Next year should be interesting. From Red Flag compliance, federal breach reporting requirements, significantly augmented HIPAA penalties, and HIPAA security standards that are based on NIST guidelines will change the traditional compliance model for Covered Entities and Business Associates. Hot topics for enforcement next year (based on recent CMS audits of their business partners) will likely be in the areas encryption of portable media devices, remote access by employees to protected health information, and failure to document a rational risk management [...]
|
|||||
|
By Robert Hudock, on November 17th, 2009
 Print This PostNovember 17th, 2009 | Tags: ARRA, breach, EHR, Encryption, enforcement actions, FISMA, HIPAA, Interoperability, NIST, OIG, security | Category: American Recovery and Reinvestment Act, EMR, Encryption, FIPS 140-2, HIPAA Security, HITECH Act, Health Information Technology, Health and Humans Services (HHS), Interoperability, Meaningful Use, NIST, unsecured protected health information |
2 comments
Print This PostBy Robert Hudock, on August 24th, 2009
Print This PostThe Office of the National Coordinator for Health Information Technology (ONC) has recently release more information on two grant programs. The HITECH Act authorizes two grant programs: (1) a Health Information Technology Extension Program (Extension Program) and (2) the State Health Information Exchange Coopertive Agreement Program (Agreement Program). This program provides grants for the establishment of Health Information Technology Regional Extension Centers that will offer technical assistance, guidance and information on best practices to support and accelerate health care providers’ efforts to become meaningful users of Electronic Health Records (EHRs). The consistent, nationwide adoption and use of secure EHRs will ultimately enhance the quality and value of health care. The State Health Information Exchange Cooperative Agreement Program supports states and/or State Designated Entities (SDEs) in establishing health information exchange (HIE) capacity among health care providers and hospitals in their [...] August 24th, 2009 | Tags: EHR, Health Information Technology Regional Extension Centers, HIE, Office of the National Coordinator for Health Information Technology, ONC, State Designated Entities, State Health Information Exchange Cooperative | Category: American Recovery and Reinvestment Act, EMR, HITECH Act, Health Information Technology, Health Reform, Health and Humans Services (HHS), Interoperability, Meaningful Use, Office of the National Coordinator for Health Information Technology |
One comment
Print This PostBy Robert Hudock, on July 30th, 2009
Print This PostOffice of the National Coordinator (“ONC”) for Health Information Technology health IT policy committee voted on July 16, 2009 to accept itsworkgroup’s matrix of qualifications that will be used to define “meaningful use” of health IT. Compliance with ONC’s definition of “meaningful use” is essential to reimbursement bonuses and avoiding penalties under the American Recovery and Reinvestment Act of 2009 (ARRA). Bonuses will begin in 2011 (maximum bonus payments for the implementation of a qualified EHR can be collected where an EHR is implemented no later 2012) thereafter the amount of bonus payments will be reduced with each subsequent year. Penalties will begin accruing 2017 for Medicare and Medicaid providers who have failed to implement a qualified EHR. A qualified EHR under ARA is essentially an EHR that meets the Government’s tortured definition of meaningful [...] July 30th, 2009 | Tags: HIT, Meaningful Use, ONC, uncertainty | Category: American Recovery and Reinvestment Act, CCHIT, EMR, HITECH Act, Health Information Technology, Interoperability, Meaningful Use |
Leave a comment
Print This PostImprove the web with Nofollow Reciprocity. |
|||||
|
Copyright © 2010 Law Blog 2.0 - Robert Hudock, Esq., CISSP - All Rights Reserved - This Blog is a personal blog of Robert Hudock. |
|||||
Business Associate and Covered Entity HIPAA Compliance -- Auditing Questions and NIST 800-53 Security Controls.
This article discusses techniques for implementing the updated requirements of the HIPAA Security Rule, with particular focus on strategies for assessing the effectiveness of implemented security controls to support compliance and audit, as well as a covered entity’s (or business associate) overarching risk management program in the context of HIPAA Compliance. Covered entities are becoming more pro-active in monitoring their business associate compliance with HIPAA privacy and security regulations and the recent changes largely the product of the HITECH Act. In the past I have used a series of questions to ascertain the compliance status of business associates to comply with HIPAA privacy and security rules. I find it useful to map security controls to NIST Special Publication 800-53. The National Institute of Standards and Technology has collaborated with the military and intelligence communities to produce the first set of security controls for all government information systems, including national security systems. The controls are included in the final version of Special Publication 800-53, Revision 3 “Recommended Security Controls for Federal Information Systems and Organizations,” released in August of 2009. (Available at http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf). [...]