3. HITECH imposes breach notification requirements on HIPAA covered entities AND business associates
HITECH requires business associates to comply with the same obligations and face the same potential penalties as covered entities.
This means violations are not merely a problem that will be handled through the business associate agreement, but the feds could take action, too.
Covered entities and business associates will have to notify the proper people and entities (affected individuals and, depending on the breach, HHS and the media) without unreasonable delay and in no case later than 60 days after discovering a breach of unsecured protected health information. They will also need to provide detailed information about the breach and the steps individuals should take to protect themselves.
4. HITECH increases enforcement of and penalties for HIPAA violations. Business associates who violate the new regulations will not merely need to deal with covered entities, but may face hefty fines from the feds and states, too.
Critics, including the Office of Inspector General, have charged that the Department of Health and Human Services' enforcement of HIPAA regulations has been lax. HITECH tackles both the limited enforcement and the speeding-ticket-sized HIPAA fines.
HITECH created a tiered penalty structure that stretches to as much as $1.5 million per calendar year for identical violations. All civil money penalties will go to the Office for Civil Rights to fund future investigations.
HITECH requires HHS to formally investigate any complaint of a HIPAA violation if preliminary investigation shows possible violations. The new law also allows state attorneys general to bring civil actions in federal court on behalf of state residents (and state AGs love to take on large healthcare companies).
"A security breach can be a disastrous event for many organizations because the adverse consequences can be enormous, from class action lawsuits to regulatory action. One of the major components of HITECH is to really create new stringent security breach obligations for HIPAA-covered entities," says Hirsch.
5. Prepare for the changes now
Hirsch says business associates will need to:
As part of this process, business associates will need to track, store, and compile information so there is an audit trail in case of a breach.
"Because the security standards are fairly broad and general, the security risk analysis is key because that's how an organization decides how to prioritize and justify the decision they make in implementing all of these broad and general standards. A formal, thorough security risk analysis is critical to that process," says Hirsch.
While many large business associates already have a comprehensive security compliance program, smaller companies will need to create their own. This may force some companies to decide the added work and regulations are too much. Hirsch suggested smaller business associates, especially those that work in areas beyond healthcare, may bow out of the industry rather than invest the money, time, and manpower to create procedures to follow HITECH regulations.
As the above action points show, managed care companies need to prepare for these changes and realize that more revisions are coming. HHS will issue clarifications over the next year before HITECH goes into effect next February.
This is an exciting time for healthcare, but with that excitement come many changes. Instead of waiting to get started, managed care companies should start work on their game plan now.