With the help of its external partners, Lighthouse Continuity Partners can provide specific disaster-related products including documentation templates, remote online computer system backup, information security services, HIPAA security audits, managed IT services and other products.

“We are excited to open our business office here in Greenville,” Chris Servia, president and chief executive officer, said in a news release. “Our location provides for full access to all areas of eastern North Carolina. For area businesses, there are several natural risks such as snowstorms, tornadoes and hurricanes. Each business also has unique risks inherent to the business industry of which they are a part. Our hope is that our business services can help protect and speed recovery in business disaster events.”

“Our partnerships ensure we can provide services to small, mid-size, and enterprise customers throughout the United States as well as locally. And our specialty includes planning for health care service organizations and helping them meet the electronic security specifications of HIPAA. We are uniquely qualified to help medical organizations prepare for disaster events,” Servia added.

The panel entitled, “Technology, Security Mandates, and HIPAA Privacy.” will cover the new mandates that ARRA has brought practices under HIPAA. “New mandates will force practices to adopt policies and procedures in order to avoid new enforcement provisions and significantly increased penalties,” said Waco Hoover, CEO, Institute for Health Technology Transformation adding, “These critical changes include: new provisions for accounting of disclosures; new patient rights that you will need to incorporate into your policies and staff training; new requirements should your patient data be breached; modifications that will need to be made to your business associate relationships; and increased penalties up to $50,000 per violation to a maximum of $1.5 million a year in the most egregious cases of data breaches.”

The panel will be moderated by Khalid Kark, Principal Analyst, Forrester Research, and speaking, along with John Abraham, will be Ram Krishnan, SVP of Products and Marketing, GuardianEdge; Carole Klove, Chief Compliance Officer & Privacy Officer, UCSF Medical Center; Robert Israel, Vice President & Chief Information Officer, John C Lincoln Health Network; and Aaron Carpenter, Chief Information Security Officer, Arizona Department of Health Services.

The Summit’s attendees include industry leaders and senior executives from the healthcare community with the following job titles: Chief Information Officer, Chief Medical Officer, Chief Medical Informatics Officer, Physician, Practice Manager, VP and Director of IT.

Although it has not been clarified in the regulations as to what constitutes demographic information, but DHHS has indicated that it “generally include[s] in this context name, address and other contact information, age, gender and insurance status.” It specifically excludes “any information about the illness or treatment” including any information about “diagnosis [or] nature of services.” DHHS has also been clear that the limitations apply to internal uses (solely within the covered entity) as well as “external” disclosures to business associates or institutionally related foundations. “Broad access to [PHI] is unnecessary for fundraising and unnecessarily intrudes on the privacy of the patient.”

HIPAA, again, does not offer any explicit definition of fundraising. The only reference available is the DHHS’s commentary that it is activity “for the specific purpose of raising funds” for the institution, rather than a general charitable purpose.

Again, the “institutionally related foundation” is defined as one qualified under the tax code (e.g., 501(c)3) that has an “explicit linkage” to the covered entity, or to a group of organizations of which the covered entity is one. “The term does not include an organization with a general charitable purpose, such as to support research about or to provide treatment for certain diseases” even if some of its resources may be given to the covered entity.

The provision for institutionally-related foundations was included because of tax code provisions that may not allow such foundations to be considered business associates. Note that the tax status of the covered entity — viz., for-profit vs. not-for-profit — does not affect the application of any of these rules.

As per the U.S. Department of Health and Human Services (HHS) updated standards of HIPAA (Versions 5010 and D.0) will replace the current standards (Versions 4010/4010A1 and 5.1). These are designed to promote greater efficiency in electronic transactions and compliance with the new HIPAA 5010 and NCPDP D.0 standards is required by January 12, 2012. The ICD-10 code sets are required in transactions as of October 1, 2013.

Emdeon has launched HIPAA Simplified as a resource to help guide the healthcare industry through the transition to the new standards. In December 2009, Emdeon senior vice president of corporate strategy and government services, Miriam Paramore, testified before the National Committee on Vital and Health Statistics and said, “Emdeon is committed to supporting our customers and leading the industry in compliance and adoption of the new standards and code sets. Our goal is to be ready in advance of the government mandated deadlines to ensure a smooth and successful transition.”

Permission for access must be provided by covered entities to DHHS “during normal business hours” to any information, including protected health information, relevant to determining compliance.

