HIPAA-HITECH-Contingency Plan Webinar Overview


The Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted as part of the American Recovery and Reinvestment Act (ARRA) of 2009, significantly modified and strengthened many aspects of the HIPAA Security Rule (and Privacy Rule), including the penalties that the US Department of Health and Human Services (HHS) could impose for violations of the HIPAA rules. Primarily due to decentralized oversight and enforcement, the original version of the HIPAA Security Rule was essentially ignored since its inception. However, all of that has changed as a result of the updates included in ARRA and, more specifically, HITECH. Oversight has been consolidated under HHS and the Office of Civil Rights, and penalties are now collected and utilized by a single agency, HHS. One huge change driven by the HITECH Act is that Business Associates are now statutorily obligated to comply with all relevant sections of the law. If you are a Business Associate or Covered Entity, it's time to get serious: the deadline for full compliance with these new rules was February 17, 2010.

In this live session, attendees will:

• Learn how the HITECH Act raises the ante for HIPAA Security
• Review the HIPAA Security Final Rule
• Cover the significant changes driven by the HITECH Act
• Review the Contingency Plan Standard in detail
• Understand the specific Data Backup and Data Recovery requirements
• Learn how online data backup solutions may help

This presentation will help you

2 Responses to “HIPAA-HITECH-Contingency Plan Webinar Overview”

  1. Jack Anderson Says:

    Business associates need to know that HHS expects them to be compliant with the terms of any BA agreements they have signed, now. Here is the pertinent section from the NPRM:
    9. Business Associates and Covered Entities and Their Contractual Relationships.
    The proposed rule would extend liability for failure to comply with the Privacy and Security Rules directly to business associates and business associate subcontractors in a manner similar to how they now apply to covered entities. The proposed rule would subject business associates to many of the same standards and implementation specifications, and to the same penalties, that apply to covered entities under the Security Rule and to some of the same standards and implementation specifications, and to the same penalties, that apply to covered entities under the Privacy Rule. Additionally, business associates would also be required to obtain satisfactory assurances in the form of a business associate agreement from subcontractors of any protected health information in their possession. If the business associate learns of a pattern of activity or practice of a subcontractor that constitutes a material breach or violation of the contract, the business associate would be required to make reasonable attempts to repair the breach or correct the violation. If unsuccessful, the business associate would be required to terminate the contract, if feasible. In addition, a business associate would be required to furnish any information the Secretary requires to investigate whether the business associate is in compliance with the regulations.
    In the absence of reliable data to the contrary, we assume that business associates’ compliance with their contracts range from the minimal compliance to avoid contract termination to being fully compliant. The burden of the proposed rules on business associates depends on the terms of the contract between the covered entity and business associate, and the degree to which a business associate established privacy policies and adopted security measures that comport with the HIPAA Rules. For business associates that have already taken HIPAA-compliant measures to protect the privacy and security of the protected health information in their possession, the proposed rules with their increased penalties would impose limited burden.
    We assume that business associates in compliance with their contracts would have already designated personnel to be responsible for formulating the organization’s privacy and security policies, performed a risk analysis, and invested in hardware and software to prevent and monitor for internal and external breaches of protected health information.
    We expect that most business associates make a good-faith effort to follow the terms of their contracts and comply with current security and privacy standards.
    For those business associates that have not already adopted HIPAA-compliant privacy and security standards for protected health information, the risk of criminal and/or civil monetary penalties may spur them to increase their efforts to comply with the privacy and security standards. Up to this point, the consequences of failing to meet the privacy and security standards were limited to a business loss in the form of a terminated contract. In the context of the business associate’s overall business, the risk of losing the contract may not be a sufficient incentive to warrant investing in added security or establishing privacy policies potentially at significant expense. There may be other more benign reasons such as ignorance of potential threats or lack of knowledgeable personnel on staff. Regardless of the reason, to avoid the risk of the far more serious penalties in this proposed rule, we expect that business associates and subcontractors that have been lax in their complying with the privacy and security standards may now take steps to enhance their security procedures and strengthen their policies for protecting the privacy of the protected health information under their control.

  2. spokane data recovery Says:

    Thanks. This fixed my issue on the job! I cannot wait to browse more!
