Understanding healthcare compliance requirements
It is common knowledge that Health Insurance Portability and Accountability Act (HIPAA), set the mechanism for the exchange, safety and privacy of healthcare-related data. Also another important element in healthcare compliance is the Health Information Technology for Economic and Clinical Health (HITECH) Act under which health data breaches have been taken more seriously. The HITECH act widens the meaning of HIPAA, whereby many healthcare enterprises that were earlier exempt from HIPAA privacy and safety rules will now have to abide by it. President Obama’s American recovery and reinvestment act (ARRA) of 2009 popularly known as the stimulus package extended the actual reach of HIPAA.
An HIPAA covered enterprise (legally called a ‘covered entity (CE) is any enterprise that handles personal health records (PHR) or personal health information electronically; therefore the enterprises that generally come under this are hospitals, doctors and health insurance enterprises including Health Care clearing houses. Generally Protected health information includes all the health-related information that might include different details – from visits to doctors or medical specialists, information about allergies, immunization and family health history, records of medicines consumed, surgeries or operations undergone etc. Healthcare enterprises need to meet compliance standards to be able to benefit from Medicare as well as Medicaid. This means that reporting will be an additional function that healthcare enterprises must get involved in, whereby these enterprises will have to report, explain and perhaps even reimburse an extra billing made. The new HITECH provisions includes rules pertaining to disclosing account related details and it sets limits on how PHR or PHI can be used for marketing or fundraising reasons. Under the HITECH, it is a complete no-no to sell protected health information. The act also states that every entity covered under it should necessarily review its information infrastructure and systems to be fully compliant.
Inability to abide as per these HITECH compliance standards or any privacy or security violations will mean severe penalties to be paid which will be collected by the Office of Civil Rights (OCR). Therefore any healthcare enterprise needs to notify data breaches within 60 days. Opting for a HITECH or HIPAA compliance management solution that assists you in complying as per the set guidelines would be a great idea for any healthcare enterprise. Failure to abide as per the rules and you could be looking at a fine as high as US$1.5 million per year and even criminal prosecution.