Tag Archives: Omnibus Rule

Business Associate Tips

Complying with the Omnibus Rule

Healthcare Info Security recently featured Mac McMillan’s advice for Business Associates (BAs). McMillan first notes that the recent Omnibus Rule defines BAs as “anyone who receives, creates, maintains or transmits protected health information on behalf of a covered entity,” which means BAs are now required to comply with the HIPAA Security Rule and several provisions of the HIPAA Privacy Rule. McMillan reminds us that BAs only have until September 23 to be prepared for enforcement.

McMillan advises that BAs should conduct a risk analysis under the HIPAA Security Rule. BAs need to conduct the analysis to identify gaps in their policies and procedures; addressing those gaps is a stride toward a successful and well-defined security program. He also suggests that educating and training staff on their responsibilities is key to assuring an effective security program. McMillan notes that BAs can find guidance on how to conduct a risk analysis on the Office for Civil Rights (OCR) website, as well as on the North Carolina Healthcare Information and Communications Alliance’s website.

Next, McMillan advises BAs to prepare for having to respond to breaches. Under the Omnibus Rule, BAs will now have to notify their covered entity of any loss of protected health information (PHI). He points out that when a BA has an incident, it should assess the severity of the incident based upon what information was lost, who obtained or received the information, and any other factors that could reduce the risk of compromise. The BA will need to analyze this information and document its decision on whether or not to notify.

To read the entire article visit Healthcare Info Security’s site.

“Breach Notification: Omnibus Style”

April 8, 2013 by Mac McMillan, posted on Healthcare Informatics.

Mac McMillan recently wrote a blog post for Healthcare Informatics that reviews the Breach Notification Rule as revised by the new Omnibus Rule, and reminds readers that the rule went into effect last month. He analyzes the controversies surrounding the previous “harm provision” and how the Omnibus Rule addresses its shortfalls.

McMillan reports on the four risk considerations to account for when assessing whether a compromise happened. First, not all breaches are equal: it depends on how much PHI was involved and how sensitive it is. Next, look at who used or received the information, and then at what they did with it. He points out there is a big difference between someone who receives PHI and destroys it, versus it falling into the hands of someone who will commit identity theft with it. Last, it is important to consider whether and how the compromised information will be exploited.

McMillan then points out that the notification requirements have not changed much. An incident compromising 500 or more individual records must still be reported within 60 days of discovering the incident, and incidents involving fewer than 500 records still have until 60 days after the end of the calendar year. However, there is a minor change: smaller breaches can now be reported during the year in which the incident was uncovered rather than the year of the occurrence. Also, under the new Omnibus Rule, McMillan points out that a risk analysis is only required if the organization is uncertain whether a compromise occurred.

Last, McMillan provides four simple tips to act on before enforcement takes effect on September 24th. First, now is the time to revise internal breach notification programs and policies, and then educate the workforce on these new procedures. He also suggests performing a new risk analysis and making sure the analysis is documented.

For the full article, visit the Healthcare Informatics site.

Upcoming Webinar – The Final HIPAA Omnibus Rule

“The Final HIPAA Omnibus Rule: Big Changes for Business Associates”

Thursday, February 14, 2013, 2:00 PM – 3:30 PM EST (11:00 AM – 12:30 PM PST)

The final Omnibus Rule, released on January 17, 2013, will have an enormous impact on Business Associates (BAs). They have until September 23, 2013 to comply with the new requirements. Under the new regulations, BAs and their subcontractors are officially liable for certain requirements of the HIPAA Privacy and Security Rules, whether or not a formal agreement exists. The Omnibus Rule now gives OCR the latitude to investigate BAs directly for breaches, and BAs will shortly be incorporated into the random audit program that will likely resume later this year.

In this 90-minute session attendees will learn:

  • Details of the final Omnibus Rule
  • Business Associates redefined
  • How BA agreements need to change
  • Breach analysis changes

HCCS, Experts in Healthcare Learning, and CynergisTek cordially invite you to join this free, informative webinar.

