A new law was enacted on February 17th of this year that expands the HIPAA privacy rule to include “business associates” of health care providers. This law also sets a new requirement for notifying individuals in the event that their private health information (PHI) has been compromised and gives State Attorneys General new powers to prosecute persons or organizations that fail to comply with HIPAA privacy and security requirements. This law is called the Health Information Technology for Economic and Clinical Health Act (HITECH), and is a part of the new American Recovery and Reinvestment Act of 2009.
What this means is that a number of different organizations that process or use PHI on behalf of a HIPAA “covered entity” must now also comply with the HIPAA security rule just as the covered entity is required to. This includes the need to develop or alter policy and procedural documents, conduct risk assessments and gap analyses, apply appropriate encryption and secure transmission methods to PHI and more. And the security breach notification rule comes into effect just one month from today on August 16th!
Now, this gets a little complicated, so first let’s look at what “covered entity” and “business associate” mean in terms of HIPAA and HITECH. A “covered entity” is basically defined as:
- A health care provider that conducts certain transactions in electronic form
- A health care clearinghouse
- A health care plan
A “business associate” is basically defined as:
- A third party that performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable PHI, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, repricing and more
- A third party person or organization that provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services for a covered entity, or wherever the provision of services involves disclosure of individually identifiable PHI to a business associate
In other words, if you process or have access to PHI from a covered entity, then you can be pretty sure that this law applies to you! So what do you need to do if you find that this new law does indeed apply to you or your organization? Well, the best thing you can do is encrypt all of your PHI data for both transmission and storage. This has to be done according to Department of Health and Human Services requirements, which in turn means that it has to be done according to standards found in NIST 800-111 and FIPS 140-2 (also see 45 CFR Parts 160 & 164). If you do meet these standards, you have suitably rendered PHI “Unusable, Unreadable or Indecipherable to Unauthorized Individuals” and therefore do not need to develop the elaborate information security breach notification measures that are specified in the new law.
And having to deal with breach notification is something most people and organizations should definitely want to avoid! Not only does it make good sense to properly encrypt and protect private information from a best practices standpoint, a breach could do you or your organization real harm. For example, under the new law, if you have a security breach that reveals the PHI of 500 individuals or more, there is a MANDATORY requirement to notify the news media! What effect would THAT have on your reputation and bottom line!? And remember, even if you do suitably protect PHI in motion, at rest, while in use and when being disposed of, you still need to have a suitable written information security program in place that details the administrative, physical and technical security measures you will use to protect PHI. These measures must be strong enough to meet HIPAA Security Rule requirements. If your organization does not meet the specified data encryption standards, then you also need to develop written policies and procedures around the new Security Breach Notification Requirements found in HITECH.
In a nutshell, here are some of the steps you or your organization should be taking to ensure compliance with HITECH:
- Find out if you or your organization is a covered entity or business associate under the new law
- Perform risk assessments and/or gap analyses as needed to see if you meet HIPAA Security Rule and HITECH standards or not. (If not, you will need to develop a roadmap detailing what you will do to meet these standards in the future)
- Update or develop your information security, privacy and HIPAA policies and procedures as needed to meet the HIPAA Security Rule
- Update any relevant Notice of Privacy Practices documents you have in order to meet the new standards
- Develop or update your Breach Notification Policies and Procedures to comply with HITECH and any State counterpart law
- Update and/or expand your business associate agreements to include the new security and notification requirements
Remember, if your organization willfully, or through ignorance or inattention, does not meet these new requirements, the penalties you face have been strengthened. Civil monetary penalties have been increased and, for the first time, this law authorizes State Attorneys General to begin pursuing civil actions for HIPAA privacy and security violations that have threatened or adversely affected residents of their respective States. Also, starting early next year, entities using electronic health records will be required to track any disclosures of patients’ medical information, including disclosures made for treatment and payment.
So, don’t get caught short by HITECH! Consider implementing proper encryption and information protection measures now. Strengthen and update all of your information security policies and procedures. The need to do so will only increase in the future anyway. And if you need help developing policies and procedures or performing risk assessment and gap analyses, MicroSolved has the experience and expertise needed to get the job done. Give us a call!