Recovery Act puts teeth in HIPAA regulations

By Scot Petersen, Executive Editor
16 Mar 2009 | SearchCompliance.com

People have perhaps become used to disclosures by retailers like The TJX Cos. or financial services companies like Heartland Payment Systems Inc. that have had to notify the public of data breaches and the loss of credit card information. Add health care providers to that list.

Buried deep in President Barack Obama's American Recovery and Reinvestment Act of 2009 are new, expanded and tougher laws governing compliance with HIPAA regulations for both health care providers and their business associates.

Inside the Recovery Act is another act, the Health Information Technology for Economic and Clinical Health Act (HITECH), which outlines the creation of a new national health care policy coordinator, and a Health Information Technology (HIT) Policy and Standards Committee. Congress is allocating $2 billion toward HITECH, and another $1.5 billion to establish HIT, according to regulatory expert Paul Reymann, CEO of Reymann Group Inc. in Edgewater, Md.

Essentially, HITECH and HIT will put some teeth into the Health Insurance Portability and Accountability Act (HIPAA), such as increased fines for HIPAA violations, up to $1.5 million annually.

In addition, new laws will require health care organizations and their business associates to disclose the loss of "unsecured protected health information" to the affected individuals, as well as post details of the data breach on the Department of Health and Human Services public website.

The law places disclosure responsibility on providers' business associates, such as an accreditation organization or any third-party group with which the health care provider shares patient records. Previous HIPAA requirements only mandated that health care providers take reasonable measures to ensure data exchanged with associates was secured.

The law is vague on whether a business associate, if at fault, is required to make its own disclosure, or if the health care provider would make a joint notification. "It's usually best for the entity with the closest relationship with the patient to make the disclosure," said Rebecca Herold of security and privacy consultancy Rebecca Herold & Associates LLC. "It comes down to a liability and customer retention issue, rather than the letter of the law."

Despite the tougher HIPAA regulations, Reymann said he does not foresee them as overly onerous for health care administrators. "There will be additional priority on doing what they are supposed to do. It creates better focus, and that will be a good thing," he said. "HIPAA officers will have to make sure incident response plans are in place and contracts with business associates get amended."