More on the Omnibus Rule

The Omnibus Rule Arrives | PhysBizTech.com

by Mac McMillan, January 25, 2013

Mac McMillan provided his thoughts to PhysBizTech.com on the recently released Omnibus Rule. In the article, Mac explains that the revised guidelines will bring huge changes for covered entities and business associates. He points out that business associates can now be investigated by OCR, and that business associates will probably be added to the Random Audit Program, which should pick up again later this year.

Mac also breaks down some of the other revised regulations: the “harm” standard now has more clearly defined guidelines, fines can be increased up to $1.5 million, and there are tighter restrictions on PHI that will make it more difficult to use for marketing or to sell, while making it easier for patients to obtain their records.

The article concludes with a few simple steps that organizations can take right now to prepare for the changes that must be made by September 23, 2013.

To read the full article and see what steps to take to prepare for the Omnibus Rule, please visit http://www.physbiztech.com/blog/omnibus-rule-arrives.

Government Health IT Discusses Mac McMillan’s Thoughts on Omnibus Rule

CynergisTek’s CEO, Mac McMillan, was recently interviewed and cited by Government Health IT.

Omnibus HIPAA Rule’s Impact on Data Breach Notification, January 18, 2013, by Tom Sullivan, Editor, and Mary Mosquera

WASHINGTON – “The Omnibus Rule will come out this year,” Michael “Mac” McMillan, CEO of security and regulatory specialist CynergisTek explained earlier this week, “and when it does OCR will have what it needs to investigate their issues.”

And so the HIPAA Privacy and Security final rule arrived late Thursday, to a large extent tracking what was in the proposed rule, but also bringing some significant changes that will impact the industry, according to Bob Belfort, partner in the healthcare practice at Manatt, Phelps & Phillips, which works with states and providers on health IT and related public policy issues, and frequently helps clients craft breach notifications.

“The one that will probably get the most attention is the definition of a breach,” Belfort added. “There’s been a lot of controversy over the ‘risk of harm’ standard.”


Indeed, the proposed rule held that there would be no breach unless there was significant risk of harm to the individual, but HHS indicated it might rethink that, Belfort explained, and in the omnibus rule replaced it with an assessment of whether the improper disclosure compromises PHI (protected health information).

“The burden is on the covered entity to show that there’s a low probability that the information has been compromised. There are two changes there,” Belfort said. “Number one, the focus of the assessment is no longer on the harm to the patient but whether the information has been compromised and, secondly, the burden of proof is clearly on the covered entity so if it can’t be determined pretty clearly that there is a low probability the information has been compromised, the covered entity has to treat it as a breach.”

Belfort views the final rule as HHS navigating the middle ground between privacy advocates arguing that any improper disclosure should be treated as a breach and those who wanted to retain the risk of harm standard.

Deven McGraw, director of the health privacy project at the Center for Democracy and Technology and a member of the federal advisory Health IT Policy Committee, said this is a very positive development.


“It continues to give organizations the right to do an investigation about what happened in the breach, and to make the judgment call in circumstances where the likelihood that anyone else saw the data is very low that they can make a decision not to notify for breach purposes,” McGraw continued. “This addresses the notion of over-notification that many stakeholders commented on and does it in a way that doesn’t give the breaching entity the subjective judgment call about whether that information would harm you or not. It refines some of the gray area and is a response to some of the criticism after the interim final rule. That’s appropriate.”

The rule also, as McMillan pointed out, arms OCR to continue audits and fines. “Third parties account for 40 percent of the breaches reported and 75 percent of the records exposed,” McMillan said.

Belfort expects the uptick in audits and fines currently under way to continue.

