Building Assurance Through HIPAA Security, Washington D.C., May 10th-11th

360 views

Published on

Healthcare IT transformation is well underway and IT security will play a major role in whether or not we, collectively, succeed as an industry, as a major part of the U.S. economy and as a country.

While I gained a wealth of information and education from this conference, I want to summarize a few of the most important “take-away” items here.

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
360
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
3
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Building Assurance Through HIPAA Security, Washington D.C., May 10th-11th

  1. 1. Building Assurance through HIPAA Security,Washington D.C., May 10th-11thLast Monday night, I boarded a “red-eye” flight from LAX to Dulles to attend the OCR/NIST HIPAA SecurityConference. I landed at 6:15AM, did a quick change into my business attire, grabbed some coffee, rented a car,and found my way to the Ronald Reagan Building at 1600 Pennsylvania Avenue, 3 blocks from The WhiteHouse. I thankfully arrived just before the breakfast buffet ended and took a seat at the back of the conferenceballroom.The room was packed with 400+ attendees – literally standing room only until the conference organizers couldarrange for more chairs to be brought in. The congregation included providers, government policy-makers,healthcare lawyers, academics, vendors, and consultants. From the start of the conference at 9AM Tuesdaymorning to well after 4PM Wednesday afternoon, there was a sense of purpose in the air. Healthcare ITtransformation is well underway and IT security will play a major role in whether or not we, collectively,succeed as an industry, as a major part of the U.S. economy and as a country.While I gained a wealth of information and education from this conference, I want to summarize a few of themost important “take-away” items here.- The development of Stage 2 “meaningful use” requirements is well underway. Security will remain a keyfocus. New providers will be expected to conduct a HIPAA security risk analysis (SRA) and Stage 1 qualifierswill be ask to “update and re-assess” the previous SRA they completed in order to meet Stage 1 attestation.- While still likely stopping short of mandating encryption, Stage 2 meaningful use will also “shine a spotlight”on the security of data at rest, according to Deven McGraw, co-Chair of the HIT Policy Committee “TigerTeam” and Director of the Health Privacy Project at the Center for Democracy and Technology.- A batch of final regulations dealing with healthcare privacy and security issues will be issued in one“Omnibus” package to be released this year and likely within months, if not within weeks. This will include:  HITECH Act modifications to the HIPAA privacy, security and enforcement rules.  The final version of the breach notification rule, replacing the current interim version.  Formalizing privacy provisions under the Genetic Information Nondiscrimination Act that forbids use of genetic information for insurance underwriting and categorizes such use as a violation of both privacy and non-discrimination regulations. WEB PHONE EMAIL WWW.REDSPIN.COM 800-721-9177 INFO@REDSPIN.COM
  2. 2. - Sue McAndrew, Deputy Director for Health Information Privacy at the Office of Civil Rights (OCR) calledthe HIPAA security risk analysis provision a foundational element of HITECH, along with updating the SRAregularly and implementing reasonable and appropriate safeguards.- Ms. McAndrew further confirmed and clarified that business associates and their subcontractors will have thesame obligations as covered entities under the HIPAA Security Rule and therefore must conduct their ownHIPAA security risk assessments. Within 12 months from the issuance of the Omnibus NPRM, businessassociates will be directly liable for the breach of protected health information (PHI) under HITECH Actsections 13401 and 13404. She went on to describe this extension of directly liability to business associates “asea change” in the regulations.- Stepped-up enforcement of the HIPAA security and privacy provisions is on the way. Federal enforcementtraining of State Attorneys Generals offices was done in Texas this past April, and will be conducted in Atlantaand Washington D.C. by end or May and in San Francisco in early June. WEB PHONE EMAIL WWW.REDSPIN.COM 800-721-9177 INFO@REDSPIN.COM

×