The Challenges HIPAA and HITECH Compliance Bring IT Professionals

Outside of the finance industry, healthcare is one of the most regulated industries in the U.S. As the healthcare policy debates rage on, one issue on which most Americans can agree is the need to keep personal healthcare information confidential and secure.

Major regulations such as HIPAA and HITECH have been passed into law to increase the security of our personal health information. For better or worse, a major portion of the burden of complying with these regulations and all of their revisions falls on IT professionals.

HIPAA and HITECH: A Brief Overview

While HIPAA (the Health Insurance Portability and Accountability Act), passed in 1996, has received the most attention, the more recently implemented HITECH law is quickly having an impact.

HITECH (the Health Information Technology for Economic and Clinical Health Act) was passed into law in 2009. The goal of HITECH is to strengthen the civil and criminal enforcement of the existing HIPAA regulations that require health organizations and their business partners to report data breaches. HITECH also increases the penalties for security violations and implements new rules for tracking and disclosing breaches of patient information.

Data Breach Notification

Under HITECH rules, all data breaches of PHI (protected health information) must be reported to the individuals whose data was compromised. This includes reporting files that may have been hacked, stolen, lost, or even transmitted in an unencrypted fashion.

If such a breach, or potential breach, affects 500 or more people, the media must also be notified. Breaches of all sizes must be reported to the Secretary of Health and Human Services (HHS), but if fewer than 500 individuals' records are affected, healthcare organizations may report the breach via the HHS website on an annual basis. Larger breaches must be reported to HHS within 60 days.

Penalties for Data Breach

The HITECH Act implements a four-tier system of financial penalties, assessed according to the degree of "willful neglect" the healthcare organization demonstrated in the events leading to the breach. Fines range from $100 per breached record for unintended violations up to $50,000 per record (with an annual cap of $1.5 million) when "willful neglect" is demonstrated.

Access to Electronic Health Records (EHRs)

HITECH requires that the software a health organization uses to manage its EHRs make a patient's electronic PHI available to that patient while still protecting it from breach, by encrypting the data and securing the connection over which it is accessed.

Not surprisingly, email is not considered a secure method of data transmission.

Business Associates

Before HITECH, business associates of healthcare organizations were not held directly liable for privacy and security under the HIPAA rules, even though they had access to PHI. HITECH now makes all business associates with access to PHI subject to the HIPAA rules and requires them to maintain Business Associate Agreements with the healthcare organization that provides the PHI. Business associates are also required to report any data breaches and are subject to the same penalties as their healthcare business partners.
