HHS issues interim rule affecting enforcement provisions of HITECH Act
The U.S. Department of Health and Human Services Office for Civil Rights last month issued an interim final rule that affects enforcement provisions of the HITECH Act. The interim final rule, which is effective Nov. 30, was adopted pursuant to new HITECH penalty provisions that apply to violations occurring after Feb. 17, 2009.
Part of increased privacy and security protections under the American Recovery and Reinvestment Act of 2009, the Health Information Technology for Economic and Clinical Health Act expands upon HIPAA's privacy and security protections for individuals' health information. The rule regulates when and how to notify patients if health care information has been exposed in a security breach.
This interim rule follows up with monetary penalties associated with breach notification. Hospitals, doctors and other health care organizations covered under the Health Insurance Portability and Accountability Act of 1996 are covered by the new rule and subject to the rule's penalties.
The rule is indicative of a tougher stance on regulatory enforcement with regard to patient privacy, electronic health information security and enforcement methods. If covered dentists (those who use electronic transactions) have not assessed the dental practice's risks and ensured that their compliance program is complete, "now is the time to do it to avoid the potential for penalties if a breach does occur," advises Dr. Robert Faiella, 1st District Trustee and ADA Board of Trustees liaison to the council.
HITECH and HIPAA privacy and security changes include:
- Notification—If personal health information is breached a risk assessment needs to be done to determine if there was an actual risk of harm to an individual(s) whose information was exposed.
- Enhanced enforcement and increased penalties—documentation requirements are necessary to meet compliance.
- Business associates and their employees must now comply with HIPAA.
HITECH breach notification guidance is available to members free of charge at www.ada.org/goto/hipaa. The guidance was created to help dentists determine applicability of the new breach notification rules in a number of likely scenarios. It assists members and their employees who have questions about their current security needs, including encryption. Included is a discussion of proper media and records disposal.
The HIPAA Security Kit is available in eBook format from the ADA Catalog.
A revised HIPAA implementation guide covering HIPAA privacy, security and HITECH breach notification will also be available from the ADA Catalog in January 2010. Entitled the Complete HIPAA Compliance Kit for Dentists, it will include a three-year update service assuring a resource that covers pending changes. Visit the ADA Catalog at www.adacatalog.org.To read the HITECH enforcement interim final rule, visit the HHS Office for Civil Rights Web site.