<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Business Associate and Covered Entity HIPAA Compliance &#8212; Auditing Questions and NIST 800-53 Security Controls.</title>
	<atom:link href="http://law2point0.com/wordpress/2009/11/29/business-associate-and-covered-entity-hipaa-compliance-auditing-questions-and-nist-800-53-security-controls/feed/" rel="self" type="application/rss+xml" />
	<link>http://law2point0.com/wordpress/2009/11/29/business-associate-and-covered-entity-hipaa-compliance-auditing-questions-and-nist-800-53-security-controls/</link>
	<description>This blog covers privacy, security, health information technology and e-discovery related topics. The primary goal of this blog is to raise public awareness of legal issues pertaining to the use of law and technology.</description>
	<lastBuildDate>Tue, 30 Mar 2010 19:55:16 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
	<item>
		<title>By: Robert Hudock</title>
		<link>http://law2point0.com/wordpress/2009/11/29/business-associate-and-covered-entity-hipaa-compliance-auditing-questions-and-nist-800-53-security-controls/comment-page-1/#comment-233</link>
		<dc:creator>Robert Hudock</dc:creator>
		<pubDate>Thu, 04 Feb 2010 20:49:19 +0000</pubDate>
		<guid isPermaLink="false">http://law2point0.com/wordpress/?p=1213#comment-233</guid>
		<description>(This is a complex issue and very factually specific -- you should consult an attorney on this issue)  Some off-the-cuff thoughts and concerns, which should not be taken as legal advice: (1) the issue partly becomes an issue of whether there exists personal jurisdiction in the United States over the entity located in China, India, Mexico, etc.  (2) There also may exist treaties that would potentially address this issue.  (3) Ultimately you would likely see some sort of commitment between Covered Entities and BAs, by contract, that the information would not be sent offshore without prior consent.  (4) Generally, if a company is seeking to do business with US companies they would be submitting themselves to the jurisdiction of US courts and would likely have to comply with US law (but again you should consult a lawyer on this).  (5) When a company is outside the United States I would generally want to see some sort of ISO security certification -- again I think these issues would likely be addressed in the parties' due diligence process.  If you're a BA or CE engaging a company outside the United States I would be very interested in making sure that the company will comply with these new requirements.  Your comment raises some serious questions which really have not been addressed with clarity.</description>
		<content:encoded><![CDATA[<p>(This is a complex issue and very factually specific &#8212; you should consult an attorney on this issue)  Some off-the-cuff thoughts and concerns, which should not be taken as legal advice: (1) the issue partly becomes an issue of whether there exists personal jurisdiction in the United States over the entity located in China, India, Mexico, etc.  (2) There also may exist treaties that would potentially address this issue.  (3) Ultimately you would likely see some sort of commitment between Covered Entities and BAs, by contract, that the information would not be sent offshore without prior consent.  (4) Generally, if a company is seeking to do business with US companies they would be submitting themselves to the jurisdiction of US courts and would likely have to comply with US law (but again you should consult a lawyer on this).  (5) When a company is outside the United States I would generally want to see some sort of ISO security certification &#8212; again I think these issues would likely be addressed in the parties&#8217; due diligence process.  If you&#8217;re a BA or CE engaging a company outside the United States I would be very interested in making sure that the company will comply with these new requirements.  Your comment raises some serious questions which really have not been addressed with clarity.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Rao</title>
		<link>http://law2point0.com/wordpress/2009/11/29/business-associate-and-covered-entity-hipaa-compliance-auditing-questions-and-nist-800-53-security-controls/comment-page-1/#comment-232</link>
		<dc:creator>Rao</dc:creator>
		<pubDate>Thu, 04 Feb 2010 07:43:20 +0000</pubDate>
		<guid isPermaLink="false">http://law2point0.com/wordpress/?p=1213#comment-232</guid>
		<description>Very useful and informative posting. I understand that under the HITECH Act some BAs are coming under CEs. However, I am still not clear what type of BAs are becoming CEs.

