Monday, April 19th, 2010 at 9:00 am

The Office for Civil Rights (OCR) has begun to publish the list of organizations that have had breaches of patient information affecting more than 500 people. In browsing this list, it's important to note that it is not just the covered entity that is listed, but also the business associate, if one was involved.
In the list of breaches, OCR lists the company, the business associate if applicable, how many people were affected, what kind of breach occurred (theft, unauthorized access, other), and what kind of device was involved. It's interesting to peruse this list and see that laptops are frequently being stolen, and sometimes even a network server.
The first step in making sure you never end up on this list is to know where you fit in the definitions in the rules. Knowing what category you are in helps determine what your responsibilities are under HIPAA and the HITECH Act.
What are you doing to be sure that the information you work with is protected? Are all of those files sitting on your devices encrypted, so that if a device is stolen the information isn't breached? Do your policies and procedures outline how to handle a breach, and are they in written documentation?
If you are a covered entity, have you updated your business associate contracts with the new requirements for business associates? If you are a business associate, you probably have a lot more to do than those who are covered entities simply because some of this is new for you.
Do what you can today to be ready should a breach happen in your organization. This is not a list you want to show up on!
Monday, April 12th, 2010 at 7:00 am

That question is one I hear a lot recently. What's all the fuss about? Why do I need to pay attention to all of these new "rules"? Isn't it just a way for someone to make money?
With the passing of the HITECH Act, the HIPAA rules and regulations have undergone some big changes. Things that previously could be overlooked can no longer be ignored. Business associates are now required to implement the things in the security rule and much of the privacy rule. Even something as simple as not having written policies and procedures will mean you are not compliant.
"It won't happen to me." So many people seem to be thinking that, while they understand there are new rules, the rules really don't apply to them because their business is so small it just won't matter. And so, like the ostrich with its head in the sand, we move along thinking that as long as we don't address it, no one will see we're out there.
While it may seem daunting, being compliant really isn't that tough. There are a lot of simple things you can do to ensure that you have taken the necessary steps. And having written documentation that shows you're making a good-faith effort will go a long way if you do happen to be one of those who gets audited. Random audits are now required, and nothing in the rules says to go after only big organizations. Protection of patient privacy applies to everyone, no matter how big or small you are.
We are already seeing the effects of the new laws. HHS has already posted the first group of breaches on its website. And by the way, it's not just healthcare organizations: where it applies, each business associate involved is also listed. That sure isn't a way to get good publicity for your business.
What about you? What's stopping you from taking the steps toward compliance?
Monday, April 5th, 2010 at 10:49 pm

As the healthcare industry struggles to figure out how to implement the recent changes to the HIPAA rules and regulations brought about by the HITECH Act, one question that often comes up is where to start. It is perhaps the best question to ask for those who are trying to wade through the myriad subjects involved. Everywhere you turn, someone is discussing HIPAA, HITECH, privacy, and security.
One of the first things listed in the HIPAA security rule is to do a risk analysis. As you read through the rule, this can seem a daunting task at best. And yet it's required, and your findings must be documented. Your risk analysis then becomes the blueprint for your risk management process. It's not enough to address risks as they occur, although you certainly have to do that as well. What is important is to know where the holes might be in your current operations and to find ways to minimize them.
In addition to looking at your own business processes, consider that many organizations use an application service provider, or ASP, to host the system that manages their documentation. That means working with your vendors to be sure you can document how that system supports your compliance.
If you haven't already done it, get your risk analysis started today! It is one of the first steps in your compliance process for the security rule.