People have perhaps become used to disclosures by retailers like The TJX Cos. or financial services companies like Heartland Payment Systems Inc. that have had to notify the public of data breaches and the loss of credit card information. Add health care providers to that list.
Buried deep in President Barack Obama's American Recovery and Reinvestment Act of 2009 are new, expanded and tougher laws governing compliance with HIPAA regulations for both health care providers as well as their business associates.
Inside the Recovery Act is another act, the Health Information Technology for Economic and Clinical Health Act (HITECH), which outlines the creation of a new national health care policy coordinator, and a Health Information Technology (HIT) Policy and Standards Committee. Congress is allocating $2 billion toward HITECH, and another $1.5 billion to establish HIT, according to regulatory expert Paul Reymann, CEO of Reymann Group Inc. in Edgewater, Md.
Essentially, HITECH and HIT will put some teeth into the Health Insurance Portability and Accountability Act (HIPAA), such as increased fines for HIPAA violations, up to $1.5 million annually.
In addition, new laws will require health care organizations and their business associates to disclose the loss of "unsecured protected health information" to the affected individuals, as well as post details of the data breach on the Department of Health and Human Services public website.
There will be additional priority on doing what they are supposed to do. It creates better focus, and that will be a good thing.
Paul Reymann, CEO, Reymann Group Inc.
The law hits providers' business associates, such as an accreditation organization, or any third-party group with which the health care provider shares patient records, with disclosure responsibility. Previous HIPAA requirements only mandated that healthcare providers take reasonable measures to ensure data exchanged with associates was secured.
The law is vague on whether a business associate, if at fault, is required to make its own disclosure, or if the heath care provider would make a joint notification. "It's usually best for the entity with the closest relationship with the patient to make the disclosure," said Rebecca Herold of security and privacy consultancy Rebecca Herold & Associates LLC. "It comes down to a liability and customer retention issue, rather than the letter of the law."
Despite the tougher HIPAA regulations, Reymann said he does not foresee them as overtly onerous for health care administrators. "There will be additional priority on doing what they are supposed to do. It creates better focus, and that will be a good thing," he said. "HIPAA officers will have to make sure incident response plans are in place and contracts with business associates get amended."
Let us know what you think about the story; email: Scot Petersen, Executive Editor.