• HITECH business associate deadlines looming

    10Feb
    Author: ben Categories: IT Management, Security Comments: 0

    We wrote about the HITECH act and its impact on business associates a little less than a year ago. By February 18, business associates are required to:

    • Comply with the HIPAA security and privacy rules
    • Provide medical information breach notifications
    • Work with the Department of Health and Human Services to perform compliance audits as requested
    • Train employees on HIPAA and its requirements for business associates

    BAs, I hope you’re taking note. Violations can incur fines for as much as $1.5 million per year and, in the most serious circumstances, may include prison time. According to HITECH, DHHS audits are also mandatory beginning 2/18/2010. (See sections 13410 and 13411).

    Most of the associates that I’m familiar with haven’t made many changes in the past year to improve HIPAA compliance. So what should any self-respecting business associate, now subject to these somewhat draconian and certainly expensive rules, do to avert heavy fines and lost productivity? Avoid becoming a business associate at all costs.

    First, re-evaluate whether the business truly qualifies as an associate, for one. In the past, BAAs had very few directly applicable requirements, and those that were in place were rarely or never audited and enforced. Businesses should no longer haphazardly sign BAAs when they aren’t strictly necessary.

    If the business has determined that they are indeed an associate, what can be changed to eliminate that status? If there isn’t a dire business need for access to medical records, but they’re being collected incidentally, eliminate that dependency and escape the compliance game. Of course, most health care organizations don’t freely distribute health records, and most organizations don’t want them unless they need them.

    If the business is resigned to being an associate subject to HIPAA courtesy of HITECH, it’s time to get to work. Start at www.hipaasurvivalguide.com, an excellent resource for learning the regulation and applying its teachings.

    And never forget the old proverb (that I’m making up right now): more regulation always improves security. Emphasis added.

    [Slashdot] [Digg] [Reddit] [del.icio.us] [Technorati] [StumbleUpon]
    Tags: , , ,

  • New HIPAA modifications under the ARRA

    12Mar
    Author: ben Categories: IT Management, Security Comments: 0

    If you haven’t been paying attention, now is a good time to start. The recently passed American Recovery and Reinvestment Act of 2009 adds stunning, strict new provisions to the already-stringent federal health care legislation, HIPAA. In particular, the changes include:

    • Serious ramifications for business associates, or organizations that have signed agreements with health care organizations to handle patient data. Business Associates are now directly subject to the HIPAA Privacy and Security rule, and must implement all the safeguards employed by fully covered entities. The agreements themselves must be revised, a significant effort for most medium to large sized health care organizations.
    • New data breach notification requirements. Any protected health information (PHI) that has been compromised (accessed or disclosed, essentially) and is not encrypted must be disclosed to the affected individual and the Department of Health and Human Services. Breaches affecting 500 or more individuals must also be reported to the media.
    • Increased enforcement and auditing abilities. The DHHS will now be required to perform a formal investigation if a HIPAA complaint is received. Penalties for violations are also increased.
    • Accounting for treatment, payment, and health care operations for patients that request it. This might seem innocuous on the surface, but most large health care institutions face significant challenges with understanding full footprint of a patient’s health record. The change will create significant administrative burdens, new technical projects, and serious revisions to policies and procedures within and outside of IT.

    These changes seem to have taken the compliance industry by surprise. Few blogs, even those focused on HIPAA, have any analysis. At the time of this writing, Wikipedia neglects to mention the HITECH Act section of the stimulus package that includes the sweeping changes (only a vague $19 billion reference to “health information technology”). This article covers the changes in some detail. In depth analysis here.

    [Slashdot] [Digg] [Reddit] [del.icio.us] [Technorati] [StumbleUpon]
    Tags: ,

Subscribe:

Popular Posts