HITECH HIPAA — It’s Only Just Begun
April 11, 2012
George Thomas, CPA
Doesn’t it seem like HIPAA has been around forever? It has been nine years since the HIPAA privacy act was enacted in April 2003 and seven years since the HIPAA security act was implemented. From the regulators’ perspective, the compliance results from those acts were less than favorable, so the government followed up with the HITECH HIPAA regulations in 2009. The interim final rule for HITECH HIPAA was effective November 2009 and stated that civil penalties would be enforced for non-compliance beginning February 17, 2010. The rule confirmed the data breach notification requirements for entities that lost protected health information and indicated that additional rules would follow. Those additional rules were proposed in July 2010 and included four key measures:
- The expansion of individuals’ rights to access their healthcare information and to restrict certain types of disclosures of protected health information to health plans.
- A requirement for business associates of HIPAA-covered entities to comply with the same rules as the covered entities. (Certain benefits do exist for having "Business Association Agreements" in place before the date the final rule is issued.)
- Setting new limitations on the use and disclosure of protected health information for marketing and fundraising.
- Prohibition on the sale of protected health information without patient authorization.
It was expected that these proposed rules would be finalized by March 2011, and the Department of Health and Human Services had indicated that enforcement of these regulations (except in data breach circumstances) would not occur until after the final rule is enacted. To date, the final rule has not been enacted, but it is expected that these rules will be finalized in 2012.
These rules will not be simple or straightforward, but they should be taken seriously. Non-compliance could result in your organization incurring fines or penalties. The Department of Health and Human Services has hired KPMG for $9.2 million to perform HITECH HIPAA audits throughout the country. We recommend that providers work with their legal counsel to understand how the HITECH HIPAA rules could impact their organization and develop a related timeline in order to ensure their compliance.