We have found that some are unfamiliar with the Information Technology for Economic and Clinical Health Act, also known as “HITECH”. Therefore, we hope this article provides helpful information. HITECH was enacted as part of the American Recovery and Reinvestment Act in 2009 (the “Stimulus Funds”). HITECH expanded the privacy and security rules under HIPAA, including extending liability for security and privacy breaches to the business associates of covered entities under HIPAA. As such, third parties who receive protected health information from a covered entity must execute a written agreement confirming their responsibility to appropriately protect health information from data breaches. The term business associate is broadly defined to include any third party who creates or receives protected health information from a covered entity. Thus, a business associate may include IT specialists, management consultants, accountants or attorneys. Under HITECH, the penalties for noncompliance are also more severe than under the original enactment of HIPAA. Finally, HITECH is known for its incentives and penalties regarding electronic medical records and its meaningful use requirements. Requirements of HITECH were implemented on January 17, 2013 under the Omnibus Final Rule. For more information, please contact our office at firstname.lastname@example.org.
It is no longer sufficient to simply have a compliance program. Today’s federal enforcement landscape places higher demands on Privacy and Compliance Officers not envisioned in years prior. For example, a more expansive application of HIPAA now includes severe penalties of up to $1.5 million for violations of the same HIPAA provision within a calendar year. Also, under the Omnibus Final Rule, covered health organizations can be liable for business associates that violate privacy rules under HIPAA or the HITECH Act. Increased responsibilities of Compliance Officers reasonably include:
- Internal Audits of Privacy, Security and Data Transfer Policies and Procedures
- Review of Potential Data Transmission Vulnerabilities
- Oversight of Business Associate Relationships and Business Associate Agreements
- Management of Training and Educational Programs on privacy and security requirements under HIPAA and HITECH
- Overseeing Enforcement of HIPAA and HITECH policies and procedures
Unfortunately, the responsibilities resulting from the Final Rule under HIPAA are in addition to the time required for proper review, analysis and compliance enforcement of rules concerning EMTALA, Fraud, Waste and Abuse, the False Claims Act, Stark, the Anti-Kickback statute, Conflict of Interest policies and other regulatory requirements. For this reason, health organizations should explore cost-effective alternatives such as outsourcing compliance needs to legal consultants. The advantages of outsourcing compliance include not only cost efficiency, but also the ability to protect sensitive client communications through the attorney/client privilege. Legal compliance firms are better equipped to provide the evaluation and training required under constantly changing regulations such as HIPAA. For more information regarding HIPAA and HITECH, please contact our legal compliance firm at email@example.com.
There is a rising effort to protect personally identifiable information (PII). For instance, the OMB provided new guidance under 2 CFR Chapter Part 200 which requires entities receiving federal grant funds to take reasonable measures to safeguard such information. The new reforms define PII as information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that can be linked to a specific individual. However, there is no silver bullet with respect to whether any given information is in fact PII. Certain instances will require a case-by-case analysis based on the facts and circumstances of the situation. All in all, these newer requirements may require grantees to implement tighter controls.