Health Information Technology for Economic and Clinical Health Act (HITEC) points to some substantial changes in the rules relating to the minimum necessary disclosures of personal health information, imposes additional notice requirements in the case of security breaches and grants new enforcement powers to the states.
The Health and Human Services Department, which enforces HIPAA security and privacy laws, recently released guidance on what counts as “unsecured” information and a request for comments on breach notification under HITECH.
For employers whose health plans must comply with HIPAA privacy and security rules, HITECH means they will have to review and update contracts with business associates to ensure that the documents reflect the new privacy and security laws.
The changes introduced by HITECH will have enormous consequences for third-party vendors, such as benefits brokers and consultants, that act as business partners for self-funded group health plans and large, experience-rated insured plans.
Such vendors will need to take steps to conform to the substance of the HIPAA security standards. Compliance will, at a minimum, entail the adoption of physical, administrative and technical safeguards. This will include implementing security polices and procedures.
In the case of business associates, HITECH makes the following changes:
• Business associates are now subject to the substantive provisions of the HIPAA security rules generally in the same manner and to the same extent as covered entities;
• Business associates must now enter into and abide by a business associate agreement (previously, the burden was on the covered entity to identify business associates and to obtain the necessary business associate agreements);
• Business associates are now subject to civil and criminal penalties for violation of these rules; and
• HHS is required to conduct periodic compliance audits of business associates as well as covered entities.
Remember, the Red Flags Rule ammendment to FACTA also calls for changes in the contracts with service providers and third party vendors. Under law the changes must include an understanding of that vendors’ policy concerning information security and identity theft prevention. A lot of companies are not used to this kind of oversight, and might not understand their responsibility regarding sensitive information policy.
On August 1 of 2009 the FTC will begin the enforcement phase of the Red Flegs Rule meaning that since the law went into effect on January 1st of 2008, different industry sectors have been on notice to implement a program to address identity theft and how to respond in the event of a breach of information. Now enforcement in the form of audits and possible fines and prosecution will begin for businesses who have ignored or skirted the law as it applies to them. For more information on the Red Flags Rule see the link in my column to the Red Flags Rule.
When a medical facility, Human Resources contractor, or benefits broker applies the newest rules of HITEC with regard to medical information security they will not be precluded from adherence to FACTA as well. HIPAA and its initiatives only address the security of medical data not other types of personally identifiable information such as employee files or financial information. A recent case in January of this year involving the theft of 30,000 personnel files from the Kaiser Medical facilities in Oakland California points out graphically that compliance with one law doesn’t necessarily cover the business regarding the other, even though both laws address information security. Compliance for both inititiaves do have common ground however. A written policy is essential as a starting point to establish the culture of security from the Board down. Training, as I mention here as often as I can is next. I can’t over emphsize the importance of onging training of all staff. Contractor oversight is another common point. Without that the system cannot work effectively. It isn’t as important for one company to adhere to a good security program as it is for all the companies that share the information to do so.
It has also come to my attention that enforcement of the HITEC initiatives will be transferred to the FTC, and not be enforced by HSS as previously thought. Although oversight will remain with HSS, the FTC has a track record of enforcement of consumer protection regulations.