Tuesday, May 26, 2009

ready – set – go (HIPAA countdown)

With funding approaching 800 BILLION DOLLARS, the American Recovery and Reinvestment Act (ARRA) is imposing compliance timelines...so basically you have until February 17, 2010 before HIPAA (and Centers for Medicare & Medicaid Services) audits:

  • February 2009 – ARRA Civil monetary penalties are placed
  • April 2009 – HHS (Health and Human Services) guidance on Securing EHR (Electronic Health Record) published
  • August 2009 – HHS and Federal Trade Commission (FTC) interim security breach notification to be released
  • December 2009 – HHS to release adoption of initial prioritized set of standards
  • January 2010 – Deadline for complying with accounting disclosure rules
  • February 2010 – HHS will begin auditing HIPAA entities, including requirements for implementation of Business Associate Agreements, as well as enforcement of rights of electronic access to records

Like California's breach legislation SB1386, it will be federal law governing PHI data breach notification, and it carries a criminal offense pursuant to provisions of the Social Security Act.

To patients, this means we are entitled to be notified of PHI disclosure and have the option of prohibiting disclosure of PHI to insurers and other Business Associates if treatment is paid out-of-pocket. To covered entities and business associates, this means rendering the PHI indecipherable or unusable, which yields an optional safe harbor from the new data security breach notification requirement. Unreadable PHI primarily translates to encryption and/or destruction, either “at rest” or “in motion”; destruction pertains to shredding either paper or electronic media; and both reference National Institute of Standards and Technology (NIST) guidance for clarification.

That said, if your data is “PHI secured”, then it's actually exempt from breach notification requirements (not to mention HHS cases involving fewer than 500 people affected). Things that make you go...hummm

Some parallels are drawn with other existing security and breach requirements, and even implementation of the requirements resembles PCI compliance and its risk-based approach; see the Security Rule. Nothing new there, but a line is starting to be drawn in the sand much like PCI...as is the extended grace period for compliance.

...a continuation of my prior post on HIPAA and HITECH, as well as some light reading on the American Recovery and Reinvestment Act of 2009; better yet, more later on Medicare Section 111. Moreover, compliance effort can be reduced by integrating and standardizing claims and payment systems, or simply (though not always practically) by reducing the amount of sourced data.
