The HITECH Act’s Other Problem – HIPAA Compliance

HITECH Act and HIPAA Compliance

I’m sure that I’m not the only one out there who’s at times overwhelmed by the amount of chatter and attention that the HITECH Act is getting, most of which is focused on the incentives and their related rules for participation.  And, granted, these are very valid and important subjects to be discussing as their details evolve.  However, that being said, there’s another lurking issue that this Act includes that seems to be quietly evading popular attention, and one that has the potential to impact healthcare providers in significant ways.  Our old, and sometimes misunderstood friend, HIPAA, has been reintroduced with several new twists.

HIPAA privacy and security rules have been expanded under the HITECH Act

A few examples of the HITECH Act’s new HIPAA requirements are as follows …

  • Data breach of protected health information must be reported, “… without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach.”
  • If the breach is believed to concern more than 500 individuals, “… notice shall be provided to prominent media outlets serving a State or jurisdiction, following the discovery of a breach.”
  • Business associates are subject to the administrative, physical, and technical safeguards required under HIPAA.

HIPAA violations under the HITECH Act have changed as well

A sampling of HIPAA violations and their related penalties under the HITECH Act …

  • made without knowledge  –  penalties start at $100 per violation,
  • based on reasonable cause  –  penalties start at $1,000 per violation,
  • due to willful neglect  –  penalties start at $10,000 per violation, and
  • due to willful neglect that are not corrected within 30 days  –  penalties start at $50,000 per violation.

These are just a few of the changes going into effect.  Other areas affected include the sale of personal health information (PHI), marketing communications, and access to EHR, to name a few.  Some of these efforts are new, and some are consolidations of previous efforts.  But all represent increased exposure for healthcare providers to additional audits and claims by individuals and the government.

The HITECH Act has an impact on healthcare compliance programs

It’s more critical than ever that providers be proactive in establishing an up-to-date Compliance Program that, among other things, adequately addresses HIPAA and its further reaches and implications.  Some considerations to be covered include …

  • establishing the provider’s expectations of proper compliance in all of the provider’s healthcare activities,
  • provision for conducting internal monitoring and auditing through the performance of periodic audit, and
  • proper response to detected offenses through the investigation of allegations, the disclosure of incidents to appropriate entities, and the development of corrective actions.

So, not to take away from the significance of the thrust toward EHR systems and the provisions of the Act that directly pertain to the incentives, rules, and penalties, but the HITECH Act has consequences that reach far beyond the more popular notion that it’s simply about pressuring a shift to an electronic health record.

Do yourself a favor and either assess your current state of HIPAA compliance, or find someone who can do it for you.  HIPAA’s been with us for a dozen years now … but this old dog has finally got some bite.

I’d love to hear about your own HIPAA plans in light of the coming changes, or if you’ve got some stories to share that we may all benefit from.  So please feel free to post your comments.

Thomas M. Lee, Partner

Mr. Thomas M. Lee has over 35 years of experience in the business of healthcare with special emphasis in operations management, financial analysis, financial forecasting, construction projects, and new program development.

One thought on “The HITECH Act’s Other Problem – HIPAA Compliance”

  1. XLEMR does offer a software solution that is a risk assessment solution that fulfills the meaningful use requirement #25 under stage one, and also fulfills the HIPAA security rule section 1.1 requirement for a risk assessment.

    As you know, the HITECH Act will reimburse eligible professionals for purchasing and implementing a qualified EHR system. However, many providers are unaware that the HITECH Act also expands the scope of HIPAA in terms of penalties, compliance, and enforcement. Until recently, HIPAA has been laxly enforced. The HITECH Act significantly increases the risk exposure of non-compliance. If you are unfamiliar with the changes to HIPAA law, please let us know.

    As consultants, it is our job to advise clients on how best to allocate their resources. We believe now is the time for practices to begin moving towards full security rule compliance. We would like to discuss some strategies and solutions that will move small practices / large practices and hospitals towards compliance in an affordable manner.

    I have included a list of the key issues for security rule compliance. As you know, the bulk of security rule compliance revolves around documentation and policies. These requirements are often daunting and prohibitively expensive for small practices. We must work together to establish ways for clients to achieve compliance using methods and resources appropriate to their organization.

    Risk Analysis – Security rule section 1.1 calls for a risk analysis. This is also required as item #25 in the list of HITECH meaningful use requirements. A risk analysis should be the starting point for any security implementation process. We have a software solution that will allow you to conduct a standards-based risk analysis quickly and efficiently.

    Risk Management – Security rule section 1.1 also mandates a risk management program. We need to help our clients come up with a risk management program based on the results of the risk analysis and their available resources. The plan should address the most critical risks first, and then deal with other items as resources allow.

    Education and Training Programs – Security rule section 1.5 requires formal education and training programs for staff members. We need to help our clients develop a program that is appropriate to their organization, level of complexity, and resources. The best technological controls will be useless if the staff is ignorant of security issues and responsibilities.

    Contingency Plan – Security rule section 1.7 states that practices need to have a contingency plan that includes data backups, disaster recovery, emergency mode procedures, etc. It is important for practices, or any business, to have robust plans and procedures to deal with emergencies such as data loss, equipment theft, and other important issues.

    Technical Safeguards – Security rule section 3 outlines the necessary technical security controls. We need to work with practices to meet the minimum necessary technical controls that are appropriate for their organization. As you know, technical safeguards are where the rubber meets the road. We need to advise our clients on what technologies are appropriate for their organization and how they should be implemented in a timely, cost-effective manner.

    I am committed to helping our clients and the Medical Market work towards HIPAA compliance in an efficient, timely, and affordable way. I would also like to help you foster the growth of your businesses and the sharing of expertise. Please let me know when you would like to review the software.