The following is a guest post by Bindu Sundaresan, a consulting manager in our Risk & Compliance consulting practice.
With the current “non-stimulating” economy, there is a lot of talk about the “stimulus” bill which is impacting all areas of the US economy. One such impact is the reason for today’s blog post.
A portion of the new economic stimulus bill, called the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), will have a significant impact on the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This new law revives HIPAA, which has been around for over a decade but has often gone unnoticed and weakly enforced, with little incentive to comply amid the other regulatory demands.
Changes to HIPAA become effective one year after the enactment of the HITECH Act (February 17, 2010), but healthcare providers and their partners have to take proactive action now in order to comply with the new law.
There is a need for some reworking and rethinking by “covered entities” and “business associates”, the terms that HIPAA created for the parties dealing with health information.
“Covered entities” include physicians, hospitals, health plans and health care clearinghouses that store, process, or transmit health information.
“Business associates” are those who use health information to perform services on behalf of a covered entity, such as legal, accounting, consulting or administrative work.
Highlights from the HITECH’s impact on HIPAA:
- Expanded obligation and direct regulation of business associates
- New restrictions on use and disclosure of Protected Health Information (PHI), including sale and marketing
- Affirmative Notification of Breach Requirements
- Increased Enforcement and Penalties, including applicability to Business Associates
- Federal security breach notification requirement
Useful Tips to get the ball rolling:
- Develop an inventory of your current Business Associates and third party vendors.
- Develop a PHI data flow map that maps PHI data to critical systems and assess whether the systems can meet the new standards
- Identify entities with which you share PHI that may be subject to the same privacy and security rules as covered entities and carefully manage data exchanges with them
- Get your Legal department involved now and draft new legal agreements for business associates that comply with the Act
- Update your HIPAA privacy and security policies and procedures
- Develop or modify your existing Breach Notification Policy to comply with state and federal breach notification provisions.
- Develop a comprehensive Incident Management policies and procedures framework that helps achieve compliance not only with HIPAA but also with other applicable regulatory requirements, industry standards, and internal requirements
Are you ready to play ball or are you going to pay the price of non-compliance? Are you going to be part of the next wave in Secure Healthcare Infrastructure or will your information be a washout? The new rules are here to stay, so get onboard with a plan and jumpstart your compliance initiatives. And don’t forget to seek advice from your friendly security consultant!