Hipaa Laws Explained

By Author: Samantha Dale
Total Articles: 610
Comment this article

How Did We Get Here, Wherever We Are?

The passage of The HITECH Act in 2009, subsequent guidance and Notices of Proposed Rulemaking (NPRMs) provided by Health and Human Services (HHS) and the Office of Civil Rights (OCR) make a several things very clear:

HIPAA Security is here to stay and more stringent than ever
Enforcement is being ramped up at Federal and State levels
Civil and Criminal Monetary penalties are significantly higher
Millions of businesses are now subject to the various security requirements

Remember, the HITECH Act is the Health Information Technology and Economic Clinical Health Act. Yes, the acronym includes TECH. Be assured, however, that the HITECH Act and it predecessor and, in many ways, companion 1996 Health Insurance Portability and Accountability Act (HIPAA) are not fundamentally about technology. There are about improving health outcomes in the US.

For certain, the HITECH Act includes large incentives for the adoption of Health Information Technology (HIT). But, these incentives are part of a much broader national and industry-wide effort to address ...
... longstanding people, process and technology issues in healthcare. At the end of the day, HIPAA and, specifically, HITECH include very specific health policy goals that highlight these desired outcomes:

1. Improving quality, safety, efficiency, and reducing health disparities.
2. Engaging patients and families in their healthcare
3. Improving care coordination
4. Improving population and public health
5. Ensuring adequate privacy and security protections for personal health information

HIT is seen as an important means to the end policy goals listed above. With the implementation of HIT comes the likely increased transmission, visibility and flow of electronic Protected Health Information (ePHI). With this increase, there will be an increase in the risk of unauthorized and impermissible uses and disclosures of ePHI. HHS and OCR are committed to improved health outcomes in the US and especially committed to protecting individuals' rights to privacy when it comes to their ePHI.

To improve the health of individuals and communities, health information must be available to those making critical decisions, including individuals and their caregivers. While health information technology will help America move its health care system forward, the privacy and security of personal health data is at the core of all our work. — Kathleen Sebelius, HHS Secretary, in announcing the Notice of Public Rule Making-Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under HITECH in July 2010.

When the Privacy and Transactions and Code Sets subtitles of HIPAA were enacted in 2003, most organizations worked to diligently to comply with the laws and implement required processes, technologies and policies. For a variety of reasons, even though all Covered Entities (Health Plans, Providers, Claims Clearinghouses) and their Business Associates were required to become compliant with HIPAA Security in various ways by April 2005, many did not. As a result, a large number of Covered Entities find they are non-compliant today. The HITECH Act makes Business Associates statutorily obligated to comply with the law, as of February 2010. Surveys find that most Business Associates are not even aware of their obligations under the law. A recent HHS NPRM proposes that all Covered Entity and Business Associate subcontractors be required to enter into Business Associate-type agreements obligating these subcontractors to effectively comply with relevant sections of the HIPAA Security Final Rule.

The ante has clearly been raised and it is time to act. No matter where you are in your HIPAA-HITECH Security Compliance journey, we may be able to help you...

Jump start your program
Revitalize your efforts
Update with HITECH Requirements
Independently benchmark your status

So, how does one get started on their HIPAA-HITECH Security Compliance Journey?
As any good clinician would do upon presentation of a new patient or a new case, we highly recommend a baseline assessment. Our HIPAA-HITECH Security Assessment ToolKitâ„¢ is designed to help organizations at all stages in their HIPAA-HITECH Security compliance program.

Organizations all over the US with whom we have worked have achieved all of the following when using our HIPAA-HITECH Security Assessment ToolKitâ„¢:

Determined where they stand right now
Established a progress / benchmark monitor for ongoing evaluation
Became informed and current with HITECH Act-driven changes
Built deep understanding of the regulations at the onset
Quickly identified low hanging fruit remediation items
Educated their HIPAA Security team on specifics of the law
Enhanced the productivity of the security or audit team
Launched remediation efforts while continuing other tasks
Created a formal program structure and measurement process
Related HIPAA Security - HITECH Act to business goals and risk management
Made security decisions in an informed manner
Raised awareness about and differentiate HIPAA Security from Privacy
Communicated seriousness of compliance program to the workforce
Developed a solid foundation for HIPAA Risk Analysis

One executive customer said We jump-started our Security Compliance program, started to address risk mitigation tasks within a matter of days and, through the detailed coverage of the law in the assessment tool, positioned ourselves well for the remaining phases of our security compliance program.

For more information about our HIPAA Laws, Security Risk Assessment and HIPAA Security Assessment ToolKitâ„¢, please visit http://www.HIPAASecurityAssessment.com today. Or View one of our brief instructional/overview videos at: http://hipaasecurityassessment.com/hsa-toolkit-videos/