HITECH Act: One Year Later, Are you Ready for Compliance?

David Ting
Feb 03, 2012

On Feb. 17, 2009, the HITECH Act was enacted, introducing new tiered civil monetary penalties for data breach violations, new authority for state attorneys general (AGs) to bring civil actions on behalf of their residents, and new HHS guidance on the technologies and methodologies that render protected health information (PHI) "unusable, unreadable or indecipherable" to unauthorized individuals. While we previously covered how HITECH will make available $2.0 billion in grant money for organizations to transition to electronic medical records (EMRs) and deploy appropriate security measures, the time for full compliance is now upon us. Otherwise, organizations risk significant penalties from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

The Healthcare & Technology blog has a good, quick post with some useful resources:
HIPAA Survival Guide: an overview of HITECH Act and HIPAA, minus the legalese
HITECH Act Effective Dates: a calendar of key dates you need to know

Beginning Feb. 18, 2010, one year later, civil penalties and settlements will be enforced, and HHS will be required to begin conducting mandatory audits. Key take-aways are:
• Data Breach Notification: A significant focus of the HITECH Act and its related penalties is the data breach notification requirement for unauthorized uses and disclosures of "unsecured PHI," meaning PHI that has not been rendered unusable, unreadable or indecipherable (for example, by encryption or destruction) in accordance with the HHS guidance. Whether the disclosure is intentional or accidental, patients have the right to know if their data has been compromised, and HITECH outlines a variety of penalties and disclosure parameters. Note the practical implication: PHI secured according to the HHS guidance falls outside the notification requirement, so an organization that can show a lost device or file was properly encrypted is in a very different position from one that cannot.
• Broader Definition of "Business Associates" bound by HITECH Mandates: The definition of business associate as it applies to HIPAA/HITECH is critical to understand: in short, any person or entity that creates, receives, maintains or transmits individually identifiable health information on behalf of a covered entity. Under HITECH, business associates are directly subject to the HIPAA Security Rule and to the same penalties as covered entities. Make sure you know who your business associates are to avoid unforeseen violations!

The above links and online resources provide a good, easy-to-read overview of the act, important dates and repercussions for non-compliance. With the first anniversary of the HITECH Act mere weeks away, this should serve as a vivid reminder that healthcare organizations now need to ensure patient data security with the appropriate levels of user authentication, both within the walls of the organization and within those of its business associates.

--David