Breach Notification: Here Comes the Enforcer
After years of lax enforcement of the Health Insurance Portability and Accountability Act's privacy and security rules, HITECH spells out several tough enforcement measures, including designating the Office of Civil Rights within the U.S. Department of Health and Human Services to enforce HITECH's beefed-up breach notification rule.
Under the breach notification rule, hospitals, clinics, insurers and others must prepare a detailed plan for how to deal with a breach if one should occur, says Dan Rode, vice president for policy and government relations at the American Health Information and Management Systems Society, Chicago.
The plan should spell out who will be involved in notifying patients of a breach, how the organization will conduct an analysis of why the breach occurred and what steps should be taken to prevent future breaches, he says.
Unfortunately, many hospitals still have a long way to go when it comes to HIPAA and HITECH compliance.
A recent survey by the Healthcare Information and Management Systems Society found that only half of hospitals had a plan in place for responding to a security breach as of late last year.
Given the looming Feb. 22 enforcement deadline, and HHS' other efforts to beef up HIPAA enforcement, the time to enhance information security is now.
In addition to breach notification rule enforcement, HHS will conduct periodic audits of healthcare organizations and their business associates to ensure they are complying with HIPAA.
Plus, state attorneys general can now bring civil actions for HIPAA violations. Connecticut's attorney general recently became the first to file such a suit.
Under HITECH, penalties for breaches of personal healthcare information or other HIPAA violations now range up to $1.5 million per violation. These are separate from any criminal penalties that might apply.
Plus, penalties can now be levied against individuals within a healthcare organization as well as the organization itself.
The prospect of steep fines could prove to be a powerful incentive for more healthcare organizations to make information security enhancements a priority.
Here's hoping that most organizations don't procrastinate until the auditors come knocking at the door or the subpoena arrives from the courthouse.