Monday, February 11, 2013

Law Firm HIPAA / HITECH -- More Details, Developments and Advice

Following last week's post on the implications for law firms of the recent HIPAA rule changes, here are additional stories worth noting:

Law Technology News digs into greater detail on breach notifications: "The HIPAA Final Rule Is a Game-Changer for Breach Notification" --
  • "Your email inboxes have likely been flooded with updates regarding the U.S. Department of Health and Human Services' final rule to strengthen the privacy and security protections of health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA)."
  • "The Final Rule, among other things, enhances a patient's privacy protections, provides individuals new rights to access their health information, and strengthens the government's ability to enforce the law... The biggest change for everyone is probably the definition of a breach. Prior to the final rule, and up until March 26, a HIPAA/HITECH breach was defined as a use or disclosure that caused a 'significant risk of financial, reputational, or other harm.'"
  • "The final rule has changed the definition of a breach. An impermissible use or disclosure of PHI or ePHI is presumed to be a breach unless the CE or BA demonstrates that there is a low probability that the PHI or ePHI has been compromised."

Looking at steps organizations should take to mitigate new risks, business and technology analysis site GigaOM asks: "Are health care companies prepared for the new HIPAA privacy and security rules?" The article includes commentary from Kirk Nahra, partner and co-chair of Wiley Rein's healthcare practice group:

  • "Even though the ruling has been expected for some time, companies in the industry are all over the map when it comes to being prepared. Some have the security infrastructure, policies and documentation in place, he said, but others have a ways to go before being in compliance. Although the act goes into effect in March, companies don’t need to be compliant until September."
  • "To meet the new standards of the law, Nahra said, companies may need to evaluate the extent to which they encrypt data, train all employees on privacy and security, develop appropriate procedures for the disposal of information, designate a security official and implement appropriate contracts with subcontractors, among other tasks."
  • "'It’s a big deal,' said Nahra. 'The government hasn’t been incredibly aggressive about enforcing it, but they’re getting more aggressive.'"
