
Recovery Act Extends HIPAA Reach, Adds Data Breach Notification Rules

Posted by Lora Bentley Mar 18, 2009 5:30:39 PM

Tuesday, Compliance Week published a story highlighting several of the compliance changes that are coming -- or have already arrived -- as a result of the American Recovery and Reinvestment Act of 2009. In addition to the restrictions placed on companies receiving bailout money, some of the most significant changes concern compliance with the Health Insurance Portability and Accountability Act (HIPAA).


According to Mondaq, Title XIII of the Recovery Act, known as the Health Information Technology for Economic and Clinical Health (HITECH) Act, commits $22 billion to "advance the use of health information technology" and broadens HIPAA privacy and security requirements. As writers Deborah S. Birnbach, Louise N. Howe and Jacqueline Klosek, from the law firm of Goodwin Procter, point out, the biggest change concerns those businesses that provide support and services to HIPAA covered entities:

Most notably, the legislation makes business associates, and not just the covered entities to which they provide services, directly subject to HIPAA's privacy and security requirements as well as the penalties for violating those requirements...Under the changes ushered in by the HITECH Act, business associates will now be subject to the same government civil and criminal penalties as covered entities....Business associates must also now comply with the HIPAA regulation requiring the implementation of formal policies and procedures as well as documentation requirements.

Prior to the new legislation, "business associates" that failed to properly protect the patient information at issue were liable to the covered entities via their service contracts, but they did not face governmental penalties.


The HITECH Act also adds data breach notification requirements. Though several states have such requirements, few have applied them to health information so far, and this is the first data breach notification requirement to come from the federal government, the writers say. HIPAA covered entities will have to notify patients and/or customers when their protected health information has been compromised. Business associates that experience breaches will have to notify the covered entities with which they have contracts.


Jeffrey D. Neuburger and Sara Krauss explain the requirements in the Privacy Law Blog, which is maintained by their law firm, Proskauer Rose. Beginning no later than Sept. 16, 2009, they say, HIPAA-covered entities will be required to notify individuals when protected health information that is "unsecured" has been compromised. Notice must be given to the individuals whose data is affected "without unreasonable delay," and no later than 60 days after the breach. If the breach involves 500 people or more, the covered entity will be required to notify the U.S. Department of Health and Human Services and major media outlets.
