HITECH Survey: Providers Remain Concerned About HIPAA Breach Notifications

Dom Nicastro, February 19, 2010

Editor's note: This is the third of a three-part series this week focusing on expert advice on complying with HIPAA and preparing for HITECH regulations. The HITECH compliance date for business associates under the security rule was Wednesday, February 17.

HITECH compliance for business associates (BAs) has come and gone. The date for BAs to comply with the HIPAA Security Rule and the use and disclosure provisions of the privacy rule was February 17. Further, breach notification enforcement begins February 22.

So where does your organization stand? Are you ready? Your BAs?

We can give you a pretty good idea after seeing the results of HCPro's HIPAA and HITECH survey, which was rolled out over the past two weeks. It attracted nearly 600 respondents, mostly HIPAA compliance officers and HIM directors.

For starters, if your organization has done something with its HIPAA compliance program in light of HITECH, you're in the majority: 89% said they've responded.

And exactly what have they done?

  • Rewrite policies and procedures: 74%
  • Revise or draft new business associate agreements: 71%
  • Conduct additional training: 65%
  • Conduct an internal audit to evaluate your organization's program: 36%
  • Purchase resources to educate yourself on changes to the law: 28%
  • Hire a consultant to evaluate your organization's HIPAA compliance program: 6%

One respondent said they created a breach notification action response team, which seems to be a good idea when you consider the interim final rule on breach notification took effect last summer.

Those regulations require:

  • Notice to patients alerting them to breaches "without unreasonable delay," and no later than 60 days after discovery of the breach
  • Notice to covered entities (CEs) by BAs when BAs discover a breach
  • Notice to the secretary of HHS and prominent media outlets about breaches involving more than 500 patient records
  • Notice to next of kin about breaches involving patients who are deceased
  • Notices that include what happened, the details of the unsecured PHI that was breached, steps to help mitigate harm to the patient, and the CE's response
  • Annual notice to the secretary of HHS, within 60 days after the end of the calendar year, about unsecured PHI breaches involving fewer than 500 patient records

"Breach notification" earned the No. 1 spot in response to our survey's question, "Which provision of the American Recovery and Reinvestment Act of 2009 do you feel is the most challenging?"

It took top honors at 39%, and only 29% said they were completely ready to comply with those requirements; 61% said they were "almost ready" to comply. Amending business associate contracts took No. 2 in terms of the most challenging aspects of ARRA/HITECH at 18%. Finishing third with 16% was "Patients' rights to an accounting of disclosures on EHRs," which some told us earlier will be a logistical "nightmare."

Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.