New HIPAA/HITECH Rules Implementation Sept 2013 Deadline
Do you work with PHI in your business? Do you work with or support any companies that are in healthcare? Then you need to be aware of the looming deadline for the HIPAA/HITECH rules for protecting data.
The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules. The HITECH Act requires HIPAA covered entities to report data breaches affecting 500 or more individuals to Health and Human Services (HHS) and the media, in addition to notifying the affected individuals.
This particular posting concentrates on the Omnibus rules, which were adopted on March 26, 2013; compliance with most of the law is required by September 23, 2013.
Covered entities must bring all of their Business Associate Agreements (“BAAs”) into compliance with the Rules; the new Rules also apply this requirement to Business Associates’ agreements with their covered subcontractors.
So what do you need to know? First, the Act has expanded the definition of what qualifies as a “Business Associate” to include any parties that “create, maintain or transmit” personal health information (PHI). This new, broad definition includes many subcontractors not previously covered by the Act. These newly covered “business associates” will be held to the same compliance regulations as the company that delegates work to them with regard to electronic PHI. What’s more daunting is that this compliance travels from the top down: a subcontractor’s subcontractor is held to many of the same compliance requirements as the original business associate.
The final rules move HIPAA enforcement away from the previous voluntary compliance framework and toward a penalty-based system. The tiered penalty structure has penalties ranging from $100 to $50,000 per violation, depending on the level of culpability, with a $1.5 million cap per calendar year for multiple violations of identical provisions, and criminal penalties of up to 10 years’ imprisonment. Willful neglect is at the top of the scale, and even where there is merely a possibility of a violation due to willful neglect, HHS can impose civil monetary penalties without exhausting informal resolution options.
- Consult with a Cyber Security Attorney
- Have strong, signed contracts in place with vendors, business associates and contractors/subcontractors regarding data transmission, data storage, privacy, encryption and locking down of data.
- Require everyone you work with to provide an up-to-date declarations page for both a Technology Errors & Omissions policy and a Cyber Liability policy (and a Business Owners Policy if equipment is involved) as a condition of working with you and your clients. For those of you who are startups, this is not handled by your home/auto insurance agent; it is specialty coverage handled by a technology coverage broker/consultant.
We'll be discussing this in detail at our upcoming seminar, Cyber Liability and Health Care Reform Strategies for Small Technology Companies, at the Colorado Technology Association Headquarters on Thursday, August 1, 2013, 4:00pm-6:00pm: http://denvertech-hcr-cyber.eventbrite.com