HIPAA Compliance Questions to Ask as HITECH Date Nears
Editor's note: This is the first of a three-part series this week focusing on expert advice on complying with HIPAA and preparing for HITECH regulations. The HITECH compliance date for business associates to comply with the security rule is Wednesday, February 17.
As a HIPAA covered entity, you should watch HITECH closely.
So as your organization works to comply with breach notification regulations and sets up a "harm threshold" risk analysis team, per HITECH, it should also go back to HIPAA security 101.
"HITECH did include significant changes, but the bottom line is and especially security officers need to do is make sure they actually comply with the HIPAA Security Rule," says Chris Apgar, CISSP, president, Apgar & Associates, LLC, in Portland, OR.
Business associates (BAs) are concerned that by February 17, they must comply with the HIPAA Security Rule and the use and disclosure provisions of the privacy rule. In reality, Apgar says BAs should have been compliant since 2003 for privacy and 2005 for security, by contract.
"Yes, the new requirements [especially breach notification] need to be addressed, but the bottom line is many covered entities and business associates have consistently failed to comply with the HIPAA Security Rule," Apgar says. "I find this over and over when conducting compliance audits."
And it's not as if HIPAA Security Rule compliance is all technical. The most significant risk, and the largest section of the security rule itself, is administrative safeguards.
"You can have the best technical security infrastructure in the industry, but that will not adequately protect against breaches and carelessness," Apgar says. "This is another reason why training and policies and procedures are so important."
- As Retail Clinics Surge, Quality Metrics MIA
- Providers' Push to Consolidate Roils Payers
- Medicare Cost, Quality Data Tools Weak, Says GAO
- No Employee Satisfaction, No Patient-Centered Culture
- RN Named Chief Patient Experience Officer
- Former NQF Co-Chair Linked to Conflicts of Interest in Journal Probe
- Population Health Pays Off for NY Collaborative
- How Simple Data Analytics is Driving Physician Incentives
- AMA Pushes Lame Duck Congress for SGR Repeal
- In PCMH, the 'P' is Not for 'Physician'