Getting Hip to HIPAA and HITECH
As an experienced IT consultant, Network Depot advises its healthcare clients and their business associates on how to remain HIPAA-compliant. In this blog post, we summarize the important aspects of HIPAA and HITECH for your company. If your company is involved in any way with the use or management of protected health information (PHI) of individuals, you are required to follow stringent security requirements to protect this sensitive information. Importantly, this requirement applies not only to health care providers and plans such as physician offices, but to any business associates who handle this private information on their behalf, such as IT companies, billing services, attorneys, and accounting firms.
Background of HIPAA and HITECH
HIPAA (the Health Insurance Portability and Accountability Act) was passed in 1996. Beyond insurance portability, its Administrative Simplification provisions directed the Department of Health and Human Services (HHS) to issue national standards for protecting health information, which became the Privacy Rule (compliance required from 2003) and the Security Rule (compliance required from 2005). These rules apply to covered entities: health plans, health care clearinghouses, and providers that create, store, or transmit health information electronically.
HITECH (the Health Information Technology for Economic and Clinical Health Act) was part of the American Recovery and Reinvestment Act of 2009. Its "meaningful use" program paid Medicare and Medicaid incentives to providers adopting certified electronic health record (EHR) technology, and it built on HIPAA in several ways that matter for security: it made business associates directly subject to the Security Rule and to parts of the Privacy Rule, added the Breach Notification Rule, raised the civil penalty tiers, and directed HHS to conduct periodic compliance audits.
The detailed requirements of HIPAA and HITECH are administered by HHS and enforced through its Office for Civil Rights (OCR) via complaint investigations and audits. Civil penalties are tiered by level of culpability, reaching up to $50,000 per violation with an annual cap of $1.5 million for violations of the same provision (the amounts are adjusted for inflation), and knowing misuse of PHI can be prosecuted criminally by the Department of Justice. Notably, the lowest penalty tier applies even when the organization did not know of the violation, so ignorance of the law is not a valid defense.
Cost of Non-Compliance
Non-compliance with HIPAA/HITECH can result in costly fines and, in some cases, imprisonment. In addition, companies suffer damage to their brand and reputation, which is likely to affect future sales and revenue, as well as the cost of legal fees and any remediation expenses.
It is also important to note that health care companies are not alone in facing the penalties of non-compliance. Since HITECH, business associates such as your IT partner are directly liable for their own compliance and can be investigated and penalized alongside the covered entity if an audit reveals non-compliance. This exposure gives IT partners such as Network Depot an added incentive to ensure that their clients are HIPAA/HITECH-compliant.
Key Requirements under HIPAA and HITECH
The Privacy Rule
The Privacy Rule restricts the use and disclosure of an individual's PHI. PHI can be electronic (ePHI), paper, or oral and relates to the past, present, or future physical or mental health of an individual, the health care services provided to an individual, or the payment for any health care services. Both the physician's office and its business associates must apply the "minimum necessary" standard: access to and disclosure of PHI is limited to the smallest amount, and the fewest people, needed to do the job. Patients have the right to access and obtain copies of their PHI (including electronic copies under HITECH), to request restrictions on disclosures, and to file complaints without fear of retaliation.
The Security Rule
This rule specifically requires health care organizations and their business associates to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI. The technical safeguards cover access control (unique user IDs, emergency access, automatic logoff, encryption), audit controls, integrity controls, person or entity authentication, and transmission security; the administrative safeguards include a risk analysis, workforce security with access termination procedures, and a contingency plan with data backup and disaster recovery so that ePHI can be restored after an incident. In practice this means firewalls, encryption of data at rest and in transit, user provisioning and termination policies, and tested backups. Some specifications, such as encryption, are "addressable" rather than required, but an organization that does not implement one must document why and what equivalent measure it uses instead. Health care companies cannot afford downtime when medical information affects a person's well-being.
Breach Notification Rule
If unsecured PHI is breached, the covered entity must notify each affected individual without unreasonable delay and no later than 60 days after discovering the breach. If a breach affects 500 or more individuals, the organization must also notify HHS within the same 60-day window and notify prominent media outlets serving the affected state or jurisdiction; breaches affecting fewer than 500 individuals are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered. A business associate that discovers a breach must notify the covered entity, which then handles the individual notifications. PHI is considered "unsecured" unless it is rendered unusable to unauthorized persons by a method HHS specifies, such as encryption; a lost laptop whose disk is properly encrypted is therefore generally not a reportable breach, which is one of the strongest practical arguments for encrypting ePHI everywhere it is stored. Some states have more stringent notification requirements.
Actions any HIPAA-Compliant Company Should Take
- Assign an internal HIPAA compliance officer at your company (or use an external expert such as Network Depot) responsible for understanding all aspects of HIPAA/HITECH. Under their guidance, perform the required risk analysis and a self-assessment to confirm your company is meeting all requirements, and create and follow a documented risk management plan to mitigate the security and privacy risks you identify.
- Identify all business associates who have access to ePHI, confirm they are HIPAA-compliant, and have a signed Business Associate Agreement with each. If one cannot meet these requirements, replace it with a HIPAA-compliant provider.
- Identify any state-mandated requirements that may be more stringent than the federal requirements.
- Provide training along with written, documented policies and procedures for all workers to follow when handling sensitive ePHI, and keep records of that training. A reliable IT partner, such as Network Depot, can help you formulate these important policies and procedures.
- Health care companies must have a comprehensive Business Associate Agreement with each business associate, with documented policies that specify how the associate safeguards, uses, reports breaches of, and ultimately returns or destroys PHI during and after the business relationship.
Network Depot Can Help
Network Depot can assist your company in making sure you are HIPAA/HITECH-compliant. For health care companies, we can implement, install, and support your Electronic Medical Records (EMR) system and make sure your company is HIPAA/HITECH-compliant, with all private patient information stored securely. For business associates of health care companies, we can assist you in performing a company assessment and advise on and implement any necessary changes to ensure you are HIPAA/HITECH-compliant.
For assistance with HIPAA/HITECH and any other IT-related requirements, please contact us here at Network Depot.