HIPAA Solutions, LC    

Comprehensive Resources for HIPAA Compliance

February 1, 2010 - HIPAA Alert

HIPAA & HITECH Stronger Enforcement Environment  

"Secondary Enforcement" & Civil Litigation Create New Worries for CEs & BAs   

Reducing the risks of non-compliance with new rules enacted under the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was part of the American Recovery and Reinvestment Act of 2009 (ARRA), means that every Covered Entity (CE) and Business Associate (BA) should take a hard look at their current levels of compliance with HIPAA on an enterprise-wide basis.

In the past, when questions arose about the right of an individual to sue using HIPAA, the quick answer was usually, "No - a person cant sue using HIPAA."  While that answer has been widely accepted and spread on the internet for years, the enforcement arena has changed.  

So, why should anyone worry about litigation and individual lawsuits now if your organization is either a Covered Entity (CE) or a Business Associate (BA)? There's a simple answer . . . the HITECH Act is the new HIPAA "sheriff" in town and HITECH has changed the face of enforcement with serious penalties for non-compliance. 

Of more than passing interest is the fact that HITECH allows "Class Action" lawsuits as a method of enforcing HIPAA.  The excerpts in this newsletter from recent health sector publications by the AMA and Health Data Management point out some of the pitfalls waiting for those who take compliance lightly. 

The Attorney General of the State of Connecticut has just initiated the first class action lawsuit against related to the new regulations.  While the purpose of this HIPAA Alert is not to re-iterate what can be found on the Internet concerning the first HIPAA class action lawsuit, the articles provide a basis for providing some practical tips on what it can mean to your organization.

A recent amednews.com headline gives the bad news for non-compliance . . .   

"Connecticut sues Health Net over data security breach."  
 
The article gives the following details . . .  "The insurer becomes the first plan sued under a new law allowing attorneys general to enforce HIPAA privacy laws..."

In addition, Connecticut Attorney General Blumenthal warned . . ."Sadly, this lawsuit is historic -- involving an unparalleled health care privacy breach and an unprecedented state enforcement of HIPAA." 
 
Another article on the Health Data Management website also described the lawsuit in the following manner . . . . "Blumenthal is seeking a court order blocking Health Net from further HIPAA violations and requiring encryption of all protected health information on portable electronic devices. He also seeks civil fines."
 
So, from a practical standpoint, what does this really mean for other CEs or BAs and how does this impact your organization?  The following tips explain how you can avoid some of the risks associated with the trend towards stronger enforcement. 
 
Practical TIP #1:  No matter how many times you have heard the phrase - "HIPAA will never be enforced," or ,a personal favorite, "You have a better chance of getting struck by lightning than being audited under HIPAA," . . . Audits and Enforcement are here to stay.  That means it's a good time to take a serious look at your full compliance process in both privacy and security and consider an audit or assessment to identify areas that need improvement. Using software tools such as the HIPAA ComplyPAK© to assist with managing the compliance process can also be a positive step towards achieving compliance. 
 
Practical TIP #2:  Accurately track all portable devices in your organization in accordance with all appropriate Privacy Regulations.  That's right, if you're going to make the effort to track your portable devices, then follow all Privacy Rule regulations relating to this activity.  If you have any question on what this means, you can contact HIPAA Solutions for a more thorough discussion.

 
Practical TIP #3:  Make sure that you are complying with all parts of the "old" HIPAA regulations, including both privacy and security . . . AND comply with all parts of the HITECH Act.  That means you should make a real effort to ensure that your compliance process is up to date with all changes in the law.  Please note, the HITECH Act adds a lot of new compliance  issues, including the need for conducting Risk Assessments in the event of a breach of unsecured PHI.

If you need to discuss how an audit of compliance status or using compliance software tools can assist you in achieving and maintaining compliance, contact HIPAA Solutions, LC.