Friday, March 20, 2009

HITECH, common sense and where's my bailout?

Full disclosure, I am not a lawyer - and you should work with your legal cousel to determine proper courses of action.

If you haven't been following the ARRA (American Recovery and Reinvestment Act of 2009) and the provisions within it you should. Even there you'll find a focus on increased information technology in human services, cybersecurity and consumer rights.

Signed into law March 17 2009, the ARRA includes the HITECH (Health Information Technology for Economic and Clinical Health) provisions which serve to not only urge physicians to adopt the use of electronic health records, but also tweak the original language of HIPAA. Some of these tweaks are good for consumers, as it provides them more control over their private information while at the same time work intensive for health IT professionals, vendors and Business Associates. The latter is so because the HITECH provisions now require an accountability for all disclosures of PHI. This means that any disclosure or use of PHI now must be accounted for within treatment, payment and operations , whereas before the information could be shared without account for these purposes.

While this may seem trivial, the original language providing for unaccountable exchange of your information, allowed EHR vendors or Business Associates to develop and operate systems without the features needed to provide a full account of every disclosure. While the legislation does not kick into force until 2014, patients will be able to request an accounting of disclosures for up to the last three years - read you might need to be ready by January 1, 2011.

Also updated are the breach disclosure provisions which will now require practices to post information about security breaches if a breach affects 10 or more patients. If a larger security breach occurs, one affecting 500 or more patients, practices must notify all of their patients, a local media outlet, and the HHS secretary. This now brings HIPAA regulations in line with many state's legislation regarding breach disclosure.

And then there's the money. HITECH/ARRA also calls for increased enforcement rules and a new fervor in leveeing financial penalties. Fines for security breaches start at $100 and can go as high as $1.5 million. In addition, the legislation empowers state attorneys general to enforce some HIPAA elements and gives them the authority to bring class action suits.

While there are obvious implications for practices small and large - the affect will be felt throughout the health IT community for years to come. If you or the company(ies) you support work at all with medical information (covered entity or not) you should take the time to review this new legislation, audit your systems and review your policies and procedures.

No comments: