[ Wednesday, February 17, 2010 ]


Today is the Day.

One year ago, February 17, 2009, the President signed the American Recovery and Reinvestment Act of 2009 ("ARRA"), sometimes called the Stimulus Bill. Within ARRA was an act with the clever acronymic name of the Health Information Technology for Economic and Clinical Health Act (or "HITECH"), which contained a number of health-technology-wish-list items like financial incentives for the adoption of electronic health records, health technology infrastructure grants, and a dramatic expansion of HIPAA. Much of the HIPAA expansion becomes effective TODAY.

If you are a covered entity, you must (i) make sure your Business Associate Agreements are in line with the HITECH requirements, (ii) make sure you are prepared to investigate and report any data breaches, and (iii) make sure your policies and procedures are sufficient.

If you are a business associate, HIPAA now applies directly to you. You must abide by the restrictions that are required to be in business associate agreements, even if you haven't actually entered into those agreements (which probably means that you are just as liable as the covered entity for the failure to enter into a business associate agreement). You are now required to comply with the HIPAA Security Rule, which means you must run a risk analysis and adopt policies and procedures to institutionalize the administrative, technical and physical safeguards necessary to protect the confidentiality, integrity, and availability of the information.

Failure to do so means you are in violation of HIPAA. There hasn't been much enforcement of HIPAA in the past, except where extreme violations or other obvious crimes have been committed. However, HITECH also (i) increased the potential fines for HIPAA violations, (ii) allows your state Attorney General to enforce HIPAA against you, and (iii) allows the injured individual to get a piece of the pie if there's a financial recovery. Because of this, you can bet there will be more HIPAA enforcement, and particularly more penalties.

  1. Fix your Business Associate Agreements
  2. Set up data breach notification investigation/action plans
  3. Fix/adopt policies and procedures.

The costs for failing to do so will be much higher than they were in the past.

Jeff [11:08 AM]
