I’m sure that I’m not the only one out there who’s at times overwhelmed by the amount of chatter and attention that the HITECH Act is getting, most of which is focused on the incentives and their related rules for participation. And, granted, these are very valid and important subjects to be discussing as their details evolve. However, that being said, there’s another lurking issue that this Act includes that seems to be quietly evading popular attention, and one that has the potential to impact healthcare providers in significant ways. Our old, and sometimes misunderstood friend, HIPAA, has been reintroduced with several new twists.
HIPAA privacy and security rules have been expanded under the HITECH Act
A few examples of the HITECH Act’s new HIPAA requirements are as follows …
- Data breach of protected health information must be reported, “… without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach.”
- If the breach is believed to concern more than 500 individuals, “… notice shall be provided to prominent media outlets serving a State or jurisdiction, following the discovery of a breach.”
- Business associates are subject to the administrative, physical, and technical safeguards required under HIPAA.
HIPAA violations under the HITECH Act have changed as well
A sampling of HIPAA violations and their related penalties under the HITECH Act …
- made without knowledge – penalties start at $100 per violation,
- based on reasonable cause – penalties start at $1,000 per violation,
- due to willful neglect – penalties start at $10,000 per violation, and
- due to willful neglect that are not corrected within 30 days – penalties start at $50,000 per violation.
These are just a few of the changes going into effect. Other areas affected include the sale of protected health information (PHI), marketing communications, and access to EHR, to name a few. Some of these efforts are new, and some are consolidations of previous efforts. But all represent increased exposure for healthcare providers to additional audits and claims by individuals and the government.
The HITECH Act has an impact on healthcare compliance programs
It’s more critical than ever that providers be proactive in establishing an up-to-date Compliance Program that, among other things, adequately addresses HIPAA and its further reaches and implications. Some considerations to be covered include …
- establishing the provider’s expectations of proper compliance in all of the provider’s healthcare activities,
- provision for conducting internal monitoring and auditing through the performance of periodic audits, and
- proper response to detected offenses through the investigation of allegations, the disclosure of incidents to appropriate entities, and the development of corrective actions.
So, not to take away from the significance of the thrust toward EHR systems and the provisions of the Act that directly pertain to the incentives, rules and penalties, but the HITECH Act has consequences that reach far beyond the more popular notion that it’s simply about pressuring a shift to an electronic health record.
Do yourself a favor and either assess your current state of HIPAA compliance, or find someone who can do it for you. HIPAA’s been with us for a dozen years now … but this old dog has finally got some bite.
I’d love to hear about your own HIPAA plans in light of the coming changes, or if you’ve got some stories to share that we may all benefit from. So please feel free to post your comments.