Archive for October, 2009

Oct 30

Enforcement interim final rule published in FR

Posted by: Dom Nicastro | Comments (1)

HHS published in the Federal Register today the HIPAA enforcement interim final rule as part of the provisions in the HITECH Act, according to an OCR press release.

There are no major changes to HITECH enforcement, just some slight language changes.

The interim final rule becomes effective November 30. HHS has invited public comments on the interim final rule, which will be considered if received by December 29.

Oct 28

Q&A: Notification of compliance breach

Posted by: Dom Nicastro | Comments (0)

Q: Is a business associate (BA) that discovers a breach ever responsible for notifying the individual(s) affected, media outlets, or HHS? Or does the BA only have to notify the covered entity (CE)?

A: The CE has sole responsibility for notifying individuals when required. The CE must notify HHS immediately if a breach involves 500 or more individuals and/or at the end of the calendar year with respect to all breaches, regardless of whether the CE or the BA caused the breach.

A review of the breach notification interim final rule, which is final and was published in the Federal Register August 24, is a good idea. Visit www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/breachnotificationifr.html

Chris Apgar, CISSP, answered this question in the October 2009 issue of the HCPro newsletter Briefings on HIPAA. For more information about this newsletter visit the HCMarketplace.
Categories: Compliance Monitor
Oct 28

Survey: “Red Flags” rule

Posted by: Dom Nicastro | Comments (0)

Is your facility compliant with the FTC “Red Flags” rule to protect against identity theft?

1. Yes
2. No
3. I don’t know

To submit your answer, go to “Quick Poll” at HCPro’s Corporate Compliance Web site.

Categories: Compliance Monitor
Oct 26

House passes Red Flags Rule amendment bill

Posted by: Dom Nicastro | Comments (1)

The House of Representatives unanimously passed a bill Tuesday, Oct. 20, that would exempt providers with fewer than 20 employees from complying with the FTC’s identity theft Red Flags Rule.

Categories: Red Flags Rule
Oct 26

Group: HHS harm threshold ‘outrageous’

Posted by: Dom Nicastro | Comments (0)

Throw in some more rhetoric in support of HHS eliminating its “harm threshold” from its interim final rule on breach notification. This time, it’s the consumer advocacy group Consumer Watchdog, which says in a letter to HHS:

Inexplicably, and flouting Congressional intent, the Department of Health and Human Services has introduced a “harm” standard before breach notification is required. You have decided to interpret “compromises the security” of data to include a substantial harm standard. Under the HHS interpretation, if the breaching entity decides there is no significant risk of financial, reputation or other harm to the individual, the provider or health insurer never has to disclose that the sensitive information was used or disclosed in violation of the federal privacy rule.

In other words, the company responsible for protecting the sensitive data gets to decide if it needs to bother to tell anyone that sensitive health data was breached. This is simply outrageous.

It is even more troublesome when one recalls that the House Committee on Energy and Commerce considered a similar “harm” standard during discussions of health and information technology legislation in May 2008. Committee members considered public comments and practices of various states; they explicitly rejected a “harm” standard.

Read the full letter.

Categories: Breach Notification, HHS