There's no denying that electronic health records may cut costs and reduce errors, but they can also increase your compliance risks as well as security from the feds.

You will be accountable for compliance even if a third party installs and maintains your records system. Providers will still be responsible for ensuring the same privacy protections as if they had their own IT department.

The American Recovery and Reinvestment Act (ARRA) has intensified HIPAA requirements, and Congress has allocated more HIPAA security compliance enforcement dollars to the CMS and the HHS OIG. You can use the following breakdown of the new HIPAA regulations to update your policies and procedures.

Now, under ARRA's HITECH provisions, you must notify patients without delay, and you should not wait later than 60 calendar days after you discover that unsecured electronic health information was improperly accessed or disclosed.

There has been an enforcement shift as well. For the first time, ARRA extends liability for HIPAA violations directly against business associates and forces them to comply with the same security standards as providers. As a result, you will need to modify your business associate agreements. But not everyone you do business with qualifies to be an associate.

That apart, you will be required to curb all third-party protected health information (PHI) disclosures to a 'limited data set' or the 'minimum necessary', inclusive of those disclosures you make to health plans.

The stimulus bill brings about new restrictions on the sale of PHI and marketing practices as well.