HITECH Act Ramps up HIPAA Compliance Requirements
| 03 Apr, 2009
More Resources:
DOWNLOAD: HITECH Terminology Quick Reference
Make sense of the alphabet soup of acronyms
TIPS: Five Things You Need to Know About the HITECH Act
OPINION: HITECH Act: Business Associates Unprepared for the Longer Arm of the Law
Among tax cuts and credits, more bailout fund requirements, and restrictions on executive pay packages, the American Recovery and Reinvestment Act of 2009 (ARRA) also includes a section that expands the reach of the Health Insurance Portability and Accountability Act (HIPAA) and introduces the first federally mandated data breach notification requirement.
Title XIII of ARRA, also known as the Health Information Technology for Economic and Clinical Health Act (HITECH Act), reserves $22 billion to "advance the use of health information technology" -- in large part so the U.S. will be able to move to e-health records by President Obama's 2014 deadline.
It also expands the reach of HIPAA data privacy and security requirements to include the "business associates" of those entities (health care providers, pharmacies, and the like) that are subject to HIPAA. Business associates, according to Goodwin Procter attorney Jacqueline Klosek, are companies like accounting firms, billing agencies, law firms or others that provide services to the entities covered under HIPAA.
Under the HITECH Act, those companies are now directly subject to HIPAA security and privacy requirements, as well as to the same civil and criminal penalties that hospitals, pharmacies and other HIPAA-covered entities face for violations. Before HITECH came into force, Klosek explains, business associates that failed to properly protect patient information were liable to the covered entities via their service contracts, but they did not face governmental penalties.
Kelly Hagan, a shareholder in the law firm of Schwabe, Williamson and Wyatt, says the most significant (and least publicized, in his opinion) changes in the HITECH Act are those that strengthen HIPAA enforcement measures. In particular, Hagan points to subsection 13410(c), which requires civil penalties that are collected under the HITECH Act to be funneled back into the Department of Health and Human Services' Office of Civil Rights enforcement budget.
He says the situation now is reminiscent of the creation of the Fraud and Abuse Control Account: "It was remarkable when they put the Fraud and Abuse Control Account in place and started funneling the monetary penalties back into the enforcement agency's budget how quickly that became a priority. If history repeats itself, what that suggests is that the OCR's traditional approach to enforcement, which has been complaint-driven and compliance-oriented, is going to ... become more proactive, more punitive."
Moreover, monetary penalties are mandatory for violations involving "willful neglect" as of Feb. 17, 2011. At that point, "all of a sudden HIPAA compliance becomes a fact of life instead of a paper tiger," Hagan says.
If that's not enough, Proskauer Rose associate Sara Krauss observes yet another enhancement: The HITECH Act provides for the Department of Justice to pursue criminal penalties for a violation that rises to the level of criminal activity. However, in the event that DOJ declines to act on a violation, the HITECH Act allows OCR to pursue civil penalties for that same violation.
More from Our Network
Add Comment Leave a comment on this blog post
Crystal
says:
in response to mindy rodriguez
Mindy,
You have no idea what you are talking about. As a HIM professional this bill holds libility for indivuduals PHI in the hands of their health care providers. This bill is to protect you, not do anything else. Please study up before you make a comment that is so far off the mark. This bill stengthens HIPAA regulations to notify you if there has been a breach your medical records and other PHI.
Reply
Richard
says:
I had also wondered why the HITECH act was part of the stimulus package. After further reading, it appears to make sense that an Act that is providing $19.2 billion for EHR (Electronic Health Records), should also put some teeth into the provision of the money, making sure pateint protection is in place BEFORE everyone is out there spending it on various EHR projects.
I certainly don't understand our political system the way I need to, but I'm guessing that attaching additional HIPAA criteria to the bill was faster and more effective than trying to change or update the HIPAA laws already in place. I too view this Act and the provisions, as an increase in patient protection AND with power to enforce.
Reply
chance
says:
in response to Crystal
Well it sure make a lot of problems for everyone especially small business and is again one more way to insure we are becoming the HIPPA police as a healthcare provider.
If we ran our business like the government runs the VA Hospital system, its for sure, we would need this new broad reaching legislation.
Lets hope we never breach the personal medical records like banks breach personal banking information and never told their account holders
So why were banks never penalized after they breached personal financial information of ite depositors.??
quid pro quo boys!
Reply
Tami
says:
in response to Crystal
As a HIPAA Consultant, let me tell you your personal and medical information can be accessed very easily. Most medical places are NOT HIPAA Compliant, nor are they HITECH ACT Compliant. Oh, they are saying they are, are they really, NO. That makes me MAD as hell, I want to know who is looking at my information and why. I want to know I am protected. I took my grandmother to the doctors last month and when I was signing her in, I looked across the desk and saw a computer screen that had someones information on it, name address, soc. sec. and so on. I asked if they were HIPAA Compliant and of course they said Yes we are. I told them no you are not, you are beaching information and who knows where else they are beaching information and yes I turned them in. Nothing gets done if you don't speak up. Quit being lazy concerning your personal and health information, unless you don't care. If you don't care I don't want to hear when your information gets in the wrong hands.
Reply
sophmortimer
says:
Post a comment
Subscribe to our Newsletters
Resource centers
Business Intelligence
Business performance information for strategic and operational decision-making
SOA
SOA uses interoperable services grouped around business processes to ease data integration
Data Warehousing
Data warehousing helps companies make sense of their operational data
obama and his marxist followers are taking away every bit of freedom we have...why was this put in the stimulus bill when hitech act could have been included in the duty to die we hate seniors health (isn't that a joke) bills
Reply