Five Steps for Addressing HITECH Requirements

Data breaches can hamper an organization’s credibility and carry enormous medical and financial risks to the people whose data is lost. The HITECH Act increases the stakes for a data breach. Organizations often think first of IT security measures to protect personal data, but we have found through working with healthcare organizations that most data breaches are linked to human error or process failure.

Examining all aspects of PHI (Protected Health Information) security and data breach readiness is of utmost significance with breach incidents on the rise. Recommended below are five steps to all healthcare organizations for addressing HITECH compliance.

·         Conduct a risk based review

In any incident response plan, the first step is to conduct a comprehensive risk based assessment of the practices associated your PHI assets and their lifecycle. This should include creating a precise inventory of the PHI data contain all the internal and external workflows where the information is used. It also needs to not only identify the PHI-specific risks in your IT systems, but should identify the same in the organizational policies and processes.

·         Go by the guidelines and secure PHI

With your risk-based assessment and PHI stock in hand, it is necessary to make certain that the information  is secured or protected any technology that is specified by the Secretary of Health and Human Services (HHS) pursuant to the Healthcare regulatory compliance. This includes “de-identification” of personal data (i.e., ensuring that you provide only as much data as is required for each business process or function).

·         Address contracts and processes

The HITECH Act expects a contract with business associates to authorize and define the use of the PHI that is shared with them. Business associates include healthcare organizations, industry service providers, suppliers or any other organizations. The legal team will be able to prioritize contract revisions post a risk-based assessment and ascertain the associates that pose the highest breach risk.

·         Prepare for Breach Detection

Under the HITECH Act, it is necessary to provide a notification within 60 days when PHI in any form is breached, not just electronic records. The definition of “breach” now includes even incidental loss or exposure of single records or small amounts of personal information. The new rule states that a breach is officially discovered on “the first day it is known & or should reasonably have been known.” Earlier, data breaches have been discovered months or years after the victims began complaining of identity theft. These days, failure to detect a breach can trigger penalties up to $1.5M. Aggressive, ongoing monitoring programs that range from IT audits to checking patient health records for inconsistencies recommended ensuring early breach detection.

·         Plan for Breach Response

To meet HITECH requirements, it is necessary to have a detailed breach response plan in place. Under HITECH, notification requirements are more specific, and notification is essential even for small-scale data breaches. It is also important to consider vendors who provide turnkey notification services, including call centers and postal mail. Remediation services for breach victims will help preserve public trust in your organization.

HITECH compliance is likely to affect every aspect of your operations: business and healthcare processes; IT data security, retention, and monitoring; contracts and business relationships. Ultimately, a better understanding of the IT Compliance process will prove beneficial to the patients, employees and business.

Processing your request, Please wait....