The HIPAA Safe Harbor bill has passed the Senate without amendment and with unanimous consent. Known formally as H.R. 7898, the HIPAA Safe Harbor Bill amends the HITECH Act to direct the Department of Health and Human Services (HHS) to recognize organizations that follow security best practices, such as those that have HITRUST CSF Certifications.
It’s hoped that allowing HHS to take these cybersecurity practices into account when determining its rulings will encourage companies to adopt suitable security measures and certifications, while also reducing unfair punishments for those that had appropriate mitigation tactics in place.
What Is the HIPAA Safe Harbor Bill?
The HIPAA Safe Harbor bill gives HHS new factors to consider when auditing covered entities and business associates in situations that may result in fines. The changes incentivize organizations to adopt security best practices, because those that do will not face heightened scrutiny from regulators or be burdened with additional proof-of-compliance measures.
More specifically, the legislation amends the HITECH Act to require HHS to take on new considerations when determining enforcement actions or other regulatory compliance activities. The HIPAA Safe Harbor bill’s changes mean that HHS will have to consider whether business associates or covered entities have met recognized security standards in these situations.
Under the new bill, HHS will have to take an organization’s cybersecurity posture into account when calculating fines that result from data breaches and other security incidents. If the organization can show that it has followed ‘recognized security practices’ for more than the past 12 months, then fines may be mitigated.
The bill also allows HHS to reduce the extent and length of its audits once it has determined that a provider meets cybersecurity best practice requirements. A history of following these requirements may also mitigate the remedies needed after violations of the HIPAA Security Rule.
The HIPAA Safe Harbor bill’s changes mean that organizations with HITRUST CSF Certifications can meet their compliance obligations under HIPAA’s Security Rule. Its recognition of companies with HITRUST CSF Certifications should also encourage other entities to proactively demonstrate their compliance.
The bill also recognizes the security standards, guidelines and practices developed by NIST and other similar authorities. The HIPAA Safe Harbor legislation’s incentives for covered entities and business associates aim to improve overall protections for health data.
The HIPAA Safe Harbor Bill: LuxSci Is HITRUST CSF Certified
The core of LuxSci’s business relies on high levels of security and compliance, so we are proud to be HITRUST CSF Certified. Our systems and services have been independently verified to conform with the HITRUST CSF Assurance Program. This includes security controls for Massachusetts Privacy Law, the GDPR and HIPAA.
The certification covers all of our services at the time of the assessment, from our secure web forms to our email and web hosting. It likewise covers the systems in place at that time, such as firewalls, load balancers, email servers, backup servers and more.
The comprehensive nature of the HITRUST CSF Certification program, along with LuxSci’s constant commitment to the best in security and compliance, ensures that our clients are always in trusted hands.