HIPAA-covered entities, business associates confront HITECH rules

With the recent Health Information Technology for Economic and Clinical Health Act (HITECH Act), HIPAA finally has some teeth. The HITECH Act was part of President Barack Obama's 2009 government expansion bill. It contains provisions to extend HIPAA security and privacy compliance to business associates, and it adds data breach notification requirements, new rules for using encryption for protecting health information and a requirement for periodic audits of covered entities and business associates to ensure compliance.

Security compliance reviews are already being performed on HIPAA-covered entities. These aren't the typical reviews that have been performed in the past. The federal government is actually seeking out healthcare providers and plans in order to spot-check their compliance status. The Center for Medicare & Medicaid Services' (CMS) Office of E-Health Standards and Services has revealed HIPAA compliance gaps that many businesses thought they had under control, or were immune to.

The report found everything, from covered entities not performing risk assessments, to poor processes around security documentation and a lack of workstation security assessments. This is contrary to the practices of some covered entities, which believe that just a notice of privacy practices and a firewall are all that's needed for HIPAA compliance.

I...

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT HIPAA and other healthcare compliance requirements Enterprise document management FAQ: IT operations and compliance Google adds Dashboard: Does transparency mean more online privacy? Compliance news quiz: Test your knowledge of FTC, SB 20, PCI and more HIPAA-covered entities' first step should be a quality assurance plan HITECH moves electronic health records forward; standards to come HITECH FAQ: What is the impact of the HITECH Act on IT operations? Discovery of data breach under HITECH raises big compliance questions Healthcare, cybersecurity policy and privacy on legislative agenda Record locator service a step to health information exchange FTC pursuing HIPAA violations as a matter of consumer protection Regulatory compliance audits Facing uncertainty, IT turns to governance, risk and compliance, ERM Effective compliance document management in five days FAQ: What is the impact of a compliance audit on IT operations? ISO 27001 certification not enough for verifying SaaS, cloud security HIPAA-covered entities' first step should be a quality assurance plan Healthcare, cybersecurity policy and privacy on legislative agenda FTC pursuing HIPAA violations as a matter of consumer protection New HIPAA data breach notification rules put health industry on notice PCI DSS compliance fails to raise the bar on financial fraud PCI DSS FAQ: The Payment Card Industry Data Security Standard and IT Managing compliance teams Priorities for your sound regulatory compliance management policy HIPAA-covered entities' first step should be a quality assurance plan Survey shows privacy policy success lies in collaboration with IT Steps toward making information security as important as data security FAQ: What is the impact of e-discovery law on IT operations? A compliance officer, secure network aren't enough for real compliance Chapter excerpt: Decision-making processes and IT governance Is all the PCI DSS compliance whining and complaining justified? Anatomy of a hyperproductive compliance management team Chapter excerpt: The Three Core Disciplines of IT Risk Management

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Dossia  (SearchCompliance.com) personal health record (PHR)  (SearchCompliance.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

n addition to these reviews, actual enforcement is stepping up as well. It was recently announced that the division of the U.S. Department of Health and Human Services responsible for HIPAA Privacy Rule enforcement -- the Office for Civil Rights -- is now responsible for HIPAA Security Rule enforcement as well, a responsibility previously held by the CMS. And as we saw, very little was done to monitor or enforce this component of HIPAA. Now that enforcement of both rules is under one umbrella, it appears the government is finally taking its own laws seriously.

If you're a HIPAA-covered entity or business associate, you have some work ahead of you:

• Review the HITECH Act and the HIPAA Security Rule to (re)familiarize yourself with what's expected.
• Meet with your legal counsel and security committee to ensure everyone is on the same page regarding what needs to be done.
• Review your business associate contracts to ensure they're in line with the requirements.
• Perform that in-depth risk analysis that the HIPAA Security Rule mandates and find out where your business is weak.
• If you performed an in-depth analysis a while back, it's probably a good time to look at things again, since so many things undoubtedly change in your information systems from year to year.

The bottom line is to know what you're up against so you can cover the essentials and minimize your business risks. I usually say the more things change with security the more they stay the same, but when it comes to HIPAA compliance, times, they are a-changin' indeed. And I don't expect that they'll ever be the same again.

Kevin Beaver is an information security consultant and expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. He has authored/co-authored seven books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and Hacking For Dummies. In addition, he's the creator of the Security On Wheels information security audio books and blog, providing security learning for IT professionals on the go.