Jun 10 2009

How ARRA and HITECH provisions affect HIPAA compliance

Category: hipaa | DISC @ 4:02 pm

Image: HIPAA Compliant Seal (by Kestelnon via Flickr)

HIPAA Plain and Simple

This post covers how the ARRA and HITECH provisions will affect HIPAA compliance. We highlight the changes to HIPAA that these new provisions introduce and discuss a possible approach to complying with the new HIPAA security and privacy requirements. The American Recovery and Reinvestment Act of 2009 (ARRA) was signed into law on February 17, 2009. The Health Information Technology for Economic and Clinical Health Act (HITECH) provisions of ARRA include important changes to the Health Insurance Portability and Accountability Act (HIPAA).

Business associates (effective 2/17/2010) – A Covered Entity (CE) applies the HIPAA provisions to its Business Associates (BAs) through the business associate agreement. The HIPAA Administrative Simplification Security Rule “shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity.” With the changes in the HITECH privacy provisions of ARRA, a business associate is now directly responsible and liable for a breach. CEs should revise their business associate contracts to reflect these changes before the deadline.

Civil Action & Penalties – State Attorneys General can now prosecute neglect, and individuals can receive monetary compensation. HIPAA now has teeth, with monetary penalties and civil and criminal prosecution.

Breach Notification – Notification to the individual, to HHS and to the media. Notification becomes more formal when more than 500 affected residents are involved: use appropriate public media for cases involving more than 500 individuals. A breach requires notification, and the requirement is triggered by an incident involving “unsecured protected health information”.

Accounting for Disclosures – A CE is accountable for its BAs' disclosures of Protected Health Information (PHI).

Sale of Protected Health Information – CEs and BAs cannot receive payment in exchange for PHI without the individual's authorization. CEs and BAs are required to tell patients about disclosures of PHI for payment, treatment and administrative operations.

HIPAA compliance and how to manage your risks to healthcare assets:

HIPAA requires a CE to have appropriate administrative, technical and physical safeguards to protect the privacy of health information. However, HIPAA does not provide specific guidance as to which measures and controls are appropriate.

ISO 27001 provides the basis for building an Information Security Management System (ISMS), in which an organization develops its own ISMS by applying controls from the ISO 27002 code of practice. Only those controls apply which relate to the organization's business objectives and the potential risks to the business. One document required to build an ISMS is the Statement of Applicability (SoA), which explains why each of the 133 controls from ISO 27002 that is included in the SoA was selected and justifies the exclusion of the remaining controls. An ISMS can be built to suit your HIPAA needs: a healthcare organization could use its ISMS to ensure that the controls required by the HIPAA security standards were selected from ISO 27002 and appropriately implemented. Certifying the ISMS against ISO 27001 provides ongoing assurance to HHS and healthcare business associates, which can give an edge in this downturn economy and open more business opportunities worldwide.

5 HIPAA Rules Regarding Text Messaging

Resources:
CMS audit checklist
NIST guide for implementing HIPAA


Tags: American Recovery and Reinvestment Act of 2009, arra, Health Insurance Portability and Accountability Act, hipaa, hipaa laws, hipaa privacy, hipaa security, hippa compliance, hitech, Protected Health Information

20 Responses to “How ARRA and HITECH provisions affect HIPAA compliance”

  1. How ARRA and HITECH provisions affect HIPAA compliance says:

    […] Original post by DISC Infosec blog […]

  2. Top 10 technologies for the next three years | Technology School at CityU of Seattle says:

    […] How ARRA and HITECH provisions affect HIPAA compliance (deurainfosec.com) […]

  3. Security controls and ISO 27002 | DISC InfoSec blog says:

    […] Comments Top 10 technologies for the next three years | Technology School at CityU of Seattle on How ARRA and HITECH provisions affect HIPAA complianceBlogger Make Money on Access to computers on saleBlogger Make Money on Security breach and […]

  4. liposuction says:

    Unless otherwise noted, the compliance deadline for the new HIPAA … The Effect on Business Associates: Business associates must comply with the … Change under the HITECH Act: Within six months of ARRA's enactment, … the violation is a criminal offense under HIPAA's criminal penalty provisions. …

  5. mesothelioma_lawyer says:

    Thanks for information, I'll always keep updated here!

  6. StevenTaylor says:

    So what's new? People shouldn't be very surprised because our politicians don't really care about law enforcement and health care. The medical system is getting worse and worse, but we do have some good news from the laws that will force health insurance companies to accept chronically ill people. That's all. But I need to mention that the law forcing health insurance companies is still to be discussed.
    ___________________________________________________
    No Prescription Online Pharmacy

  7. FreddySimpson says:

    Thanks for posting the resources because it gave me the opportunity of checking your data and it all seems quite accurate. This means our health reform is going down the hill.
    ________
    Canadian pharmacies

  8. Health Net healthcare data breach affects1.5 million | DISC InfoSec blog says:

    […] a loss of patient data demonstrating poor baseline security. They clearly are not ready for the new HIPAA provision ARRA and HITECH. Review my threats page and evaluate your current system to make sure this does not happen to you. […]

  9. UCSF laptop containing patient files stolen says:

    […] a loss of patient data demonstrating poor baseline security. They clearly are not ready for the new HIPAA provision ARRA and HITECH. Evaluate your current business and system risks to make sure this does not happen to you. […]

  10. liposuction financing says:

    Wow, this one is what I'm looking for.

  11. watch the social network online says:

    Thanks for sharing the link, but unfortunately it seems to be down… Does anybody have a mirror or another source? Please answer to my post if you do!

    I would appreciate if a staff member here at blog.deurainfosec.com could post it.

    Thanks,
    Jules

  12. estate real tips says:

    Awesome info. We thank you for your effort.

  13. cosmetic surgery sydney says:

    How does it affect a small business like me?

  14. disc7 says:

    HIPAA applies to “covered entities” and “business associates” of covered entities. Covered entities generally include health care providers, health plans, and health care clearinghouses. Business associates of covered entities are those persons or entities that have access to PHI (protected health information) as a result of a contractual relationship with a covered entity to perform services that involve the use or disclosure of PHI.

  15. red tyke says:

    With the current buzz of mediocre drugs in the market, it's no wonder legislation made this law.

  16. bee pollen says:

    The increasing number of people patronizing alternative medicine may be caused by the expensive meds or by the increasing awareness of natural solutions.

  17. asian cosmetic surgery says:

    There are different health regulation laws imposed by the government that limit the entry of new businesses into the industry.

  18. Hipaa arra | Honeste says:

    […] How ARRA and HITECH provisions affect HIPAA compliance – Jun 10, 2009 … How ARRA and HITECH provisions will affect HIPAA compliance. We will highlight the changes to HIPAA due to these new provisions and discuss … […]

  19. Tummy Tuck Scars says:

    Tummy Tuck Pictures…

    […]right here are a few links to websites which we connect to for the fact we feel they’re well worth checking out[…]…
