Plenty of HIPAA Action but Regs in Holding Pattern

Greetings, All,

If I keep waiting for the new rules to send a client message out, it may never happen, or so it seems.  So here's a summary of the latest goings on in the world of HIPAA.

Final HIPAA Rules Expected Maybe Someday

OK, so it's gotten so bad that I've about given up updating my slides in HIPAA presentations with the latest expected dates for release of the final HIPAA changes in the big Omnibus rule, and now it's clear we'll hear nothing before the election, so we'll see.  All of the uncertainty is causing a lot of inaction and stalling a lot of work that really needs to be done to get healthcare down the road to at least the present day, if not the future.  When will we see the regs?  Someday, maybe, maybe not.  Meanwhile, state attorneys general have sued business associates for violations under the HITECH Act, even without the regulations in place.  So we continue in regulatory limbo -- both the old and new rules apply...

HIPAA Audit Protocol Updated

At some point during September, without announcement, the HIPAA Audit Protocol was updated, improved, and moved to a new web page, leaving the old one still active without any notice that a new version had been published elsewhere.  Hey, thanks for the heads up!  Anyway, it's up from 165 to 169 questions, but the big news is the "Export" button that makes it possible to export the contents to something useful like a spreadsheet, where you can add columns for Item Number (so you can always sort things back to the original order!), unresolved questions, issues to be addressed, supporting documentation, and priority for resolution.  Once you do this, you can format the cells so the contents are readable (what a concept!) and use the HIPAA Audit Protocol as a master HIPAA compliance guide and documentation record.  Sort of like a simpler, less detailed, lightweight version of the NIST HIPAA Security Rule Toolkit.  It's still not perfect, and there are still some wonky questions, but it can actually be used.  Let me know if you'd like a copy of the protocol (as published on October 15, 2012) in a formatted .xlsx spreadsheet like the one I described, and I'll e-mail you one.
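Here is an added example of the spreadsheet workflow just described, in Python, so the numbering and tracking columns can be rebuilt from a fresh export instead of by hand.  This is example code written for this page, not the protocol's own export or any Lewis Creek Systems tool.  The export's header names and the four sample rows are constructed stand-ins for what the "Export" button produces; the real column names will differ, and the script only relies on the rows being a CSV with a header line.

```python
import csv
import io

# Columns the text suggests adding alongside the exported protocol questions.
TRACKING_COLUMNS = [
    "Unresolved Questions",
    "Issues to Be Addressed",
    "Supporting Documentation",
    "Priority",
]

# Constructed sample standing in for an exported protocol sheet.  The header
# names and rows are assumptions for this example, not the real export.
SAMPLE_EXPORT = """\
Section,Established Performance Criteria,Key Activity,Audit Procedures
Security,164.308(a)(1)(ii)(A) Risk Analysis,Conduct risk analysis,Obtain and review the risk analysis documentation.
Security,164.308(a)(1)(ii)(B) Risk Management,Implement risk management program,Obtain and review risk management policies and evidence of implementation.
Security,164.308(a)(5)(i) Security Awareness and Training,Train workforce on security,Obtain and review training materials and attendance records.
Security,164.312(a)(2)(iv) Encryption and Decryption,Encrypt ePHI at rest,Obtain and review evidence that a mechanism to encrypt ePHI has been implemented.
"""


def build_tracking_sheet(export_csv):
    """Number each exported question (1-based) and append empty tracking columns.

    The Item Number column is what lets you sort back to the protocol's
    original order after sorting by priority or anything else.
    """
    rows = []
    for number, row in enumerate(csv.DictReader(io.StringIO(export_csv)), start=1):
        tracked = {"Item Number": number, **row}
        tracked.update({col: "" for col in TRACKING_COLUMNS})
        rows.append(tracked)
    return rows


def record_finding(rows, item_number, priority, issue="", evidence=""):
    """Fill in the tracking columns for one item; priority 1 is most urgent."""
    row = next(r for r in rows if r["Item Number"] == item_number)
    row["Priority"] = priority
    row["Issues to Be Addressed"] = issue
    row["Supporting Documentation"] = evidence
    return row


def sort_by_priority(rows):
    """Highest priority first; items with no priority set sink to the bottom.

    Ties are broken by Item Number so the output is deterministic.
    """
    def key(row):
        unset = row["Priority"] == ""
        return (unset, row["Priority"] or 0, row["Item Number"])
    return sorted(rows, key=key)


def restore_original_order(rows):
    """Put the sheet back in the protocol's published order."""
    return sorted(rows, key=lambda r: r["Item Number"])


def to_csv(rows):
    """Serialize the tracking sheet so it can be opened as a spreadsheet."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    sheet = build_tracking_sheet(SAMPLE_EXPORT)
    record_finding(sheet, 4, 1, issue="Laptops not encrypted", evidence="Asset inventory 2012-10")
    record_finding(sheet, 1, 2, issue="Risk analysis out of date")
    print(to_csv(sort_by_priority(sheet)))
```

Import the CSV produced by `to_csv` into a spreadsheet and format the cells there; the priority sort puts the unencrypted-laptop item at the top, and `restore_original_order` gets you back to the published sequence whenever you need to cross-reference the protocol.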

And the Settlements Go On

Is this starting to sound like a broken record?  Organization loses a laptop, HHS OCR investigates, finds no laptop encryption, no real information security management process, no risk analysis, no policies and procedures, no training on using laptops, etc., etc., and a one-point-something million dollar settlement and an expensive Corrective Action Plan are the result.  This time it's Mass. Eye and Ear Infirmary (and Mass. Eye and Ear Associates) on the hook, for $1.5 million, plus a nice fat CAP.  So, do we all get the message yet?  Repeat after me: No unencrypted PHI on laptops or portable devices.  Otherwise, you are SO looking for trouble.

New Risk Assessment Guide Great for Federal Agencies, Not So for Health Care

Sorry, but the new NIST SP 800-30 Revision 1 is clumsy, fat, overwrought, and just about useless.  Use the old one.  The new one will make your head hurt.  So warned, the new version is available at:, and the old version (recommended) is still available at:  

New Incident Handling Guide Great for Everybody

This new update from NIST is a winner, and there's even an ITL (NIST's Information Technology Laboratory) Bulletin with more discussion and guidance.  NIST SP 800-61 Revision 2 is strongly recommended, available at: and the September ITL Bulletin is available at:  Take note!  If you have an incident and HHS investigates, they will want to see your incident management plan and the report from the incident.  Get to know SP 800-61 Rev 2 -- it is your friend.

More News and Resources

Yes, there's more -- announcements from Verizon about BAA-quality cloud services, new free privacy training resources from the Office of the National Coordinator, and the beat goes on.  See the Lewis Creek Systems site for more.

And Training Sessions

Don't forget to check the Upcoming Public Seminars schedule at to see what's coming up in person and on the Web.  If you need a serious HIPAA hit in the next week, I'm doing an intense 2-day session in DC on October 25 and 26 at the Marriott Courtyard Embassy Row -- see  

But life is not all HIPAA...

I'm off for a three-day Electric Bass Workout (see ) so I can concentrate on something other than HIPAA for a few days.  I find I am much more productive and work much better when I take the time out to concentrate on something other than what I concentrate on every day, which is HIPAA.  For me, it's music; for some it's fishing or working on their old car or gardening or something, but the message is, you'll be happier and get more work done if you remember to take care of yourself and spend time focusing on your joys.  So, if you need to reach me from this afternoon through the weekend, be prepared for a delay -- I'm taking care of some important business.

And as always,

If you have any questions, please let me know, and I'll be happy to do my best, though perhaps not until next week!


Copyright © 2002-2019 Lewis Creek Systems, LLC  Charlotte, Vermont, USA