HITECH Panic? Not Now, At Least

Dom Nicastro, April 13, 2009

New federal HIPAA laws are here. Anxiety at hospitals is not.

That wasn’t the case in 2003, when providers scrambled for answers to comply with the new privacy and security rules of HIPAA.

Then, many even had trouble getting the acronym right (admit it, we’ve all written "HIPPA" at one time or another).

Here we are today, six years later, with a Congress eager to move the industry to EHRs by 2014, and even more eager to protect patients’ privacy in the process.

Now that Congress (finally) strengthened HIPAA enforcement and toughened compliance requirements through breach notification processes and accounting of disclosures on EHRs, what’s the reaction in the industry?

Well, picture this. It’s kind of like the Boston Celtics just signed Larry Bird. Not Larry Bird, the NBA Hall of Famer, three-time NBA champion and three-time NBA Most Valuable Player of the 1980s.

We’re talking about Larry Bird today—the 52-year-old, out-of-shape president of Basketball Operations for the Indiana Pacers.

If you’re the rest of the league, you’re not really sweating it.

Analysis: HITECH Gives HIPAA New Teeth

HITECH Act will impose stricter HIPAA requirements and stiffer penalties for violations. But at this point, the changes aren't worth losing a lot of sleep over. —Elyas Bakhtiari

That’s kind of the sense we get in the field from HIPAA privacy and security officers. Yes, they know the Health Information Technology for Economic and Clinical Health (HITECH) Act is here, and they are familiar with its provisions. But they’re not worried about it. At least not now.

"I'm afraid that at this time we are not moving too quickly with any changes in our practices," one privacy officer told us. "The corporate direction we have been given does not have us moving immediately to revise applicable policies/procedures. As we both know, once a bill is signed there are timetables by which compliance will be required and that, generally, allows organizations sufficient time to bring their practices up-to-date. We are, merely, digesting all the material that is coming out with respect to this Act."

That’s the CliffsNotes version of our research at this point. The key word here is reluctance, not ignorance.

Hospitals certainly plan to do something in light of security provisions in the HITECH Act. In fact, 98% of respondents in our HITECH survey of 300 privacy and security officers said they plan to revisit their HIPAA compliance and training programs.

"One thing I do see is people taking their policies off the shelf and revisiting them to see how they will need to be amended to accommodate those requirements and definitions which are soon to be established by those governmental entities as identified within the HITECH Act," says Frank Ruelas, MBA, the creator of www.hipaabootcamp.com who is based out of Scottsdale, AZ. "Sometimes it takes an event such as the passage of new legislation to serve as the tipping point to get folks to take action."

So why the reluctance now?

Our feedback tells us hospitals don’t want to move too much with regulations that have yet to be defined. And there are a host of them, including:

  • The definition of "unsecured protected health information"
  • What must be included in an accounting of disclosures in EHRs
  • When the Secretary of HHS will conduct audits of organizations
  • What "meaningful use" of an EHR means

And in a shocker, hospitals said they just can’t invest money right now.

Furthermore, some providers told us they’re more worried about the Red Flags Rule deadline—May 1. Hospitals considered to be creditors must set up a policy and procedure that helps them identify "red flags" on identity theft, prevents them and corrects them through self-audits (the FTC last week came out with some nice guidance to help comply).

So where is your organization on the HITECH Act? Is the panic button a 2 or 3, or is it up to a 9 or even a 10?

If you’re like most of the industry, it’s probably the former. Essentially, hospitals with a strong HIPAA compliance and training program already in place should be fine with the new regs. If you are confident your facility won’t have a breach, the new breach notification requirements are less of a concern, though an audit by the Secretary of HHS can come whether or not you have had a breach.

But for those who don’t have a policy in place—and perhaps those who have suffered a breach of privacy at one point (see: CVS)—then, well, maybe your panic level should be a 10.

Because after all, federal law is federal law. Just like Larry Bird is Larry Bird.

Dom Nicastro is a senior managing editor at HCPro, Inc. in Marblehead, MA. He edits the Briefings on HIPAA and Health Information Compliance Insider newsletters. E-mail him at dnicastro@hcpro.com.