UBP blog

11/30/2009

4 major HITECH Act changes to HIPAA and 4 steps you’ll need to take to comply with them

Filed under: HR compliance — ubpblogger @ 4:12 pm

As part of the ARRA Act passed earlier this year, several legislative changes were made to HIPAA. These changes were documented in the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Among other things, the HITECH Act:

  • Added breach notification rules to HIPAA
  • Extended the privacy responsibilities of covered entities to their business associates—This means that business associates of HIPAA covered entities are not only governed by the contracts that they have with covered entities, they are also now subject to the same civil and criminal penalties for HIPAA violations. In addition, they will now have to answer directly to the HHS on all HIPAA matters.
  • Increased the monetary penalties for noncompliance—Under the HITECH Act, civil penalties can go as steep as $1.5 million for all identical violations that occur in a given calendar year.
  • Enhanced enforcement capabilities (at both the state and federal level)—The HITECH Act requires formal investigations of potential breaches by the secretary of HHS in certain cases. Also, if a State Attorney General feels that the interests of the state’s residents have been threatened or affected by a HIPAA violation, he or she can bring a civil action in federal court.

As you can see, HIPAA regulations now pack more of a punch than they did before the HITECH Act. Effective February 22, 2010, when the government begins to enforce the HITECH Act, more people will be affected by its requirements and will have a lot more to lose if they are noncompliant.

Here are 4 steps you should take to comply with these much tougher HIPAA regulations:

  1. Conduct a complete risk assessment—Your assessment should first and foremost identify all personal health information (PHI) records (both manual and electronic) that you work with in your company. It should also help you determine the risks to PHI security that exist in your company and spell out all the controls you have in place for safeguarding PHI.
  2. Create a plan to mitigate your major risks—Once you’ve done your risk assessment and identified your top risks, you’ll need to then create a written plan with the appropriate controls to address these risks. You’ll also need to implement the controls from your plan into your organization’s business practices.
  3. Make sure all business associate contracts are modified by February 17, 2010—All of the added HIPAA privacy requirements applicable to covered entities will also be applicable to business associates. As a result, all covered entities must incorporate these new requirements into their contracts with business associates by February 17, 2010 at the latest.
  4. Update policies and procedures—Take a good look at your policies and procedures and determine what needs to be updated or enhanced for compliance with HITECH. Also, business associates of HIPAA covered-entities will now be subject to HHS audits and will need to be able to produce documentation (such as policies and procedures) proving that they have formal steps in place to safeguard PHI.