Providers Not Ready for HITECH Compliance

Andrew E. Blustein, Esq., responded quickly when asked what he came away with after talking to providers at last week's 17th annual HIPAA Summit at the Wardman Park Hotel in Washington, DC.

"People are shell-shocked," says Blustein, partner and co-chair of Garfunkel Wild & Travis, PC's Health Information and Technology Group in Great Neck, NY, and Hackensack, NJ.

Blustein and David A Mebane, Esq., senior vice president for legal affairs at Saint Barnabas Health Care System in West Orange, NJ, teamed to present on breach notification at the event.

HHS released its interim final rule on breach notification August 24 calling for greater—and more swift—notification requirements when there is a breach of unsecure PHI.

It's one requirement among many in the HITECH Act that has providers worrying about compliance. The HITECH Act, signed into law February 17, 2009, calls for increased HIPAA enforcement, stiffer monetary penalties for privacy and security violations, and more patient rights on their medical records.

"I think that people are just a little overwhelmed," Blustein says.

Providers have a tough enough time complying with HIPAA's Administrative Simplification Act, Blustein says.

"They're very complicated," he says. "They're like a puzzle."

Times have changed at the HIPAA Summit. In the days shortly after the HIPAA law passed in 1996, providers buzzed at the conference and showed some spark about compliance.

"People were excited," Blustein says. "They were getting amped up about things like 'minimum necessary.'"