Industry Update: HIPAA/HITECH - Audits, Notifications, and Penalties

By Bill Jenkins, Senior Security Engineer, Coalfire

Those in the healthcare industry (both covered entities and business associates), and anyone receiving healthcare services, are familiar with the Health Insurance Portability and Accountability Act (HIPAA) enacted in 1996. HIPAA opened the door to increased exchanges of healthcare information in an effort to improve care and reduce costs. The Act also included new provisions for protected health information (PHI): the Administrative, Privacy, and Security Rules. Most entities covered by HIPAA addressed the new requirements and have moved on to the next challenges. But because review and enforcement efforts were limited, the effectiveness of those implementations has remained an open question.

In 2009 we saw many waves of change in the healthcare industry on several fronts.  In particular, the Health Information Technology for Economic and Clinical Health Act (HITECH) portion of the American Recovery and Reinvestment Act of 2009 (ARRA) contained four significant changes.  First, HITECH extended the scope of the original HIPAA Rules to include the business associates of previously covered entities.  Second, efforts were renewed to push the adoption of Electronic Health Records (EHRs).

HITECH also provides billions in incentive funding for the "meaningful use"(1) of EHRs. To validate "meaningful use" claims and implementations, the Department of Health and Human Services (HHS) established a certification program for EHR modules and systems. Vendors developing new capabilities must submit their products to approved third parties to receive official certification for the specific product and version. Although EHR products are reviewed for their compliance with the HIPAA Rules, using certified products does not guarantee you will pass a HIPAA audit, much as auto safety testing does not guarantee you will survive a crash or achieve a certain MPG result.

Third, a Breach Notification Rule was established that provides stiff penalties(2) and publication(3) of PHI exposure incidents, holding the covered entity responsible for the actions (or inactions) of their associates.  Finally, HITECH provided direction and funding for audits of HIPAA compliance(4).

Fines associated with a breach or audit failure are particularly harsh for those guilty of Willful Neglect(5), meaning a failure to act, or to know, when a reasonable person should have. Since the enactment of the Breach Notification Rule, over 250 breaches have been reported, impacting more than 10 million people.

HITECH alone would have been enough change for the healthcare industry to absorb, but there were other changes. Also in 2009, the CMS(6) issued requirements for electronic healthcare transactions to move from the existing standard (ICD-9) to a new one (ICD-10), with the conversion to be completed by the end of 2013. Many of these transactions deal with verification of coverage, payments, and claims; they also affect business associates and can involve PCI and other related compliance requirements. And then in 2010, Healthcare Reform was passed. Its impacts and ramifications are still being vetted, contested, and understood.

Confused and perplexed? You are not alone. Over the next several months, Coalfire will continue to publish articles regarding healthcare privacy and security in an effort to clarify and simplify the challenges being faced by our friends and clients.

For more information about data security and compliance issues that affect the healthcare industry, see our recent webinar, "HIPAA Modifications & HITECH Rules: What are the Security Essentials?".

(1) The criteria defining meaningful use include over 25 elements for Stage 1 and will be revised annually by HHS.
(2) Thousands per violation
(4) Likely to begin in 2012
(5) Tens of thousands per violation
(6) CMS: Centers for Medicare and Medicaid Services