Then came the HITECH Act, passed by Congress as part of the 2009 American Recovery and Reinvestment Act, known to many as the "Stimulus Bill." HITECH changed the game dramatically by expanding the reach and scope of HIPAA. In fact, the original HIPAA requirements pale in comparison. Here are the most sweeping changes:
• Violation enforcement — hefty increases in civil and criminal penalties combined with active enforcement.
- The maximum fine per violation has been raised from $100 to $50,000. Lack of knowledge is no longer a defense.
- The annual cap for all violations of a specific provision has been raised from a maximum of $25,000 to $1.5 million.
- Criminal penalties now range from $50,000 to $250,000, and up to 10 years imprisonment, depending on culpability.
• Health records access — a new regulation that entitles patients to their PHI in an electronic format.
• Business associates — extends HIPAA provisions directly to your BAs, who must now also prove compliance.
• Annual assessments — mandates detailed annual self-assessments for healthcare organizations and their BAs.
Addressing regulatory healthcare compliance will have to be a top priority for healthcare organizations in the year ahead.
Additionally, HITECH requires all healthcare organizations and their business associates, regardless of size, to be audited. HHS has already begun auditing as of November 2011. Several preparatory steps must be taken now. Most industry experts urge demonstration of the following as good faith efforts:
- Establish a PHI privacy and security committee.
- Complete an updated evaluation of safeguards for PHI.
- Conduct a risk analysis of threats and vulnerabilities.
- Complete a self-assessment of HIPAA compliance.
- Document and act upon a corrective action plan.
- Prepare a detailed report on compliance.
Beyond the regulatory requirements, low-cost automated compliance solutions can actually help protect you from unnecessary financial and legal risks while increasing the value of your healthcare business. The bottom line from industry experts: don't just take the risk and hope for the best.
Recent media coverage on PHI breaches has increased patient sensitivity to the issue of privacy and security. Healthcare organizations that recognize this and rise to the challenge using new technology to meet HITECH's requirements may realize a valuable competitive advantage. For a helpful summary of the HITECH Act of 2009, click here.
Bill Currier is a Healthcare GRC Specialist with SYNERGY Technology Partners, an Oregon-based provider of automated healthcare compliance solutions including eGestalt Technologies SecureGRC. He can be reached at firstname.lastname@example.org.
More Articles on HIPAA:7 Steps for Hospitals to Run Effective HIPAA Risk Assessments
9 Ways Hospitals Should Prepare for HIPAA Audits
HIPAA/HITECH Risk Assessments: Are the Standards Being Met?