NAVEOS® Reminds Healthcare Organizations the HIPAA/HITECH Final Rule Deadline for Provision Compliance is September 23, 2013

Beginning September 23, 2013, entities that regularly handle patient information are subject to the enhanced HIPAA regulations and penalties set out in the final HIPAA regulations (the Final Rule), issued in January of this year by the Department of Health and Human Services, Office for Civil Rights (OCR).

NAVEOS®, a Virginia-based healthcare data analytics company, reports that the Health Insurance Portability and Accountability Act (HIPAA) / HITECH Final Rule, published in January, has heightened requirements regarding Privacy and Security of Personal Health Information (PHI). The Final Rule, considered an Omnibus Rule, requires all parties to comply with all provisions by September 23, 2013.

Mike Sabo, Vice President of Regulatory Affairs for NAVEOS®, states that the significant changes will affect all parties that handle PHI, from healthcare providers to their business associates and all other allowable third parties.

Sabo says, “It is imperative that healthcare organizations review the final rule in its entirety.” For all HIPAA-related information and the Omnibus Rule, go to the Office for Civil Rights (OCR) website: http://www.hhs.gov/ocr/privacy/index.html.

Highlights include:

RELATIONSHIPS between Covered Entities (CE) and their Business Associates (BA) and sub-contractors require a Business Associate Agreement (BAA).

It is imperative that all healthcare organizations have a BAA in place for all Business Associates.

ENFORCEMENT RULES: BAs and subcontractors are now subject to substantial criminal and/or civil liabilities.

Liabilities for BAs and subcontractors will be as if they were a Covered Entity.

BREACH NOTIFICATIONS

Removal of “Risk of Harm Assessment.”

The Final Rule states that impermissible disclosures of PHI will be considered a breach unless the CE or BA can demonstrate a “low probability that the PHI has been compromised.”

RISK ANALYSIS REVISIONS

The potential or presumptive breach “Risk of Harm Assessment” has been replaced by Risk Analysis Factors that should be considered and are designed to “focus more objectively on the risk that the PHI has been compromised.” The Final Rule states that the four factors below AND any other relevant considerations be included in the Risk Analysis:

1.    The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
2.    The unauthorized person who used the PHI or to whom the disclosure was made.
3.    Whether the PHI was actually acquired and viewed.
4.    The extent to which the risk to the PHI was mitigated.

NAVEOS® can advise healthcare providers on the impact of the HIPAA/HITECH Final Rule on their organization. If you have any questions regarding information in this press release, please contact Mike Sabo, Vice President of Regulatory Affairs for NAVEOS, at mike(dot)sabo(at)naveosdata(dot)com, or visit http://www.NaveosData.com.

Contact Author

Lisa Martin
NAVEOS
+1 703-444-2422