If an investigation pursuant to a general compliance review (or a specific individual complaint) indicates organizational violations, the Secretary must notify the institution (and any complainants) in writing.

The regulations direct the Secretary to “attempt to resolve [problems] by informal means whenever possible.” If informal resolution is not possible, the Secretary must issue formal, written findings, which presumably would raise the possibility of further investigation, and legal or financial sanctions.

Ram Krishnan, senior vice president of products and marketing at GuardianEdge, said, “Health care providers are entrusted with their patients’ most sensitive information, with the expectation that it will remain secure under all circumstances. Regulations such as HIPAA underscore these concerns. With our solutions, organizations in all industries that rely on sensitive customer or company information to conduct business are secure from internal and external threats, assisting with compliance efforts.”

• for the originator of the notes (i.e., the mental health practitioner), for treatment of the subject patient;
• for students, trainees or practitioners, for supervised training programs;
• to defend a legal action or other proceeding brought by the patient against the covered entity;
• for lawful health oversight activities or as otherwise required by law,
• for coroners or medical examiners (where the patient is deceased); or
• where, consistent with applicable law and the standards to ethical conduct, there is a good faith belief that the use or disclosure is necessary to prevent or lessen a serious threat to health or safety.

In a doctor’s office, the two rules that affect email compliance are the Privacy Rule and the Security Rule. Of the two, the Security Rule is more in-depth and essentially mirrors the Privacy Rule; its purpose is to focus on information and security best practices and revolves around the security cornerstones of confidentiality, integrity, and availability. The Security Rule focuses on everything from workstation management of information to facility access and transmission security. It is vital that any information you send via email, not speak of the patient’s identity or the problem they are facing; many offices will use initials when speaking about patients via email.

In the financial industry, email compliance is governed by the Gramm-Leach-Bliley Act. Also known as GLBA, it is basically the same law as HIPAA, just for a different type of business. It is designed to ensure the privacy and security of non-public personal information as it relates to individuals financial information. GLBA’s rules apply to mortgage lenders, banks, stock firms and others of the like. Within GLBA, the financial company is charged with several things: to designate an employee or employees to coordinate the information security program, to identify reasonably foreseeable risks to non-public information, to make sure their suppliers are also using safeguards, and to monitor all of the above.

To conclude, when it comes to email compliance, there are rules everywhere, and your business needs to know which apply to you and how to handle them. There are several ways to handle these issues, most of which include hiring at least some type of IT security firm to develop a total information security plan that will comply with recent, and future, government email regulations.

The insurer issued a statement Wednesday saying: “Protecting the privacy of our members is extremely important to us. Health Net’s company policy states that data must be encrypted and secure.”

“These missing medical records included some of the most personal, intimate patient information — exposing individuals to grave embarrassment and emotional distress, as well as financial harm and identity theft,” Blumenthal said in a statement. “The staggering scope of the data loss, and deliberate delay in disclosure, are legally actionable and ethically unacceptable.”

Health Net argues that there is no evidence of any of the missing data being misused. The company is offering two years of free credit monitoring to all affected members who want it, and has said that special software is needed to decipher information contained on the missing drive.

Nevada’s law addresses transaction data created by a customer’s use of a credit, debit, or other payment card, and personal information, and applies to “a data collector doing business” in Nevada. The law requires that a data collector that accepts payment cards is now required to comply with “the current version” of the PCI DSS, no later than the date for compliance set forth by the PCI DSS or the PCI Security Standards Council. Data collectors who do not accept payment cards must use encryption when transferring personal information through “an electronic, non voice transmission other than a facsimile” to a person outside the secure system of the data collector and when moving any data storage device containing personal information “beyond the logical or physical controls of the data collector.”

The Nevada law redefines “encryption” as

(1) “an encryption technology that has been adopted by an established standards setting body, including, but not limited to, the Federal Information Processing Standards issued by the National Institute of Standards and Technology”.

(2) “[a]ppropriate management and safeguards of cryptographic keys to protect the integrity of the encryption using guidelines promulgated by an established standards setting body, including, but not limited to, the National Institute of Standards and Technology.”

The new law also establishes a safe harbor by stating that a data collector is not liable for damages for a breach of the system data security if the data collector is in compliance with this law and the security breach is not caused by the gross negligence or intentional misconduct of the data collector, its officers, employees, or agents.