Let us take a scenario - A payer has a claim process outsourced to a BPO vendor/claim exchange. This BPO vendor may in turn outsource the claim operation to an offshore vendor, or certain activities are performed by an offshore team (location irrelevant - can be China, India or Mexico). In this scenario, the BPO vendor is becoming a CE. But what about this vendor's offshore partner?</description>
		<content:encoded><![CDATA[<p>Very useful and informative posting. I understand that under the HITECH Act some BAs are coming under CEs. However, I am still not clear what type of BAs are becoming CEs.</p>
<p>Let us take a scenario &#8211; A payer has a claim process outsourced to a BPO vendor/claim exchange. This BPO vendor may in turn outsource the claim operation to an offshore vendor, or certain activities are performed by an offshore team (location irrelevant &#8211; can be China, India or Mexico). In this scenario, the BPO vendor is becoming a CE. But what about this vendor&#8217;s offshore partner?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Mike</title>
		<link>http://law2point0.com/wordpress/2009/11/29/business-associate-and-covered-entity-hipaa-compliance-auditing-questions-and-nist-800-53-security-controls/comment-page-1/#comment-229</link>
		<dc:creator>Mike</dc:creator>
		<pubDate>Tue, 29 Dec 2009 06:47:52 +0000</pubDate>
		<guid isPermaLink="false">http://law2point0.com/wordpress/?p=1213#comment-229</guid>
		<description>You have really summarized a lot of information on HIPAA privacy and security regulations. I would also like to add a few questions and answers specifically discussing security terminology.

1 Define the term security.
Security is generally defined as having controls, countermeasures, and procedures in place to ensure the protection of information assets and control access to valued resources. Security is how an entity decides to protect its information assets.

2 What’s the goal of security?
Generally, the goal of security is to counter identified threats and to satisfy relevant security policies and assumptions.

3 Define authentication.
Authentication is the process of proving your identity. A system needs to authenticate users to a degree appropriate for the level of risk/threat that an authenticated user represents.

4 Define access control.
Access control is assuring that only authorized users access a system, and that all unauthorized users are rejected.

5 Describe data confidentiality.
Data confidentiality is assuring the privacy of data on the system, and network data confidentiality protects your data from passive threats.

6 Describe data integrity.
Data integrity is the assurance that data hasn’t been altered or destroyed in any unauthorized manner. Data integrity provides protection against active threats.

7 What’s the objective of security mechanisms?
Both types of security mechanisms (specific and pervasive) implement security services.

8 What are some factors guiding the philosophy behind HIPAA’s Security Rule?
The security standards are designed to be:
• Comprehensive—They cover all aspects of security safeguards.
• Technology neutral—Standards can be implemented using a broad range of off-the-shelf and user-developed technologies and security solutions.
• Scalable—The goals of the regulations can be achieved by entities of all sizes from single practitioners to large multinational health care organizations.

9 Describe the major category areas covered by the final Security Rule under
HIPAA that an organization needs to address for compliance.
The final Security Rule outlines the requirements in three major categories:
• Administrative safeguards
• Physical safeguards
• Technical safeguards

