The HITECH Act, which passed as part of the federal stimulus package (the American Recovery and Reinvestment Act of 2009), contains a number of new, important provisions regarding HIPAA.
The following web link is relatively short and provides a good assessment of what new developments HITECH brings to the HIPAA Security and Privacy Rules.
http://www.wallerlaw.com/articles/2009/02/13/stimulus-bill-expands-the-reach-of-hipaa.8147
Here in Indiana we're also likely to see new, related legislation in the form of HB1121, which will likely pass and go into effect July 1 of this year.
When HITECH is considered in conjunction with Indiana House Bill 1121, a new, more challenging landscape begins to appear for healthcare providers.
Some of the key elements of the two pieces of legislation are:
HITECH Act (contained within the stimulus bill):
1. Expands enforcement and tiered civil penalties for HIPAA non-compliance (up to $50k per violation, plus investigation and court costs).
2. Enables state attorneys general to bring civil actions in federal court on behalf of their residents for HIPAA violations.
3. Requires notification to the Secretary of Health and Human Services (HHS) of breaches of unsecured protected health information; a breach involving 500 or more individuals must be reported without unreasonable delay (and to prominent media outlets), while smaller breaches are logged and reported annually.
4. Requires HHS to publish a list of breaches affecting 500 or more individuals, naming the offending institutions, on its web site.
5. Establishes greater requirements for Business Associates who work with patient data on our behalf (direct applicability of the Security Rule safeguards, breach notification to the covered entity, etc.).
6. Reinforces HIPAA as the "low bar" for security and privacy legislation: individual state laws are preempted only where they are less stringent, so states can exceed, but not fall below, those minimum standards.
7. Heightens requirements for restricting access to and disclosure of patient records (for example, a patient's right to restrict disclosures to a health plan for services paid out of pocket) and for accounting for access/disclosure from electronic health records upon patient request.
Indiana HB1121:
1. Creates an identity theft task force within the Indiana Attorney General's office, which can investigate and prosecute identity thieves and non-compliant businesses.
2. Requires greater notification of breaches (and suspected breaches) to the Indiana Attorney General.
3. Expands encryption requirements for databases holding personal information.
4. Expands requirements for data destruction when computers and media are disposed of.
5. Imposes civil penalties for non-compliance (up to $5k per incident, plus investigation and court costs).
Even in this time of economic challenge, healthcare organizations will need to significantly ramp up their security and privacy risk management efforts in order to stay compliant and to reduce the growing risk, and cost, of breaches.
Wednesday, February 18, 2009
Federal stimulus bill contains new requirements for HIPAA Security and Privacy
Labels: healthcare, HIPAA, HITECH act, privacy, security, stimulus bill