“We’re already seeing the beginning of more aggressive enforcement and stiffer penalties, more frequent penalties,” Belfort said. “And I think that trend will definitely accelerate.”

http://www.govhealthit.com/news/omnibus-hipaa-rules-impact-data-breach-notification


CynergisTek to Showcase HIPAA Audit Readiness Solution Portfolio at 2012 HCCA Compliance Institute

Company Co-Designed Solution Series with Davis Wright Tremaine LLP; Drew Upon Firsthand Experience Providing Consulting and Advisory Services Under HIPAA Audit Pilot Program

Las Vegas, April 26, 2012 – HCCA Booth #205 – CynergisTek™, an authority in enterprise security and privacy solutions and services for healthcare organizations, today announced that the company will feature its new joint offering, the HIPAA Audit Readiness Solution Portfolio, at the 16th Annual HCCA Compliance Institute from April 29 through May 2 in Las Vegas. The CynergisTek experts designed the solution series in collaboration with the health information technology (HIT) and HIPAA team of national law firm Davis Wright Tremaine LLP (DWT).

At the HCCA booth, experts from each organization, including CynergisTek CEO Mac McMillan and DWT Partner Adam Greene, will be on hand discussing the new audit readiness portfolio, which was architected specifically to evaluate and improve an organization’s compliance with HIPAA/HITECH based on OCR’s HIPAA Audit Program. The companies will highlight the portfolio’s customized services, designed to accommodate the different audit readiness objectives of every healthcare organization, with components covering the full scope of audit preparation, from training and risk assessment to a full mock audit. In addition, McMillan and Greene will host “Ask the Expert” informal breakfast briefings in the exhibit hall on the mornings of April 30th and May 1st.

“The experience CynergisTek gained working with one of the hospitals selected for OCR’s HIPAA Audit Pilot Program provided us an opportunity to glimpse into the upcoming phase of compliance and enforcement that will soon become a reality for all healthcare organizations,” said McMillan. “In developing the solution series with DWT, we wanted to address new complexities that are being added to the already-daunting challenges facing compliance professionals today. In unveiling the HIPAA Audit Readiness Portfolio and engaging in discussions with our colleagues at the HCCA Compliance Institute, we hope to make strides in ensuring all healthcare organizations are equipped to handle OCR’s impending enforcement.”

CynergisTek will also be featuring its additional solutions and services, which are specifically designed to help healthcare organizations improve their security and privacy posture, facilitate compliance, advance operational efficiency and foster trust. CynergisTek’s managed and on-demand solutions address the fundamental elements of information security management, including:

  • Strategy and Governance
  • Compliance and Risk
  • Infrastructure
  • Technical Vulnerability Management
  • Audit
  • Managed Security Solutions

To learn more about the CynergisTek-DWT HIPAA Audit Readiness Solution Portfolio and CynergisTek’s range of enterprise security and privacy solutions and services for healthcare organizations, visit HCCA booth #205.

About CynergisTek

CynergisTek is an authority in healthcare information security and privacy management, regulatory compliance, IT audit and advisory services, business continuity management, security technology selection and implementation, and secure IT infrastructure architecture and design solutions. The firm offers practical, manageable and affordable consulting services for organizations of all sizes and complexity. Using an organized, planned and collaborative approach, CynergisTek applies multidisciplinary expertise to serve as partner and mentor, to enhance the consulting experience and, ultimately, clients’ compliance and business performance. CynergisTek participates in and contributes to HIMSS, AHIMA, HFMA, HCCA, AHIA and other industry bellwether organizations. For more information visit http://www.cynergistek.com, call 512.402.8550 or email info@cynergistek.com.

About Davis Wright Tremaine LLP

The national healthcare practice of Davis Wright Tremaine provides clients with comprehensive regulatory and transactional services, along with real estate, labor/employment, benefits, litigation, financing (including tax-exempt financing), bankruptcy and tax work. Most healthcare clients also face intense challenges in electronic health records and information management. The health information technology and HIPAA team of Davis Wright Tremaine is deeply involved in helping clients take advantage of emerging technical opportunities and cope with related obligations, including the ongoing HIPAA audits. Learn more at www.dwt.com or contact Adam Greene directly at adamgreene@dwt.com.

###

Media Contact:

Megan Malarkey

Senior Account Executive

Aria Marketing

(617) 332-9999, x215

mmalarkey@ariamarketing.com
