To Do List: #1 - Align Your Business with HIPAA/HITECH

By Evan Tegethoff ·

In February 2009, President Obama signed into law the American Recovery Reinvestment Act (ARRA), an economic stimulus package that included new Health Information Technology for Economic and Clinical Health (HITECH) provisions. These provisions strengthened requirements for protecting patient information, extended the reach of HIPAA requirements to business associates of covered entities, subjecting them to the same civil and criminal penalties, and increased fines for non-compliance and new breach notification protocols. The federal government even earmarked $20 billion in ARRA stimulus funds for healthcare providers and business associates that could demonstrate meaningful use for these incentives.

But, here we are, nearly a year and a half later, and a recent healthcare survey conducted by the Healthcare Information and Management Systems Society (HIMSS) found that many hospitals, behavioral health sciences organizations and doctors offices, and their business associates are still unprepared to meet the new HITECH provisions. Why? Because the impact of HIPAA HITECH is far reaching, and can be overwhelming to businesses that fall within its scope.

Understanding the provisions and implications is the first step in achieving compliance. It is also a necessity if you’re going to build policies and practices that adhere to HIPAA/HITECH, and potentially secure some of those stimulus incentives. Here are what I deem to be some of the most important requirements:

  • All of the elements of the HIPAA Security Rule. While the Final Rule has been in place since 2003, many organizations took a “wait and see” approach to fully implementing these standards for protecting electronic protected health information (e-PHI). HITECH should be seen as an opportunity to revisit the overall alignment with HIPAA security and improve current security practices.
  • Under HIPAA/HITECH, business associates of covered entities such as health plans and providers are subject to HIPAA privacy and security rules. As a result, those associates are now required to implement appropriate safeguards. In addition, covered entities must now re-evaluate the way they manage contractual relationships with these entities to make sure that all patients are protected.
  • The ARRA requires the U.S Department of Health and Human Services (HHS) to audit covered entities and their business associates regarding HIPAA privacy and security compliance, and to formally investigate a covered entity or a business associate upon receipt of a complaint. Under the ARRA, penalties can range, depending on type of violation, from $100 to $50,000 per violation, with a cap of $25,000 to $1.5 million per year for violations of an identical requirement during the same calendar year.
  • The HIPAA security standard did not previously include explicit breach notification requirements. Now, individuals affected by a breach of the privacy and security of their e-PHI must be notified within 30 days after HHS issues guidance. Breach notification applies to covered entities, but also extends to their business associates.
The bottom line is that regulation complexity continues to increase, combined with stiffer penalties and disclosure requirements for breaches. It is imperative that healthcare participants understand the implications for their organizations and respond appropriately.