July 14, 2010 InFo

ANNOUNCEMENT
NEW HIPAA RULE PUBLISHED IN JULY 14 FEDERAL REGISTER – CAMPAIGN TO BEGIN ON MONDAY, JULY 19 – A new proposed rule has been issued by Health and Human Services. The Federal Register download has been loaded onto the Resources area of the PRISM Community and can be accessed at the following link:
http://edocket.access.gpo.gov/2010/2010-16718.htm
A text version can also be accessed from the Federal Register at this link:
http://my.prismintl.org/resources/profile/view/id/1182
 
This rule is primarily responsible for modifying the Privacy Rule, Security Rule and Enforcement Rule so that they conform to the HITECH Act. PRISM staff has conducted a preliminary review of the rule and has flagged the following areas that could impact your business if the rule becomes final, as proposed:

• The Business Associate definition has been broadened to include, among other things, “administrative” functions and also a “person who offers a personal health record to one or more individuals on behalf of a covered entity”.
• Responsibilities of subcontractors to Business Associates are modified throughout the rule to duplicate the responsibilities of the Business Associate. In other words if a Business Associate employs a subcontractor to carry out the work, a shredding contractor for example, the responsibilities of that shredding contractor are essentially the same as those of the Business Associate.
• The Secretary of HHS is given wide latitude in determining the severity of penalties and civil monetary fines based on mitigating factors
• Established positive defenses for non-compliance at various time periods during implementation of the various HIPAA rules (before February 18, 2009; between February 18 2009 and February 18, 2011; and after February 18 2011).
• Modifies administrative and physical safeguards in the security rule
• Modifies the conditions that must be included in Business Associate Agreements and requires agreements for subcontractors• Establishes transition provisions and deadlines with some flexibilities to make modifications to existing agreements.
• Please note that this is not a comprehensive list of changes proposed in the rule; this list has not been reviewed by legal counsel and so should not be relied upon for business planning purposes. It is provided as a convenience summary to members of PRISM International. Please consult with your own legal counsel before modifying your Business Associate Agreement or business practices.
• Based on discussions between PRISM International and Health and Human Services, all PRISM International members in the United States (and as many non-members in the United States as we can contact) will be asked to comment on this rule. We have developed a resource page to assist members in commenting. In the course of commenting on the rule, we would ask members and non-members to stress two important points:• Covered Entities have been using changes in HIPAA rules as an excuse to shift indemnification from themselves to Business Associates. There is no law or rule that requires this.
• If records storage companies provide minimum services to Covered Entities that do not require them to use or disclose PHI, they should not be treated any differently than a common carrier such as FedEx or UPS, who are not considered Business Associates.

In communications between PRISM International and the Small Business Administration Office of Advocacy, which may be able to assist PRISM International with this issue, the SBA advocacy attorney with liaison responsibilities to HHS suggested that individually written letters and not form letters have the greatest impact. He also stressed the need to quantify the costs associated with compliance and specifically address the risks and burdens that these rules place on small business.
PRISM International has established a resource page on this issue here:
http://www.prismintl.org/2010-hipaa-campaign-key-points
Look for a special communication about this campaign next week.
 
REMINDERS
REGISTRATION FOR 2010 DATA PROTECTION WORKSHOP IS NOW OPEN – If you are looking to boost your data protection business, learn new techniques, trim operating costs and increase sales then Winston-Salem North Carolina is the place for you this October 19-20. In addition to outstanding educational sessions and spectacular networking opportunities, this event will also feature a tour of DataChambers, who just completed a 20,000 square foot expansion of their data center. Make sure to download the brochure and make plans now to attend this very special event. Here is the link: http://www.prismintl.org/events/2010/10/prism-international-data-protect....
 
REGISTRATION FOR 2010 JOINT EUROPEAN CONFERENCE IN ATHENS IS OPEN – PRISM International and NAID are once again teaming up to bring you an exciting Joint European Conference Event. The conference will be held at Westin Astir Palace Beach Resort in Athens on September 27-29, 2010. As with past conferences, the breakout sessions will divide by organization (NAID Europe will provide a session track on information destruction issues and PRISM International will offer a track on information management issues.) Members are encouraged to download and share the conference brochure with friends. The conference brochure can be downloaded here: http://prismintl.org/events/2010/09/joint-european-region-conference
 
FEATURE
REVIEW OF SOME GLOBAL RESOURCES RELATED TO INFORMATION MANAGEMENT – In order to provide clients with services and benefits, it is sometimes necessary to know what types of free resources are available. Here is a quick review of resources that can be used around the world to help promote records and information management.
 
“WHY RECORDS MANAGEMENT” – This book is published by PRISM International. The book, authored by records management professor and consultant Mike Pemberton, Ph.D., provides a basic overview for records management. It is available to members in digital form for free on the members only section of the PRISM International website at this link: http://prismintl.org/publications.
 
INTERNATIONAL RECORDS MANAGEMENT TRUST TRAINING MODULES – The International Records Management Trust is a non-profit UK registered charity that does project work to improve records and information management around the world. The IRMT has two educational modules that may be accessed for free. Public Sector Records Management and Training in Electronic Records Management. There are also some training materials translated to Spanish on the website. You can access and download these materials here: http://www.irmt.org/educationTrainMaterials.php.
 
ARMA INTERNATIONAL EDUCATIONAL FOUNDATION RESEARCH REPORTS – The ARMA International Educational Foundation conducts research on behalf of the records and information management discipline. Once completed, this research is usually presented at the ARMA International Annual Conference and is also available for free download from the ARMA International Educational Foundation website at this link: http://www.armaedfoundation.org/reports.php.
 
NATIONAL ARCHIVES OF AUSTRALIA DIRKS MANUAL – The manual titled Designing and Implementing Record Keeping Systems (called the DIRKS manual) is one of the most comprehensive records management resources available for free. The manual is published online by the National Archives of Australia and is a companion to the predecessor of ISO 15489 parts I and II (AS 4390). The manual can be downloaded in segments from this link: http://www.naa.gov.au/records-management/publications/dirks-manual.aspx.
 
NATIONAL ARCHIVES AND RECORDS ADMINISTRATION INSTRUCTIONAL GUIDE FOR VITAL RECORDS PROTECTION – This free online instructional guide is an important resource for both records management clients and commercial records centers. Clients and consultative sales personnel can use the educational resources in the guide to become well backgrounded on vital records protection and how to establish a vital records program, conduct contingency planning activities and conduct disaster mitigation activities. In addition, Appendix D of the guide has an excellent template for preparing a disaster plan for a records center. Here is the link: http://www.archives.gov/records-mgmt/vital-records/.
 
The Internet is rich with templates, resources and studies that can help clients manage information more successfully. Members are asked to share any additional resources through the PRISM Community in the Resources area. Contact a member of the PRISM International staff to learn more.
Next Week: Examining the French Records Center Standard

Contact:
Jim Booth, Editor
V: 919-771-0657
F: 919-771-0457
E: jim@prismintl.org