HIPAA compliance requirements have been greatly changed by the American Recovery and Reinvestment Act (ARRA) and its Title XIII, the HITECH (Health Information Technology for Economic and Clinical Health) Act. With the introduction of this law, business associates are directly accountable for the privacy and security requirements that previously applied only to covered entities. In addition, a business associate is now subject to civil and criminal penalties. The law also includes a provision directing HHS to establish a method by which individuals harmed by a violation of their privacy can receive a share of any penalty collected.

This federal law has strengthened the enforcement portion of HIPAA. The significant changes include:

- Employees and other workforce members, including independent contractors, are now subject to civil penalties. This means that individuals are also now legally accountable.
- HHS is required to formally investigate any complaint and to impose civil penalties for violations of the rules if the violation is due to "willful neglect."
- Any civil monetary penalties or monetary settlements resulting from a violation of the rules must be transferred to the Office for Civil Rights (OCR) to fund enforcement of the privacy and security rules.
- Civil monetary penalties now follow a tiered system, ranging from $100 to $50,000 per violation depending on the level of culpability.
- The Secretary of HHS is required to conduct periodic audits to be sure that covered entities and business associates are compliant with the new rules.
- State Attorneys General now have the authority to bring suit in federal district court for any violation on behalf of the residents of their state.

What Steps Should a Business Associate Take to Be Sure You Are Compliant?

The first step is being sure you are properly classified. For example, if you are an independent contractor working for a service and not directly contracting with a covered entity, that probably means you are not a business associate but an agent or subcontractor of a business associate. It is important, however, for independent contractors to understand that if your contract is directly with the covered entity, that makes you a business associate, and all of the new requirements apply to you.

Some things you need to consider include:

- Assigning responsibility for compliance to one person. While you can have a team working on compliance issues, one person must be named as the compliance officer and be responsible. This does not have to be an employee, and you can use a consultant if that works best for you; however, it is critical that you have this person identified.
- Encryption of all electronic files. The HITECH Act has made encryption the one thing that provides a "safe harbour" from breach notification: protected health information that is encrypted according to HHS guidance is not "unsecured," so its loss or exposure is not a reportable breach. Data that is not encrypted is considered unsecured under the law. While you may already be using encryption for data transfers, information must also be encrypted while "at rest." This may require that you add encryption to all electronic files stored anywhere on your systems. If you are in medical transcription, remember that this also includes the voice files stored on any dictation system. Strictly speaking, the Security Rule lists encryption as an "addressable" specification rather than an absolute mandate, but because only encrypted (or destroyed) PHI qualifies for the safe harbour, any unencrypted data that is lost or exposed must be treated as a breach. The Secretary of HHS reviews the guidance on securing PHI annually for any changes.
- Breach notifications. While HIPAA has always required that a business associate notify its client of any breach of information, the law now makes you responsible for being sure the notification is done. A breach is defined as the acquisition, access, use or disclosure of unsecured PHI that is not permitted under HIPAA and that compromises the privacy or security of the information. Remember that unsecured data means unencrypted data. Documentation of breach notifications must be kept for six years.
- Be sure you are compliant with both the Privacy Rule and the Security Rule. There are many points to consider in these rules. You must have written policies and procedures. You must have a written risk analysis. You also must have a contingency plan in place for any kind of business disruption. Your systems also have to provide audit trails showing who has accessed protected health information.
- Realize you are responsible for the actions of your workforce. The rules require training of the workforce, which must be done and documented. If you have remote workers, this can be more of a challenge, but it is possible.
- Another significant change is that business associates are now responsible for taking reasonable steps to stop violations by the covered entity (their client) when they become aware of a pattern of activity that materially breaches the business associate agreement. This includes, if the violation cannot be cured, canceling your contract with a client who refuses to fix the violation or prefers to ignore the law. Both parties are responsible for doing this for the other, and this could very well change some of the relationships you currently have with your clients.
- Documentation. Remember, it is all about being sure you have things documented. Use the rule of thumb that says "if it's not documented, it wasn't done." It is no longer acceptable simply to say you are compliant. You must have written documentation showing that you have done all of the required steps.

The changes that have come as a result of the HITECH Act certainly have a big impact on business associates. The date for compliance is past. If you have not taken the required steps, now is the time to do it.