In a busy month for the Department of Health and Human Services, three significant rules and guidance documents were published in October that will affect Healthcare Providers and HIPAA Covered Entities.
The first, from OCR/HHS, clarifies that Cloud Service Providers are Business Associates and must meet the HIPAA requirements surrounding that designation. We are including the HHS statement dated October 7, 2016 and a valuable summary by Mike Semel, a trusted HIPAA advisor. Mike provides a great checklist of suggestions related to this OCR/HHS statement and ePHI.
If you utilize Cloud Computing (also known as “Hosting” or “Data Center” or “Virtual Infrastructure”), obtain a Business Associate Agreement (BAA) from the provider of that service.
Secondly, on October 14th, CMS issued the Final Rule for MACRA. MACRA comes into play January 1, 2017 and is the most significant reimbursement change for healthcare entities since Meaningful Use. The Final Rule eases some of the requirements of the Proposed Rule. Don’t be discouraged - remember how much we hated SGR! Read more about this final rule.
Also on October 14th, the ONC issued the Final Rule for EHR oversight. This rule expands the ONC’s authority to include decertification as a possible course of action for noncompliant products. Read more about this change.