HIPAA Compliance: What Has Changed and How Will It Impact Healthcare Providers?

When Congress adopted HIPAA in 1996, there was a great deal of commotion surrounding the new information-handling rules. Healthcare organizations spent considerable time and money on training, followed by significant changes in office procedures and policies.

There was never any question that healthcare organizations wanted to protect patient health information, but the sheer number of new rules in HIPAA was overwhelming, making full compliance a daunting challenge. It took years for most offices to make the necessary adjustments.

Then came the HITECH Act, passed by Congress as part of the 2009 American Recovery and Reinvestment Act, known to many as the "Stimulus Bill." HITECH changed the game dramatically by expanding the reach and scope of HIPAA. In fact, the original HIPAA requirements pale in comparison. Here are the most sweeping changes:

• Violation enforcement — hefty increases in civil and criminal penalties combined with active enforcement.
  • The maximum fine per violation has been raised from $100 to $50,000. Lack of knowledge is no longer a defense.
  • The annual cap for all violations of a specific provision has been raised from a maximum of $25,000 to $1.5 million.
  • Criminal penalties now range from $50,000 to $250,000, and up to 10 years imprisonment, depending on culpability.

• Breach notifications — imposes public notification requirements for unauthorized uses and disclosures.

• Health records access — a new regulation that entitles patients to their PHI in an electronic format.

• Business associates — extends HIPAA provisions directly to your BAs, who must now also prove compliance.

• Annual assessments — mandates detailed annual self-assessments for healthcare organizations and their BAs.

Addressing regulatory healthcare compliance will have to be a top priority for healthcare organizations in the year ahead.

Additionally, HITECH requires all healthcare organizations and their business associates, regardless of size, to be audited. HHS began auditing in November 2011. Several preparatory steps must be taken now; most industry experts urge organizations to demonstrate the following as good-faith efforts:

  • Establish a PHI privacy and security committee.
  • Complete an updated evaluation of safeguards for PHI.
  • Conduct a risk analysis of threats and vulnerabilities.
  • Complete a self-assessment of HIPAA compliance.
  • Document and act upon a corrective action plan.
  • Prepare a detailed report on compliance.

The additional requirements imposed by HITECH may seem intimidating. Fortunately, unlike past HIPAA compliance drudgeries, recent software developments that automate the process of achieving compliance have greatly simplified and streamlined the task.

Beyond the regulatory requirements, low-cost automated compliance solutions can help protect you from unnecessary financial and legal risk while increasing the value of your healthcare business. The bottom line from industry experts: don't just take the risk and hope for the best.

Recent media coverage of PHI breaches has increased patient sensitivity to the issues of privacy and security. Healthcare organizations that recognize this and rise to the challenge, using new technology to meet HITECH's requirements, may realize a valuable competitive advantage.

Bill Currier is a Healthcare GRC Specialist with SYNERGY Technology Partners, an Oregon-based provider of automated healthcare compliance solutions including eGestalt Technologies SecureGRC. He can be reached at bill.currier@traco.us.


Copyright © 2024 Becker's Healthcare. All Rights Reserved.