing protocols to support business associate audits.
However, “OCR has not yet determined whether it will audit business associates in addition to covered entities during the audits that are anticipated to take place in 2012,” McAndrew says.
For the full article, visit www.healthleadersmedia.com.
Patients would have the right to request and receive a record of who accessed and viewed their electronic protected health information under a proposed change to the Health Insurance Portability and Accountability Act's Privacy Rule.
Under HIPAA, healthcare organizations are already required to track access to patient data contained in electronic records, but they are not required to disclose this access information to patients. The proposed rule change, part of the Department of Health and Human Services' implementation of the 2009 HITECH Act, "represents an important step in our continued efforts to promote accountability across the health care system, ensuring that providers properly safeguard health information," says HHS Office for Civil Rights Director Georgina Verdugo in a press release.
For the full article, visit www.outpatientsurgery.net.
Despite spending a lot of time making sure they are compliant with federal and state regulations, health care organizations claim they are still seeing a lot of data breaches. Being regulatory-compliant does not necessarily reduce the chances of a data breach, at least for the health care industry, according to a new study. Even more worrisome, organizations appear to be focusing more on compliance and less on security. About 56 percent of IT security professionals in the health care industry said they spend the majority of their time addressing compliance requirements, according to the results of a GlobalSign survey released May 26. Even so, 34 percent of the health care industry IT security professionals polled said their organizations experienced a patient-records data breach within the past two years.
For the full article, visit www.eweek.com.
HIPAA Covered Entities and Business Associates have anxiously been awaiting the issuance by HHS of the regulations that will further define and detail the HIPAA privacy and security requirements under the HITECH Act, including the effective dates for HHS enforcement of those requirements. Based on recent activity, the issuance of the proposed rule containing those regulations is expected to occur soon. On April 12, HHS presented its proposed rule to the Office of Management and Budget (OMB) for review of financial implications. OMB review can take up to three (3) months, but it is not expected to take that long in the present case. The proposed rule will give interested parties the opportunity to comment on the proposed regulations, which will lead to the issuance of a final rule by HHS. Visit www.inspn.org for future updates.
Dom Nicastro, for HealthLeaders Media, April 12, 2010
The Office for Civil Rights (OCR) cited a 36-year-old privacy law as the reason why it cannot post on its breach notification Web site the names of private practitioners who report breaches of unsecured PHI affecting 500 or more individuals.
Visit Health Leaders Media for the complete story.
Speakers Joan Antokol, Esq., and Chris Prader, ITIL Certified, presented at the March 18th Indiana Security and Privacy Network (INSPN) quarterly meeting on evaluating the legal and technical challenges of data encryption. Meeting highlights are below:
At the request of Members of Congress, the Federal Trade Commission is delaying enforcement of the “Red Flags” Rule until June 1, 2010, for financial institutions and creditors subject to enforcement by the FTC.
The Rule was promulgated under the Fair and Accurate Credit Transactions Act, in which Congress directed the Commission and other agencies to develop regulations requiring “creditors” and “financial institutions” to address the risk of identity theft. The resulting Red Flags Rule requires all such entities that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft.
For additional information on Red Flag Regulations visit the FTC’s website ftc.gov/redflagsrule .
The American Recovery and Reinvestment Act, Title XIII HITECH (Health Information Technology for Economic and Clinical Health), expands HIPAA regulations to include "business associates". This will require third parties that handle patient data to comply with HIPAA standards by next year. Prior to this bill, such firms were exempt and had only a contractual obligation to data privacy. Companies that handle digital patient information will no longer be able to contract away liability and will be required to adhere to the same stringent standards placed upon health care providers.
In addition, the U.S. Department of Health & Human Services continues to release details on the disposal of protected information and breach notification guidance. For more information, visit the HHS site on health information privacy: http://www.hhs.gov/ocr/privacy/index.html
The FTC's Red Flags Rule became law on Nov 1st 2008. At that time the FTC suspended enforcement until May 1st 2009, and it has now granted another delay until August 1st 2009 to give creditors and financial institutions more time to develop and implement written identity theft prevention programs. For entities that have a low risk of identity theft, such as businesses that know their customers personally, the Commission will soon release a template to help them comply with the law.
Some of the confusion stems from the definition of a creditor and who is obligated to comply. Under the Rule, financial institutions and creditors with covered accounts must have identity theft prevention programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. Federal law defines a creditor as any entity that regularly extends, renews, or continues credit. Accepting credit cards as a form of payment does not, in and of itself, make an entity a creditor. Some examples of creditors are finance companies, automobile dealers, mortgage brokers, utility companies, telecommunications companies, hospitals, medical offices, and non-profit and government entities that defer payment for goods or services.
The Rule requires businesses to develop a program that identifies and detects the relevant warning signs, or "red flags", of identity theft. These may include, for example, unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents. The program must also describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the program. The program must be managed by the Board of Directors or senior employees of the financial institution or creditor, include appropriate staff training, and provide for oversight of any service providers.
For more information, visit http://www.ftc.gov/opa/2009/04/redflagsrule.shtm