|
As of Sept. 25, 2009, all HIPAA-covered entities, their business associates, vendors of patient health records and patient health record-related entities became subject to data breach notification requirements for patient health records. This requirement was put into place as part of the Health Information Technology for Economic and Clinical Health (HITECH) Act. The impacts of the HITECH Act to health care organizations and their business partners are numerous and broad.
While state data breach notification requirements are prevalent, only two states (California and Arkansas) have specified medical information in the definition of "personal information." In addition, the HIPAA security standard only denotes encryption as "addressable," meaning HIPAA-covered entities need to evaluate encryption as a security option and document their decision.
As a result, thousands of healthcare-related businesses are finding themselves struggling to keep pace with the rapid implementation of the HITECH Act breach notification requirements and safe-harbor provisions. The Act itself is complex, with multiple references to multiple guidelines and rules in multiple copies of the Federal Register, leaving health care providers, insurance companies and their business partners working hard to find accurate information about what they must do.
Understanding your options
The HITECH Act was enacted in February 2009 as part of the American Recovery and Reinvestment Act. While the thrust of the legislation was to improve the health care system by providing federal support for moving to electronic patient health records, legislators were also careful to ensure that provisions were included to promote efforts geared toward ensuring confidentiality and privacy of patient health data. In addition to data breach notification requirements for all HIPAA covered entities, the HITECH Act also extended HIPAA requirements beyond the traditional covered entities of "payers, providers and clearinghouses" to their business partners.
|