Five Things Health Insurers, DM Need to Know About HITECH
3. HITECH imposes breach notification requirements on HIPAA covered entities AND business associates
HITECH requires business associates to comply with the same obligations and face the same potential penalties as covered entities.
This means violations are not merely a problem to be handled through the business associate agreement; the feds could take action, too.
Covered entities and business associates will have to notify the proper people/entities within 60 days of discovering security breaches. They will also need to provide detailed information about breaches and what steps individuals should take to protect themselves.
4. HITECH increases enforcement of and penalties for HIPAA violations
Business associates who violate the new regulations will not merely need to deal with covered entities, but may face hefty fines from the feds and states, too.
Critics, including the Office of Inspector General, have charged that Health and Human Services enforcement of HIPAA regulations has been lax. HITECH tackles both the limited enforcement issue and speeding-ticket-sized HIPAA fines.
HITECH created a tiered penalty that stretches to as much as $1.5 million for violations. All civil money penalties will go to the Office of Civil Rights to fund future investigations.
HITECH requires HHS to formally investigate any complaint of a HIPAA violation if preliminary investigation shows possible violations. The new law also allows state attorneys general to bring civil actions in federal court on behalf of state residents (and state AGs love to take on large healthcare companies).
"A security breach can be a disastrous event for many organizations because the adverse consequences can be enormous, from class action lawsuits to regulatory action. One of the major components of HITECH is to really create new stringent security breach obligations for HIPAA-covered entities," says Hirsch.
5. Prepare for the changes now
Hirsch says business associates will need to:
- Revise business associate agreements to incorporate the new privacy and security requirements and remove amendments from contracts that are no longer necessary under HITECH
- Implement written policies and procedures that address each HITECH security rule standard
- Create a security awareness and training program for employees
- Designate a security official
- Conduct a security risk analysis
As part of this process, the business associates will need to track, store, and compile information so there is an audit trail in case of breaches.
"Because the security standards are fairly broad and general, the security risk analysis is key because that's how an organization decides how to prioritize and justify the decision they make in implementing all of these broad and general standards. A formal, thorough security risk analysis is critical to that process," says Hirsch.
While many large business associates already have a comprehensive security compliance program, smaller companies will need to create their own. This may force some companies to decide the added work and regulations are too much. Hirsch suggested smaller business associates, especially those that work in areas beyond healthcare, may bow out of the industry rather than invest the money, time, and manpower to create procedures to follow HITECH regulations.
As the above action points show, managed care companies need to prepare for these changes—and realize that more revisions are coming. HHS will issue clarifications over the next year before HITECH goes into effect next February.
This is an exciting time for healthcare, but with that excitement come many changes. Instead of waiting to get started, managed care companies should start work on their game plans now.
Les Masterson is senior editor of Health Plan Insider. He can be reached at firstname.lastname@example.org.