Archive for the ‘Regulations’ Category

OSHA Issues Final Rule on Cranes and Derricks in Construction

Wednesday, July 28th, 2010

As of July 28, 2010 the Office of the Federal Register has posted a special filing of the final rule for OSHA regulation 29 CFR 1926 – Subpart N – Cranes and Derricks in Construction. The change in this rule came about because the original rule (written in 1971) had become more and more obsolete as new technologies developed over the last 39 years. For example, in 1971 hydraulic cranes were very rarely used in construction, whereas today they are considered the most prevalent form of lifting. Additionally, with the crane accidents, injuries and deaths of the last several years, OSHA was pushed to act and responded by updating the regulation.

The rule becomes effective 90 days after August 9, 2010, the date the final rule will be published in the Federal Register. Certain provisions have delayed effective dates ranging from 1 to 4 years.

The final standard addresses advancements in design, related hazards and the qualifications employees need to operate this type of machinery safely. The new standard also addresses the 4 main causes of worker deaths related to cranes and derricks: electrocution, being crushed by parts of the equipment, being struck by the equipment or load, and falls. Some highlights of the updated rule include:

  • Employers must assess the ground conditions prior to performing a hoist.
  • Employers must comply with local and state operator licensing requirements which meet the minimum criteria specified in § 1926.1427.
  • Employers must pay for certification or qualification of their currently un-certified or unqualified operators.
  • Written certification tests may be administered in any language understood by the operator candidate.
  • When employers with employees qualified for power transmission and distribution are working in accordance with the power transmission and distribution standard (§ 1910.269), that employer will be considered in compliance with this final rule’s requirements for working around power lines.
  • Employers must use a qualified rigger for rigging operations during assembly/disassembly.
  • Employers must perform a pre-erection inspection of tower cranes.

Additional compliance assistance will be released by OSHA in August of 2010 to assist construction companies with the additional regulations being set for cranes and derricks. BP RiskTools policies, programs and guidance documents will be updated to reflect the new rule as it becomes law. To learn more about how to obtain our Environmental Health & Safety/Business Process risk management tools and software solutions, please Contact Us.

To view a full copy of the regulatory text, Download the PDF.

Rite Aid to Pay Out $1 Million to Settle HIPAA Privacy Case

Wednesday, July 28th, 2010

In yet another groundbreaking privacy case, Rite Aid has recently agreed to pay out $1 million in a privacy case involving policy controls and procedures, where employees were voluntarily disposing of prescription containers with Personally Identifiable Information (PII) written on them. This action is a direct violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule; in addition, there were violations of the Federal Trade Commission's (FTC) FTC Act.

Rite Aid is one of the nation's largest chains of drug stores and will be required to implement best practices and corrective actions to prevent the violations from occurring in the future. Policies, programs and procedures should be implemented in this case, as well as a strict education and training program for the employees handling and exposed to these types of containers with customers' PII on them. Amazingly, this is not the first time this type of violation has occurred in the drugstore industry. In February of 2009, CVS Caremark Corp. agreed to pay $2.25 million to settle identical violations of the HIPAA rule. One might think a corporation would learn from its competitors' mistakes, but this is yet another instance where corporations appear not to take the HIPAA rules seriously or to understand the serious ramifications that can occur when they are not complied with.

Rite Aid was cited for several infractions by the Office for Civil Rights (OCR) and the FTC, which handle HIPAA compliance:

  • Rite Aid failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process;
  • Rite Aid failed to adequately train employees on how to dispose of such information properly; and
  • Rite Aid did not maintain a sanctions policy for members of its workforce who failed to properly dispose of patient information.

Under the HHS resolution agreement, Rite Aid Corporation (RAC) agreed to pay a $1 million resolution amount to HHS and must implement a strong corrective action program that includes:

  • Revising and distributing its policies and procedures regarding disposal of protected health information and sanctioning workers who do not follow them;
  • Training workforce members on these new requirements;
  • Conducting internal monitoring; and
  • Engaging a qualified, independent third-party assessor to conduct compliance reviews and render reports to HHS.

These are pretty straightforward controls that ALL companies that fall under HIPAA regulations should follow. The RiskAnalytics CyberRiskTools (CRT) Software platform provides the necessary policies and programs, training materials and best practice assessment tools to support compliance and risk assessment for all of the above infractions. Implementing the training, tracking the testing, and monitoring results are all benefits such a company can achieve by utilizing our platform to achieve proper cyber risk management.

Click Here to read the official U.S. Department of Health & Human Services (HHS) news release.

Dodd-Frank Act Signed into Law

Thursday, July 22nd, 2010

President Obama signed the Dodd-Frank Wall Street Reform and Consumer Protection Act (aptly named the “Dodd-Frank Act” for short) into law on Wednesday, July 21, 2010. The complete act covers every bit of 2,300 pages and has bearing on almost every single financial services company and industry in the country.

The goals and basis of the Act include restoring “public confidence” in the United States financial system, preventing future crises, and predicting and foreshadowing future financial asset bubble inflations. In addition, further regulation of the financial services industry will spur change in the way financial institutions do business.

To read the bill in its entirety, Click Here.

Below are some quick links to pertinent Business Process and Cyber Security related legislation within the Act:

  • Section 929I: Protecting Confidentiality of Materials Submitted to the Commission
  • Section 1071: Small Business Data Collection
  • Section 1082: Amendments to the Privacy Act of 1974
  • Section 1093: Amendments to the Gramm-Leach-Bliley Act
  • Section 1494: Study of Effect of Drywall Presence on Foreclosures
  • Section 1503: Reporting Requirements Regarding Coal or Other Mine Safety

Whether you manage Environmental Health & Safety or your business's Cyber Security Risk, the Dodd-Frank Act will have an impact on your risk management efforts. Continue to check back and read our blog about current events, regulations and risk identification, mitigation and controls to support your business operations.

States becoming more aggressive in HIPAA enforcement

Monday, July 19th, 2010

Connecticut Attorney General Richard Blumenthal has sued Health Net of Connecticut, Inc. for failing to secure private patient medical records and financial information involving 446,000 Connecticut enrollees, and for failing to promptly notify consumers endangered by the security breach.

Blumenthal is also seeking a court order blocking Health Net from continued violations of HIPAA (Health Insurance Portability and Accountability Act) by requiring that any protected health information contained on a portable electronic device be encrypted.

This case marks the first action by a state attorney general involving violations of HIPAA since the Health Information Technology for Economic and Clinical Health Act (HITECH) authorized state attorneys general to enforce HIPAA.

Obviously, the best policy is to ensure safeguards are in place to prevent these breaches from happening in the first place.

Administrative policy combined with technical controls and employee education are key to preventing these episodes from occurring. Breaches can affect an organization financially and can result in decreased productivity.