
Guest Post: HITECH Alters HIPAA—Will HIPAA be 'Hip'?

The following is a guest post by Bindu Sundaresan, a consulting manager in our Risk & Compliance consulting practice.

With the current "non-stimulating" economy, there is a lot of talk about the "stimulus" bill which is impacting all areas of the US economy. One such impact is the reason for today's blog post.

A portion of the new economic stimulus bill, called the Health Information Technology for Economic and Clinical Health Act (the "HITECH Act"), will have a significant impact on the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This new law revives HIPAA which, although it has been around for over a decade, has often gone unnoticed and has not been strongly enforced, leaving little incentive to comply amongst the other regulatory demands.

Changes to HIPAA become effective one year after the enactment of the HITECH Act—February 17, 2010—but proactive actions have to be taken by healthcare providers and their partners in order to comply with the new law.

There is a need for some reworking and rethinking by "covered entities" and "business associates", the terms that HIPAA created for the parties dealing with health information.

"Covered entities" include physicians, hospitals, health plans and health care clearinghouses that store, process, or transmit health information.
"Business associates" are those who use health information to perform services on behalf of a covered entity, such as legal, accounting, consulting or administrative work.

Highlights from the HITECH's impact on HIPAA:

  • Expanded obligation and direct regulation of business associates
  • New restrictions on use and disclosure of Protected Health Information (PHI), including sale and marketing
  • Affirmative notification of breach requirements
  • Increased enforcement and penalties, including applicability to business associates
  • Federal security breach notification requirement

Useful tips to get the ball rolling:

  • Develop an inventory of your current business associates and third party vendors.
  • Develop a PHI data flow map that maps PHI data to critical systems and assess whether those systems can meet the new standards.
  • Identify entities with which you share PHI that may be subject to the same privacy and security rules as covered entities, and carefully manage data exchanges with them.
  • Get your Legal department involved now and draft new legal agreements for business associates that comply with the Act.
  • Update your HIPAA privacy and security policies and procedures.
  • Develop or modify your existing Breach Notification Policy to comply with state and federal breach notification provisions.
  • Develop a comprehensive Incident Management policies and procedures framework that helps achieve compliance not only with HIPAA but also with other applicable regulatory requirements, industry standards, and internal requirements.

Are you ready to play ball, or are you going to pay the price of non-compliance? Are you going to be part of the next wave in secure healthcare infrastructure, or will your information be a washout? The new rules are here to stay, so get on board with a plan and jumpstart your compliance initiatives. And don't forget to seek advice from your friendly security consultant!

Comments

Wow Bindu, you've done an excellent job outing yourself as someone who doesn't know much about HIPAA.

"This new law revives HIPAA (which has been around for over a decade),"

HIPAA may have been signed into law in 1996, but it only went into effect in its final form in 2003.

"Changes to HIPAA become effective one year after the enactment of the HITECH Act—February 17, 2010"

Incorrect. See the following link for a timeline of when the different provisions go into effect.
http://geekdoctor.blogspot.com/2009/03/timeline-for-arra-privacy-provisions.html

"Highlights from the HITECH's impact on HIPAA"

I don't get the sense you even know what it is you are writing about here. Did you just cut and paste this off another website or something?

Thank you for the reference!

You are right about the fact that HIPAA became effective in 2003 and the law was signed in 1996. Having said that, when I wrote "This new law revives HIPAA (which has been around for over a decade)", that is still correct, because the law has been around since 1996.

Source: Wikipedia
http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act

Some of the changes are effective starting Feb 17, 2010, but the general idea was to be able to provide some pointers on getting started.

As far as my knowledge of HIPAA and HITECH goes, I did not claim to be an expert at this and I did not come up with the law or its requirements. I was providing my opinion/guidance based on my experience and industry best practices.