10 What are the central principles of security?
Confidentiality, integrity, and availability.


Mike
&lt;a href=&quot;http://hipaatraining.net&quot; rel=&quot;nofollow&quot;&gt;HIPAA Training&lt;/a&gt;</description>
		<content:encoded><![CDATA[<p>You have really summarized a lot of information on HIPAA privacy and security regulations. I would also like to add a few questions and answers specifically discussing security terminology.</p>
<p>1 Define the term security.<br />
Security is generally defined as having controls, countermeasures, and procedures in place to ensure the protection of information assets and control access to valued resources. Security is how an entity decides to protect its information assets.</p>
<p>2 What’s the goal of security?<br />
Generally, the goal of security is to counter identified threats and to satisfy relevant security policies and assumptions.</p>
<p>3 Define authentication.<br />
Authentication is the process of proving your identity. A system needs to authenticate users to a degree appropriate for the level of risk/threat that an authenticated user represents.</p>
<p>4 Define access control.<br />
Access control is assuring that only authorized users access a system, and that all unauthorized users are rejected.</p>
<p>5 Describe data confidentiality.<br />
Data confidentiality is assuring the privacy of data on the system, and network data confidentiality protects your data from passive threats.</p>
<p>6 Describe data integrity.<br />
Data integrity is the assurance that data hasn’t been altered or destroyed in any unauthorized manner. Data integrity provides protection against active threats.</p>
<p>7 What’s the objective of security mechanisms?<br />
Both types of security mechanisms (specific and pervasive) implement security services.</p>
<p>8 What are some factors guiding the philosophy behind HIPAA’s Security Rule?<br />
The security standards are designed to be:<br />
• Comprehensive—They cover all aspects of security safeguards.<br />
• Technology neutral—Standards can be implemented using a broad range of off-the-shelf and user-developed technologies and security solutions.<br />
• Scalable—The goals of the regulations can be achieved by entities of all sizes from single practitioners to large multinational health care organizations.</p>
<p>9 Describe the major category areas covered by the final Security Rule under<br />
HIPAA that an organization needs to address for compliance.<br />
The final Security Rule outlines the requirements in three major categories:<br />
• Administrative safeguards<br />
• Physical safeguards<br />
• Technical safeguards</p>
<p>10 What are the central principles of security?<br />
Confidentiality, integrity, and availability.</p>
<p>Mike<br />
<a target="_blank" href="http://hipaatraining.net"   rel="nofollow">HIPAA Training</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Business Associate and Covered Entity HIPAA Compliance — Auditing &#8230; &#171; Internet Cafe Solution</title>
		<link>http://law2point0.com/wordpress/2009/11/29/business-associate-and-covered-entity-hipaa-compliance-auditing-questions-and-nist-800-53-security-controls/comment-page-1/#comment-222</link>
		<dc:creator>Business Associate and Covered Entity HIPAA Compliance — Auditing &#8230; &#171; Internet Cafe Solution</dc:creator>
		<pubDate>Sun, 29 Nov 2009 13:36:35 +0000</pubDate>
		<guid isPermaLink="false">http://law2point0.com/wordpress/?p=1213#comment-222</guid>
		<description>[...] Originally posted here: Business Associate and Covered Entity HIPAA Compliance — Auditing &#8230; [...]</description>
		<content:encoded><![CDATA[<p>[...] Originally posted here: Business Associate and Covered Entity HIPAA Compliance — Auditing &#8230; [...]</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tweets that mention Business Associate and Covered Entity HIPAA Compliance — Auditing Questions and NIST 800-53 Security Controls. &#124; Law Blog 2.0 -- Topsy.com</title>
		<link>http://law2point0.com/wordpress/2009/11/29/business-associate-and-covered-entity-hipaa-compliance-auditing-questions-and-nist-800-53-security-controls/comment-page-1/#comment-221</link>
		<dc:creator>Tweets that mention Business Associate and Covered Entity HIPAA Compliance — Auditing Questions and NIST 800-53 Security Controls. &#124; Law Blog 2.0 -- Topsy.com</dc:creator>
		<pubDate>Sun, 29 Nov 2009 12:29:14 +0000</pubDate>
		<guid isPermaLink="false">http://law2point0.com/wordpress/?p=1213#comment-221</guid>
		<description>[...] This post was mentioned on Twitter by Joshua Schlinsky, Suzen Sam. Suzen Sam said: Business Associate and Covered Entity HIPAA Compliance — Auditing ...: Maintenance Records, Addressable, P&amp;.. http://bit.ly/5UlIxM [...]</description>
		<content:encoded><![CDATA[<p>[...] This post was mentioned on Twitter by Joshua Schlinsky, Suzen Sam. Suzen Sam said: Business Associate and Covered Entity HIPAA Compliance — Auditing &#8230;: Maintenance Records, Addressable, P&amp;.. <a target="_blank" href="http://bit.ly/5UlIxM"   rel="nofollow">http://bit.ly/5UlIxM</a> [...]</p>
]]></content:encoded>
	</item>
</channel>
</rss>
