HIT administrators in for rough ride under tough new HIPAA rules

The coming months will be a difficult time for HIT administrators. Even those with good security policies in place will doubtless be forced to perform a hard-nosed reassessment of their technical and administrative strategies, take a tough look at how they work with partners and subject any vendors hosting HIT applications to a rigorous security check-up.

As you know, federal data breach notification rules for entities covered by HIPAA kicked off last week. The move significantly expands the exposure those entities face when personal health information gets loose, and ups the ante considerably in extending coverage to "business associates" of HIPAA-covered entities. That term can cover a very wide range of contacts, including HIE partners, third-party administrators, claims processors, attorneys, accountants and software providers.

Under the rules, HIPAA-covered entities such as hospitals, doctors and health plans have to notify individuals whose PHI has been compromised in an unauthorized release. The new rules also allow for criminal and civil penalties, effectively giving HIPAA's existing sanctions a shot of steroids.

The rules do leave room for some loopholes. For example, if the breached data is encrypted, making it unreadable, unusable or indecipherable, covered entities don't need to notify anyone. Another, far broader exception allows providers to skip the notification process if the breach doesn't pose a major risk of financial or other harm to an individual--and lets the provider decide whether the possible harm meets the disclosure standard.

To learn more about these rules:
- read this Federal Computer Week piece
- read the HHS rules
