Health Information Management

Digesting the HIPAA proposed rule: Part 2

HIM-HIPAA Insider, August 9, 2010

Editor’s note: This is the second in a series of articles breaking down the Department of Health & Human Services (HHS) HIPAA proposed rule published in the Federal Register July 14.

The following items are courtesy of Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, of Rebecca Herold & Associates, LLC, of Des Moines, IA. Herold will serve as one of the speakers of the HCPro, Inc. audio conference, “HIPAA’s New Proposed Rule: Prepare for Changes to Privacy, Security and Enforcement Regulations,” Tuesday, August 31:

  • Subcontractors are now BAs. Many subcontracted entities handle PHI, and it makes sense to make them BAs by definition and liable for breaches. “Including subcontractors is a very good thing,” Herold says. “They [are responsible for] many of the breaches.” It’s also good to see the following entities included under HITECH:
    • Patient safety organizations (PSOs)
    • Health information organizations (HIO)
    • E-Prescribing gateways
    • Other persons who facilitate data transmission
    • Vendors of personal health records
  • Updated definition of “electronic media.” The original definition became outdated quickly, Herold says. “The new one does allow for ongoing technological innovation and changes to be covered,” Herold says. “Pointing to a NIST definition is a good way to have it more consistent with other laws and regulations that also use this definition.”

Most Popular