HIPAA-covered entities, business associates confront HITECH rules

Are you a HIPAA covered entity or one of the hundreds of thousands of HIPAA business associates? Either way, now's the time to start re-evaluating HIPAA, that old federal regulation affecting the

    Requires Free Membership to View

 healthcare industry that helped put compliance on the map back in 2003—the regulation that seemingly everyone has ignored.HIPAA-covered entities, business associates confront HITECH rules HIPAA-covered entities, business associates confront HITECH rules.

With the recent HITECH Act (Health Information Technology for Economic and Clinical Health Act), HIPAA finally has some teeth. The HITECH Act was part of President Obama’s 2009 government expansion bill. It contains provisions to extend HIPAA security and privacy compliance to business associates, adds breach notification requirements, new rules for using encryption for protecting health information and periodic audits of covered entities and business associates to ensure compliance.

Security compliance “reviews” are already being performed on HIPAA covered entities. And these aren’t the typical reviews that have been performed in the past. The federal government is actually seeking out healthcare providers and plans in order to spot check their compliance status. The CMS Office of E-Health Standards and Services has revealed HIPAA compliance gaps that many businesses thought they had under control, or were immune to.

The report found everything, from covered entities not performing risk assessments, to poor processes around security documentation, to lack of workstation security assessments. This is contrary to the practices of some covered entities that having a notice of privacy practices and a firewall are all that's needed for HIPAA compliance.

In addition to these reviews, actual enforcement is stepping up as well. It was recently announced that the division of the U.S. Department of Health and Human Services responsible for HIPAA Privacy Rule enforcement—the Office for Civil Rights (OCR)—is now responsible for HIPAA Security Rule enforcement as well. Formerly the Centers for Medicare and Medicaid Services (CMS) was responsible for the Security Rule. And as we saw, very little was done to monitor or enforce this component of HIPAA. Now that enforcement of both rules is under one umbrella, it appears the government is finally taking their own laws seriously.

If you're a HIPAA covered entity or business associate, you've got some work ahead of you:

  • Review the HITECH Act and the HIPAA Security Rule to (re)familiarize yourself with what's expected.
  • Meet with your legal counsel and security committee to ensure everyone is on the same page regarding what needs to be done.
  • Review your business associate contracts to ensure they're in line with the requirements.
  • Perform that in-depth risk analysis that the HIPAA Security Rule mandates and find out where your business is weak.
  • If you performed an in-depth analysis a while back, it's probably a good time to look at things again since so many things undoubtedly change in your information systems from year to year.

The bottom line is to know what you're up against so you can cover the essentials and minimize your business risks. I usually say the more things change with security the more they stay the same, but when it comes to HIPAA compliance—times, they are a changin' indeed. And I don't expect that they'll ever be the same again.

Kevin Beaver is an  information security consultant, expert witness, as well as a seminar leader and keynote speaker with Atlanta-based Principle Logic LLC. He has authored/co-authored seven books on information security including  The Practical Guide to HIPAA Privacy and Security Compliance and  Hacking For Dummies . In addition, he’s the creator of the Security On Wheels information security audio books and  blog providing security learning for IT professionals on the go. Kevin can be reached at  www.principlelogic.com.

This was first published in August 2009

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.