Importance of HITECH Compliance
HIPAA has been enforced to safeguard the confidential personal health information of medical patients. It has strict guidelines making regular security monitoring and assessment mandatory and recommends encryption as an essential security parameter.
With a rising number of security breaches there is a lot at stake for both patients as well as healthcare organizations. The HITECH (Health Information Technology for Economic and Clinical Health) Act came about as an extension of HIPAA extending itself to business associates such as those offering legal, IT or accounting services, those providing financial support or those involved in marketing etc.
The new rule also requires healthcare entities to give specific notification to patients about data breaches. Business Associates and healthcare providers have to undergo audits from time to time to ensure overall HITECH compliance. Non-compliance can result in heavy penalty up to $250,000 while for repetitive and non-rectified violations the penalty can go up to a maximum of $1.5 million. Therefore in order to ensure that all their security parameters are in tandem with HITECH requirements, healthcare organizations need to take care of certain vital elements:
1. Assessment of Risks – The healthcare providers need to conduct an extensive analysis on existing practices that are related to personal health information to assess risks in data breaches. Maintaining a PHI inventory with accurate information can help in identifying risks in policies and procedures as well as in IT systems. Identifying business associates with accessibility to PHI is also vital.
2. Secured Metrics– Healthcare organizations need to ensure that risk assessment information is secure by following the HITECH guidelines. The amount of personal data revealed should be only as per the requirement of any business process. Encryption of information systems is the ideal approach to reduce risks of data breaches and to tackle data breach notification requirements.
3. Contract Scrutiny– As per HITECH law all business associates have to clearly state the utilization of personal information that they have been allowed to access. An assessment of procedures provides an insight on which associates pose the highest threat. As a result healthcare organizations can make changes in the contract and initiate processes for negating high risk contracts.
4. Breach Detection Plan – According to HITECH Act a notification must be provided within 60 days in the event of any data breach. This includes minor losses or revelation of either single records or any amount of personal information. If an organization is reported to be incapable of detecting a breach it would mean fines up to $1.5 million.
5. Breach Response Plan – Notification of the smallest data breach is mandatory according to the HITECH Act. A record of every breach has to be submitted to the Department of Health and Human Services.
Healthcare organizations have to shoulder immense responsibilities in providing security to their patients’ data. Hence it is important for them to invest in competent and aggressive HITECH compliance management software that can detect breach early and maintain IT audits to check for irregularities in patient records.