As we wait for the HITECH Act updates to HIPAA to be finalized, yet another article signals the administration's intent to strengthen privacy protections for health data: http://www.nytimes.com/2011/05/31/business/31privacy.html
A recent report from McKinsey & Company on the evolution of information technology focuses on health care as a sector to watch: "For instance, if US health care could use big data creatively and effectively to drive efficiency and quality, we estimate that the potential value from data in the sector could be more than $300 billion in value every year, two-thirds of which would be in the form of reducing national health care expenditures by about 8 percent." Full report at http://www.mckinsey.com/mgi/publications/big_data/index.asp
It seems HHS is laying the groundwork for the issuance of the updates to HIPAA privacy and security rules under the HITECH Act. As reported May 16th in the Washington Post:
“The nation’s push to computerize medical records has failed to fully address longstanding security gaps that expose patients’ most sensitive information to hackers and snoops, government investigators warn.”
On August 19th, HHS issued new rules requiring HIPAA covered entities to notify individuals when their health information is breached. The breach notification rules implement provisions of the HITECH Act, passed as part of the federal stimulus legislation in February. A full copy of the new rules is available here.
The breach notification requirements will become effective on September 23rd, 2009.
Significant changes to HIPAA include:
- Notice must be provided to affected individuals without unreasonable delay, and in no case later than 60 days after discovery of a breach.
- The notice must contain the specific elements listed in the rules (what happened, what information was involved, what individuals should do, what the entity is doing, and how to contact it).
- For breaches involving 500 or more individuals, the covered entity must also notify "prominent media outlets" serving the affected area and HHS, within the same 60-day window.
- Breaches affecting fewer than 500 individuals must be logged and reported to HHS annually.
- Covered entities must change policies and procedures as necessary to comply with these new rules.
- Workforce members must be trained about the impact of the new data breach requirements.
Note that the policy development and training requirements apply to all covered entities.
In addition, the regulations contain updated guidance on what it takes to adequately secure health information so that it falls outside the notification rules. The practical point is that notification is only required for "unsecured" protected health information: the guidance recognizes encryption (consistent with the cited NIST standards for data at rest and in transit) and destruction of the media as the methods that render data unusable, unreadable, or indecipherable. Access controls, passwords, or other safeguards on their own do not take a breach out of scope, so organizations that want the benefit of this safe harbor need to verify that their encryption deployment actually meets the guidance, including how the keys are protected.
Health care organizations need to move quickly to ensure compliance with these complex new rules in an extremely compressed time frame.