

HIPAA: Advisory Workgroup Proposes PHI Security and Privacy Requirements Should Apply to All Organizations

The Department of Health and Human Services (HHS) has a Confidentiality, Privacy, and Security Workgroup, also known as the American Health Information Community, that is made up of practitioners, IT folks, lawyers and other leaders outside of the government who want a say in how protected health information (PHI) is safeguarded, shared, and otherwise handled.

This group met on April 12, 2007 to discuss personal health records and personal health exchanges along with the effectiveness of HIPAA.

They created a draft policy that, if adopted by the HHS, would require all persons and entities that store, compile, transmit, or access electronic PHI to meet all the HIPAA requirements. Currently the only organizations that must follow HIPAA are covered entities (CEs): healthcare providers, healthcare insurers/payers, and healthcare clearinghouses.

Business associates (BAs; generally those businesses that handle PHI in some way for CEs) are currently not directly covered by HIPAA, but CEs must have contracts in place specifying the safeguards the BAs must follow.

The HHS Secretary, Michael O. Leavitt, has stated in various speeches and reports his opposition to such a plan, indicating that making such changes would upset the years of regulatory work already done and delay the goal of establishing a nationwide health information network by 2014.

I personally think it is a good idea to make the PHI safeguarding requirements applicable to any organization that handles PHI. And, in addition to this, it would be good to expand this to all personally identifiable information (PII), and move the enforcement oversight from the HHS, which has been completely ineffective so far, to the much more proactive Federal Trade Commission (FTC).
http://www.ftc.gov

Yes...then the U.S. would finally have one comprehensive PII protection law being enforced by an agency that is proactive.

Why do I always get an image of Barney Fife in my mind when I think of the HHS and HIPAA enforcement...and them having only one bullet for their enforcement gun that they can never use?


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.