HITECH | reforming HIPAA compliance (Part I)
By Ben Osbrach, National Risk Advisory Leader
With the passage of the American Recovery and Reinvestment Act (ARRA) of 2009, new HIPAA provisions were created, which resulted in the HITECH Act. So what is all the noise about HITECH affecting service organizations? Since this new provision became effective, service organizations, or as the HITECH Act calls them, “Business Associates,” are now responsible for their own compliance with HIPAA, which is enforceable by law with financial penalties for noncompliance. Previously, HIPAA was only enforced at the Covered Entity (e.g. hospitals, insurance companies, healthcare providers, etc.), and the covered entity may have had contractual obligations with its third-party providers. Business Associates are considered to be any organization that is responsible for storing, accessing, or processing Protected Health Information (PHI), and they normally include organizations such as third-party data centers, third-party administrators (TPAs), vendors used to process health data, courier services, and many more.
What is required of Business Associates?
Compliance with HITECH, which includes the HIPAA Security Rule and the breach notification requirements. This can be a daunting task for some service organizations, as the HIPAA Security Rule is organized into three categories (1. Administrative Safeguards; 2. Physical Safeguards; 3. Technical Safeguards), and within these three categories there are 18 standards and 36 implementation specifications (implementation specifications are similar to controls or safeguards). The HITECH Act imposes penalties for noncompliance due to willful neglect and authorizes Health and Human Services (HHS) to investigate any complaint of suspected noncompliance. In the event of noncompliance, the violating party may be subject to civil monetary penalties that can range from $100 to $1,500,000 per violation. HITECH also requires HHS to perform random audits to ensure that covered entities and business associates are in compliance.
What can you do? Perform a risk assessment and compare your internal controls and procedures against the HIPAA Security Rule and the breach notification requirements. Identify noncompliance issues and implement a plan to bring your organization into conformance with HITECH.