Get Ready Now for Toughened HIPAA/HITECH Act Privacy and Security Rules and Enforcement, and Big Noncompliance Fines

On February 17, 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH Act) was enacted as part of the so-called stimulus package known as the American Recovery and Reinvestment Act (Public Law 111-5). Enhanced privacy and security provisions—including extension of requirements to business associates of covered entities, specification of breach notification requirements for unsecured protected health information, and substantially increased penalties for non-compliance—were included in the HITECH Act. These provisions have been encapsulated in notices of proposed rulemaking and interim final rules. The federal government has indicated that Final Rules for Privacy, Security, Breach Notification, and Enforcement will be published in the Federal Register simultaneously—no later than the end of 2011, and expected in September as noted by the Office of Information and Regulatory Affairs at the Office of Management and Budget (OMB), with HDM Breaking News on July 7, 2011, reporting that the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) “confirms that anticipated timetable.” If so, and with compliance required for privacy and security changes 240 days following publication, compliance would most likely be required in May 2012. Note that, as interim final rules, breach notification requirements and enforcement penalties already require compliance or are effective, respectively.
Again, if your organization has not already done so, it is time to start or review your risk assessment, with guidance available from the National Institute of Standards and Technology (NIST), prepare your required policies and procedures for safeguarding protected health information based on risk assessment outcomes, and provide privacy and security safeguard training to your workforce members on those policies and procedures. Final rules will be out soon and the time to achieve compliance–240 days from publication–is short. We recommend that you start now.