HMT Newsletter Sign Up










Health Management Technology White Paper Library


 Industry Watch

Industry Watch

Email this article to a friend

   May 2013

The body as a source of Big Data 



Industry heavyweights launch Epic EHR help center

Dell, Red Hat, Intel and VMware have joined forces to open a dedicated center where hospitals can test and deploy a new option for running Epic Systems’ electronic health records (EHR) software on Red Hat Enterprise Linux. The DRIVE (Dell, Red Hat, Intel and VMware for Epic) Center of Excellence is located near Epic’s Verona, Wis., headquarters.

More small to mid-size hospitals are using Linux to run key applications, because using open-source versus proprietary platforms produces cost savings and improved interoperability benefits. St. Joseph’s Hospital Health Center, a 431-bed hospital and health system in Syracuse, N.Y., is one example. St. Joseph’s is also one of the first customers to turn to the DRIVE team for help in implementing Epic on Linux. The move is part of a 16-month conversion of the hospital’s EHR system. Working closely with both the hospital and Epic, the companies are making the best use of St. Joseph’s current infrastructure and resources to build a test and training environment, as well as preparing to deploy the full production system. In addition to training and planning assistance, the DRIVE team will provide ongoing support to fine tune the system for optimal performance.

“Using VMware and Red Hat Enterprise Linux to run Epic’s database on Dell’s x86 servers will not only significantly reduce hardware costs, but also will simplify our environment and allow our IT staff to focus on delivering the best user experience for our clinicians,” says Chris Snow, manager of IT systems engineering for St. Joseph’s. “We are confident that Dell and its partners have the deep experience required for this type of complex implementation.”

Email inquiries to




The Society for Imaging Informatics in Medicine (SIIM) 2013 Annual Meeting, June 6-9, Grapevine-Dallas, Texas, is the place to discover today’s imaging informatics essentials and trends. Educational sessions, exhibit hall hours and networking opportunities provide dynamic interaction between practitioners and vendors.

America’s Health Insurance Plans (AHIP) Institute 2013, June 12-14, Las Vegas, invites you to join thousands of health insurance decision makers to experience the industry’s premier educational event.

ANI: The 2013 HFMA National Institute, June 16-19, Orlando, presents financial management how-to solutions for pressing challenges like reform, value, clinical transformation, accountable care and revenue cycles.


The 2013 American Society for Healthcare Human Resources Administration (ASHHRA) 49th Annual Conference & Exposition, Sept. 28-Oct. 1, Washington, D.C., will feature more than 150 exhibitors and plenty of opportunities for networking and knowledge sharing on state-of-the-art services in healthcare HR.


Medical Group Management Association (MGMA) 2013 Annual Conference, Oct. 6-9, San Diego, will host thousands of professionals engaged in managing the business of medicine. Practice administrators and physician leaders are highly encouraged to consider team participation. More than 356 exhibiting companies shared their industry insights, products and services at MGMA12.

The 85th American Health Information Management Association (AHIMA) Convention & Exhibit, Oct. 26-30, Atlanta, will draw HIM professionals from all areas of health informatics and information management for an intense focus on HIM’s global transformation. Learn how to implement some of the most important changes in HIM history. Pre-convention workshops take place Oct. 26-27.



HIPAA Omnibus Rule

The ABCs for working with BAs: A 2013 update

By Rita Bowen and Jan McDavid


Rita Bowen, SVP
of HIM and privacy
officer, HealthPort
Jan McDavid,
compliance officer
and general
counsel, HealthPort

In mid-January, the Dept. of Health and Human Services (HHS) released its long-awaited HIPAA omnibus rule, which significantly amends the original HIPAA privacy, security and breach rules. Nowhere are the changes more impactful than in the relationship between covered entities (CEs) and business associates (BAs).

BAs are now, for the first time, directly liable for compliance with certain requirements of the HIPAA rules, including the cost of remediation of breaches for which they are responsible. The new rule went into effect March 26, 2013. Covered entities and BAs are expected to comply by September 23 of this year, so there is much work to do.

The following tip sheet includes a general overview of the new HIPAA rule and provides suggestions on how to best communicate the changes to BAs to ensure a smooth path to compliance.

What’s new for BAs in the new HIPAA rule?

• Security rule safeguards apply.

• Privacy rule use and disclosure rules apply.

• They can use protected health information only as stated in the business associate agreement.

• Penalties can now be assessed on BAs.

• BAs are now responsible for having business associate agreements (BAAs) with their subcontractors, who will now be treated as BAs.

CEs must have BAAs with their BAs, and BAs must have BAAs with their subcontractors. Key components must include:

• Start date, expiration date, review dates and signatures.

• Terms and conditions of how to use or disclose private health information (PHI), data rights, security, etc.

• New language surrounding breach notification and the securing of data.

• New disclosure-related requirements concerning EHRs.

• Policies and procedures for retention and destruction of data and the recording and reporting of breaches.

What’s the process for updating the BAA?

• Arrange by expiration date to evaluate risk and/or priority.

• Evaluate current liability and indemnification details regarding breach incidents.

• Evaluate to include the new required elements.

• Determine if the BA is classified as an “agent.” If so, include stringent requirements for security reviews and documentation of compliance.

Quick start guide

• Download the 563-page rule ( and become acquainted with it – in intimate detail.

• Review the new requirements, and adjust your policies and notice-of-policy practices accordingly.

• Ensure that policies have been applied.

• Complete a thorough assessment of risk.

• Implement and train.

• Evaluate your BAAs and prioritize by risk and need for updates.

• Ensure your BAs can meet the capabilities of the new regulatory requirements.

• Ensure that BAAs provide adequate coverage of incident and breach handling.

Overall, devise a detailed plan for moving forward. Follow your plan, stay focused and document your steps. Willful neglect will cost you, so don’t be in denial!


Risk-assessment tool helps BAs address HIPAA compliance

Are you a healthcare business associate (BA) or subcontractor wondering about your compliance status regarding the new HIPAA Final Rule changes? Kroll Advisory Solutions has a program that can help.

The “Business Associate HIPAA Self-Risk Assessment (BA HSRA)” is Kroll’s self-guided tool based on HIPAA provisions, security best practices and guidance from the National Institute of Standards and Technology (NIST). Developed in collaboration with Grant Peterson, J.D., chief compliance officer and founder of HIPAA Analytics, the Kroll tool produces valuable performance measurements, remediation insight and forms for attestation of HIPAA compliance status. Users can identify vulnerabilities within their administrative, physical and technical security safeguards and pinpoint privacy aspects where improvement is needed. The assessment is delivered via Kroll’s secure client portal. A competitively priced program allows for one year of unlimited access.

Learn more at

Tags:  Industry Watch