Increasing Risk to Health Care Organizations and Their Business Associates
Recent enforcement actions and significant amendments to the HIPAA Privacy Rule compel employers to revisit their HIPAA compliance efforts. The American Recovery and Reinvestment Act (ARRA) requires that the Department of Health and Human Services conduct periodic compliance audits of entities subject to regulation under HIPAA.
Some call it HIPAA II. Technically, it is the Health Information Technology for Economic and Clinical Health (HITECH) Act. It spells out more rigorous data security requirements for all health care organizations as well as their business associates. One of the more significant security provisions, the security breach notification rule, is now in effect: affected individuals must be notified, and breaches affecting more than 500 individuals must be reported to the Department of Health and Human Services (www.hhs.gov), where they are posted for the public.
ARRA also encourages the adoption of Electronic Medical Record (EMR) technology to achieve efficiencies in the care and treatment of patients. Health care organizations will be challenged to implement these EMR systems in ways that restrict access to authorized individuals without unduly inhibiting time-critical access for patient treatment and clinical services.
Increasingly, personal health information has become a target for criminals seeking to commit fraud. Health information frequently contains the identity information used for identity theft. Cases of medical identity fraud, in which an individual's stolen health insurance information is used to fraudulently obtain medical services, are also on the rise. There are even cases where stolen medical information has been held hostage to extort a ransom from a medical institution.
The HIPAA privacy and security rules now apply directly to business associates such as banks, claims clearinghouses, health information exchanges and billing firms, as though they were health care organizations. Previously the HIPAA rules pertained only to "covered entities". Many more organizations now face increased compliance and reputational risk as a result of this rule change.
Here are some actions that HIPAA Covered Entities and Business Associates can take to manage these new risks. See our Services page for more information on how Assurance Point can help.
• Conduct a risk assessment that reviews your privacy and security policies, standards and procedures against the threats to protected health information.
• Consider broader use of encryption technology to protect both stored and "in flight" data. HITECH states that organizations do not have to report breaches of properly encrypted data.
• Create detailed breach notification plans and include your business associate vendors in those plans.