“ Greater patient access and control over the flow of electronic information will boost consumers’ trust in health information exchange and electronic health records.”




rules represent a striking of the difficult balance between improving appropriate health information access and transfer with the necessary confidentiality and security of that same information or data, and the very important inclusion of patients and their guardians in these activities.”

The proposed requirements and heavier penalties give “teeth to a compliance regulation that people have been able to put on the back burner in the past,” according to healthcare consultancy Beacon Partners Inc. They released an advisory brief, HITECH and HIPAA: Missteps Will Cost You and Your Patients, on the enforcement rule. “HITECH is certainly not the old HIPAA we knew and gave lip service to—not even close,” wrote Vice President of Professional Services Kathleen LePar and Senior Consultant Rachel Hudspeth in the brief. “Even though we are still misspelling the acronym, the one thing that will not be misspelled is the healthcare organization’s name on the federal Department of Health & Human Services website or when given to the media when breaches are encountered.”

Christopher Paidhrin, security and compliance officer at Southwest Washington Medical Center in Vancouver, had an even simpler assessment of the proposed rules. They are, he said, a “no-brainer.”

Evolving Compliance, Involving More Groups

Perhaps the most significant effect the HITECH Act has had on HIPAA compliance is within the structure of business associates and organizations that are considered covered entities. Under previous HIPAA regulations, business associates were governed by contracts with covered entities. Those entities—typically the providers and payers who handled PHI—were subject to HIPAA compliance. But now, a HIPAA business associate will be treated as if it’s a HIPAA-covered entity, Paidhrin said. This is a big change for vendors and third-party companies that aren’t accustomed to paying attention to HIPAA regulations, but it makes sense to get everyone on the same page with patient data security. Without assurances that every organization handling PHI meets the providers’ compliance standards, “How can I trust that I won’t be held accountable?” he asked.

New willful-neglect clauses in the HIPAA rules as updated by the HITECH Act should spur healthcare providers to pay closer attention to HIPAA. “Now more than ever, they’re on the hook for institutional shirking of privacy rules,” said Amy Leopard, a partner at Cleveland law firm Walter & Haverfield LLP. Willful neglect generally can be described as knowing HIPAA rules but not properly training employees—and now, business associates—in them. “It’s evolving. It’s going to be like this for the next couple of years,” Leopard said about the proposed rules, as well as about HIPAA enforcement strategies now in their infancy.

Urgency to Get Patient Data Security Right

There is a nascent quality to the legal approach of HIPAA because of the lack of enforcement in the last 10 years, according to Paidhrin. Business associate contracts cover common policies and procedures for securing PHI, but there used to be a lot of pushback from contractors in how those agreements were structured. “I’m seeing a lot of urgency in the community now,” he said. “Their attention has been grabbed.”

And that attention is growing, even if the healthcare industry isn’t completely prepared to handle the new enforcement rules. Separate surveys conducted by the Ponemon Institute LLC and the analytics organization of the Healthcare Information and Management Systems Society (HIMSS) indicate that there is general awareness of the HIPAA changes under the HITECH Act. Most healthcare organizations nevertheless are waiting for more guidance from the federal government on implementing those changes before they alter their policies. Business associates in particular were less aware of the ways the patient data-security changes affect them, according to the surveys. The Ponemon Institute survey of HITECH Act compliance readiness found 31% of business associates were “barely aware” they needed to take any HIPAA compliance action. That survey of 77 organizations, including 42 covered entities and 35 business associates, was released at the end of 2009.

HIMSS Analytics’ HITECH Act security and privacy survey, also released in late 2009, similarly indicated that more than 30% of business associates did not know the HIPAA privacy and security mandates had been extended to cover them. In addition, 47% of hospitals said they would terminate their business associate agreements because of patient data security violations.

The urgency has certainly changed, said Larry Ponemon, chairman and founder of the Traverse City, Mich.-based research organization. “The HIPAA privacy rule came in with great fanfare nearly seven years ago but saw very little in terms of enforcement, so over time healthcare organizations came to believe they could cut corners and get away with it,” he wrote in an email. “Under the new rules we’ve already seen, with the recent action taken by the Connecticut attorney general against Health Net, there are consequences to any information security and privacy failure.”


CONNECTION


VOLUME 1 • ISSUE 3

