HHS hasn't released any significant news around HIPAA regulations since its draft guidance on unsecure protected health information April 17, but that does not mean it is time to sit idle.
Major regulations surrounding breach notifications on PHRs by the Federal Trade Commission and unsecure PHI by the Department of Health and Human Services are due in August.
However, now is the time to start thinking about a few things when it comes to HIPAA and the new laws in the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Know your business associates. The HITECH Act says your BAs must comply directly with the HIPAA Security Rule and the use and disclosure requirements of the HIPAA Privacy Rule. As long as a company handles PHI, it's a business associate, according to CMS.
So get to know them better. Or, better yet, get them to know HIPAA better. Section 13401 of the HITECH Act includes the new requirements for BAs. The Act also says civil and criminal penalties for violations of the HIPAA and compliance audits apply directly to BAs. As a covered entity, you must incorporate these additional requirements in your agreements with the BAs, according to the new law.
"I've done over 150 business associate security and privacy program reviews, and one of the most common answers I get from business associates is that, 'Well, HIPAA does not apply to us,'" says Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, of Rebecca Herold & Associates, LLC, of Des Moines, IA. "They can't say that anymore. They can no longer argue that they don't have to have safeguards in place."
Know the players. As HITRUST Central pointed out this month, the mainstream media is jumping onboard HIPAA news.
Forbes recently produced a piece aimed at the consumer about medical breaches. Some interesting facts out of Forbes:
- Breaches within healthcare account for 12% of all breaches, according to www.DataLossDB.org
- That site also reported 10 breaches in June alone, totaling nearly 600,000 records
- There have been 260 million security breaches since 2005, according to Privacy Clearing House
Track audit logs on EHRs. Whether or not your facility has moved to EHRs, it's going to have to by 2014. And it must comply with certain patient requests on accounting of disclosures per the HITECH.
A good place to start–as reported in HCPro's recent HIPAA white paper is to document your uses, disclosures, and storage of PHI with EHRs or any other system or data repository. Keep audit logs of who accessed records, and what their role is, says Chris Apgar, CISSP, president, Apgar & Associates LLC, in Portland, OR. Besides the future requirement to track and make available PHI disclosed from an EHR, the HIPAA Security Rule requires the generation and review of audit logs. Use a database to ensure all uses and disclosures are tracked as required by the HIPAA Privacy Rule and plan to maintain similar information related to disclosures when the future EHR accounting of disclosure requirements become reality.
Privacy development. Are patients getting more control over their records? New technology and companies want to shift responsibility for decisions about who can use PHRs for research or other purposes from hospitals to patients, says Richard S. Dick, founder of You Take Control, Inc., an electronic consent management company in Alpine, UT, and co-author of the book, The Computer-Based Patient Record: An Essential Technology for Healthcare.
"Researchers are willing to pay thousands of dollars for this information, so why not let the patients benefit from that money, too," Dick asks.