Friday at Five – 10/15/10

Join us every Friday at Five for our weekly top 5 favorites in the world of HIT and HITECH. This week our HIPAA Security expert Bob Chaput has contributed posts on HIPAA and HITECH. Here are five things to remember.

  1. The Security Rule, reinforced by the HITECH Act, requires a CE and a BA, in accordance with the security standards general rules (CFR §164.306), to have a security management process in place “to implement policies and procedures to prevent, detect, contain, and correct security violations.”
  2. The Office for Civil Rights (OCR) is responsible for issuing annual guidance on the provisions in the HIPAA Security Rule. (45 C.F.R. §§ 164.302 – 318.) This series of guidances will assist organizations in identifying and implementing the most effective and appropriate administrative, physical, and technical safeguards to secure electronic protected health information (ePHI).
  3. A thorough HIPAA Security Compliance Assessment broadly covers all aspects of the law including all 18 Standards and 42 Implementation specifications that comprise the Administrative, Physical and Technical Safeguards (CFR 164.308, 310, 312). Additionally, this assessment would cover CFR 164.314 and 316 related to Organizational Requirements, Policies and Procedures and Documentation.
  4. A HIPAA Security Risk Analysis (§164.308(a)(1)(ii)(A)) is required by law to be performed by every Covered Entity and Business Associate. Additionally, completion of the Risk Analysis is a core requirement to meet Meaningful Use requirements.
  5. New dynamic HHS web site that posts “Breaches Affecting 500 or More Individuals”.

Contact Bob Chaput directly with additional questions. He can be reached at:

Looking for a HITECH ready Business Associate Agreement? The provisions in the Business Associate Agreement model for sale on this site meet the requirements of both HIPAA and the HITECH Act. The agreement comes with a Users Guide and is downloaded upon purchase.