What You Need to Know About the HIPAA Omnibus Rule/HITECH Act
If you caught my first post, “HIPAA: How We Got to Where we are Today (In Five Minutes)”, then you have a fairly good idea of all of the new rules and regs that are out there. So, what do they mean for you? These new rules and regulations mean that you absolutely must be sure that your organization is HIPAA compliant, period. The HITECH Act addresses five main areas of the HIPAA regulation with core changes to HIPAA, focusing on required disclosure to patients and breach of patient’s information to unauthorized persons. While all elements of this act are important, here are the top four to be aware of:
- Business Associates as well as subcontractors of business associates of covered entities are directly liable for compliance. This means virtually all businesses that you work with must be HIPAA compliant. IT services vendors, accountants, consultants –anyone who has to have access to your patients’ EPHI or has a role in supporting you—must be HIPAA compliant.
- New privacy requirements now exist for HIPAA covered entities and business associates, including new accounting disclosure requirements and restrictions on sales and marketing. These changes need to be reflected in all Patient Privacy Notices (PPN). HHS has a clear example of what they need to say on their website.
- There are new criminal and civil penalties for HIPAA non-compliance. Time to put those plans for compliance into action! Simply having a "plan" for compliance (and not acting on it) is no longer good enough. There are numerous examples of organizations being fined not because of a breach, but because they were not compliant.
- There is now mandatory federal privacy and security breach reporting requirements for HIPAA covered entities and business associates. This now mandates written notification to HHS and affected individuals within a 60-days of the breach. Also, media notification is mandatory if a breach involves 500 or more people. Breaches affecting less than 500 people are required to keep an annual log of any breaches and provide that log to HHS within 60 days of the start of the next calendar year.
The implications of ‘The Final Rule’ and The HITECH Act are serious and complex. If you do not feel that your current IT partner has the ability to ensure that you are complaint, or are uncomfortable with their level of experience in healthcare IT, you may need to bring in outside support to get them up to speed or look for an IT partner that specializes in healthcare. Whatever you do, don’t assume that your IT partner has everything under control. When it comes to compliance, the golden rule is “trust but verify”.