If you work in the health industry then you might be really thankful for that $31.2 billion provided in President Obama’s Economic Stimulus Bill. The Health Information Technology for Economic and Clinical Health (HITECH) Act will provide the funds for the healthcare infrastructure to adopt electronic health records (EHR). But be warned, this isn’t a free lunch from the government. That HITECH money comes with a steep price tag.
HITECH expands the scope of HIPAA, adding some new privacy and security requirements. These include public notification of security breaches, complying with individual requests regarding PHI (Personal Health Information) disclosure, and giving electronic PHI to those individuals who request it. But one requirement that is sure to be among the more annoying is accounting for PHI disclosures: every time a patient’s PHI is disclosed for treatment, payment, or other health care operations, a record of that disclosure must be kept.
Also, business associates of healthcare providers will now fall under the growing canopy of HIPAA. Any business that contracts with a HIPAA covered entity and routinely accesses PHI must now also be HIPAA compliant. This will include Health Information Exchange Organizations, Regional Health Information Organizations, or any other vendor that contracts with a covered entity to allow that covered entity to offer a personal health record to patients as part of its electronic health record.
But these changes are not what worry me. What worries me is the shift from the Office for Civil Rights’ complaint-driven approach to enforcing HIPAA to the new OCR-funded approach. Effective immediately, civil money penalties collected from HIPAA neglectors go directly to the OCR. That’s right; the OCR now has a cash incentive to find HIPAA violators, as opposed to just waiting until someone complains about it.
While HIPAA has mostly been a toothless tiger up to this point, we can expect the OCR to act much more aggressively and prosecute violators further now that they get to keep whatever they can collect.
The cash penalties are steeper now with HITECH. “Did not know” or “reasonable cause” violations will be fined $100 to $50,000 for each incident. Entities that show “willful neglect” will be given a minimum fine of $10,000.
Because of HITECH, ignoring HIPAA compliance just became a bigger gamble than ever.