Recently, both state and federal regulators have tightened enforcement of the Health Insurance Portability and Accountability Act (HIPAA). New federal mandates raise civil penalties to as much as $1.5 million per calendar year for violations of an identical provision. In addition, the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of the American Recovery and Reinvestment Act (ARRA), authorized state attorneys general to bring civil actions for HIPAA violations.
Under the ARRA provisions, business associates, such as attorneys, third-party administrators, regional health information exchanges, data analysts, claims processors, and billing and benefits managers for health care providers, must also comply with 32 security standards, as well as additional privacy standards, depending on the access to electronic protected health information (ePHI) they have through the services they provide to covered entities such as health care providers and health plans.
The ARRA provisions also include civil and criminal penalties, and organizations are expected to train their workforce on what those penalties are, the fine amounts, and the circumstances under which they apply. In addition, ARRA contains specific guidelines expanding the enforcement powers of State Attorneys General. Under the new regulations, State Attorneys General have the authority to act on behalf of their state's residents to bring civil actions, stop violations, or obtain monetary damages. Although state action is limited while a federal action on the same matter is pending, this enforcement authority reaches all covered entities, business associates, and individuals with access to private patient information.
These expanded state enforcement powers were first used on January 13, 2010, when Connecticut Attorney General Richard Blumenthal filed suit against Health Net, alleging that the health insurer failed to secure the medical records and financial data of 446,000 members and failed to promptly notify customers of the security breach. While Attorney General Blumenthal's suit was the first, it certainly won't be the last.
Even with the increased regulatory pressure, many health care organizations, including health care providers, insurance companies, and clearinghouses, don't seem to be prepared. Most organizations that provide services to health care organizations and have access to patient information now qualify as business associates as a result of HITECH, and many appear unaware of their obligations.
According to a national survey conducted by HIMSS Analytics, 87 percent of health care providers were aware of the need to meet the new HIPAA security requirements, but only one-third of their business associates were. Because of HITECH, these business associates, which can include information technology providers, carry significantly more liability than ever before. The survey also found that 50 percent of large hospitals experienced at least one data breach in 2009, and that 68 percent expected the HITECH Act's expanded breach notification requirements to result in the discovery and reporting of more such incidents.
Certainly no organization deliberately breaches patient privacy. However, as HIPAA enforcement becomes more stringent, organizations need to be aware of the standards and their modifications, not only to avoid monetary fines but also to avoid exposure to litigation, damage to their reputations, and harm to their relationships with individual health care providers, provider networks, and consumers.
For those seeking to protect their organization and consumers from such consequences, there is help. Independent, third-party HIPAA accreditation, such as the comprehensive HIPAA Privacy and HIPAA Security programs offered by URAC, helps health care organizations, including health care providers, health care clearinghouses, health plans, and their business associates, navigate the complexities of the HIPAA regulations. Unlike general information technology audit and certification frameworks, such as SAS 70 and ISO, URAC HIPAA accreditation is focused specifically on personal health information standards.
URAC's HIPAA accreditation programs help organizations meet quality standards that align with the stringent HIPAA requirements and simplify the compliance process. The accreditation standards are updated regularly to reflect changes in state and federal regulations, such as the ARRA guidelines.
Some of the benefits health care organizations see with URAC HIPAA accreditation include the following:
Assurance that controls and policies for data security are working. – URAC accreditation provides an ongoing, periodic assessment of an organization's health data environment and identifies potential vulnerabilities so that problems can be addressed before they occur.
Evidence of control over information assets for auditors. – Accreditation may satisfy audit requirements for an independent evaluation of health data security controls and policies. It delivers a documented audit trail of the evaluation of the information privacy and/or security program, including its controls (e.g., assessments, training, contractual obligations).
Compliance with HIPAA and other regulations that demand the protection and privacy of data. – URAC accreditation covers many of the requirements found in the Privacy Rule and Security Rule that call for data integrity, security, and privacy. The only way an organization can reasonably be sure that it is in full compliance with laws and regulations is by operating a sound records management program that takes responsibility for regulatory compliance while working closely with the Office of General Counsel. Failure to comply with laws and regulations could result in severe fines, penalties, or other legal consequences.
Baseline measurement for developing an information privacy and/or security compliance program. – Accreditation delivers cost-effective and sustainable compliance by reducing the time Privacy and IT Security departments need to develop audit tools and mechanisms, because the program is built on industry-developed standards designed to support compliance with HIPAA Privacy and Security requirements. This allows organizations to redeploy valuable resources to core IT work.
Hands-on evaluation of entire compliance program including detailed instructions on how to remediate any issue. – In the accreditation process, an organization’s program is evaluated by a URAC reviewer who is skilled in the evaluation of HIPAA Privacy and/or Security compliance programs. This individual will provide advice on issues discovered during the course of the accreditation review.
Tangible savings to the organization's bottom line. – Accreditation can identify potential risks that may affect the organization's bottom line. It is well documented that after a breach of sensitive data, organizations incur costs such as loss of reputation, loss of customers, and mitigation expenses.
Minimized litigation risk. – Organizations undergo accreditation to demonstrate compliance with their regulatory requirements. This can reduce the risks associated with litigation and potential penalties, and continuously maintaining accreditation can reduce the liabilities associated with non-compliance.
Assurance that vital information is secure. – The accreditation process works to ensure that the privacy and/or data security program in place is sufficient to protect the integrity of the organization’s vital records and information as required by the HIPAA Privacy Rule and Security requirements. Incorporated as part of the overall compliance program, accreditation can serve as a vital part of an organization’s compliance strategy.
Support for better decision-making. – Management requires data to make decisions critical to the operations of the organization. The information gained from an accreditation review supplies senior executives with the information needed to make critical decisions pertinent to the organization’s survival.
Reinforcement of the organization's commitment to required compliance. – URAC accreditation reinforces management's commitment to adherence to the organization's privacy and security requirements. Management's commitment to maintaining workforce adherence can help avert a potential breach.
Mark of quality for purchasers and consumers. – The accreditation seal shows both purchasers and consumers that an organization has passed a stringent independent, third-party evaluation of its processes against measurable quality benchmarks.
Presently, several organizations have earned, or are in process to achieve, URAC HIPAA accreditation. To learn how your organization can benefit, visit booth #7567 during the annual HIMSS conference, or visit the URAC website at www.urac.org.
About the Author
Christine G. Leyden, RN, MSN is a Senior Vice President, General Manager of Client Services and Chief Accreditation Officer for URAC, the nation’s leading health care accreditation and education organization. To contact Ms. Leyden, go to www.urac.org.