
HiTech Act Rule Poses New Privacy Risks for Healthcare Industry

Final Rule Under the HiTech Act Brings Added Privacy Exposures for Healthcare Providers, Business Associates

In January, the Department of Health and Human Services (HHS) announced the issuance of the final rule from the Health Information Technology for Economic and Clinical Health Act (HiTech), to become effective March 26, 2013. Compliance will be required by September 23, 2013.

The rule implements changes made to the HIPAA Privacy and Security Rules under the HiTech Act, in addition to expanding the liability of business associates of hospitals, physicians and other HIPAA-covered entities if they release data in ways that violate a patient’s privacy. It clarifies when breaches of information must be reported to the Office for Civil Rights and establishes new rules on the use of patient-identifiable information for marketing and fundraising.

The rule also restores a limited right of consent to patients to control the release to their insurance company of records about their treatment if they pay for that treatment out of pocket. And it spells out how the increased penalties for privacy and security violations under the American Recovery and Retirement Act are to be applied.

The expansion of direct liability to business associates of hospitals, physicians and other HIPAA-covered entities includes a provider's healthcare data miners and health information technology service providers. So, for example, if a medical practice or hospital uses a third-party service to store patient records in the cloud, the company storing the files has an increased obligation to protect that information, and could be found responsible for a breach along with the medical practice or hospital. Under the rule, the penalty cap for business associates increases to $1.5 million, depending on level of culpability.

To meet the compliance deadline of September 23, 2013, covered entities and business associates should implement these steps, if they haven’t already done so.

  • Update breach notification policies and procedures to reflect the changes to the risk of harm determination;
  • Identify which types of Protected Health Information (PHI) are “unsecured” and evaluate whether unsecured PHI can be made secure using approved technologies and methodologies (e.g., encryption);
  • Consider the impact that state laws may impose with respect to breach notification;
  • Ensure that business associate agreements include clear language regarding responsibility and liability for breach notification obligations; and
  • Train workforce members on the revised policies and procedures.

Moreover, be sure you have a Privacy & Network Security insurance policy in place in the event of a data breach. A cyber liability insurance policy helps pay damages and other expenses, such as those associated with notification and legal defense, forensic investigation costs, remediation expenses, and public relations. Policies also have a regulatory component, which will cover defense and pay fines and penalties as a result of regulatory action; in the case of the healthcare industry, for example, under HIPAA or the HITECH Act.

At Axis Insurance Services, LLC, we specialize in Privacy & Network Security and can help you with your policy needs in addition to providing assistance in mitigating losses with effective risk management. Give us a call at: (877) 787-5258.


Blogged on: March 11, 2013 by Mike Smith