Before delving into the changes, it's important to understand that under HIPAA there are three general groups of organizations: covered entities, business associates and everyone else. Covered entities are generally health care organizations or health insurance companies (though this gets complicated with companies that self-insure). Business associates are organizations that support covered entities and handle protected health information (PHI), such as online backup providers, billing agencies and organizations that support eHealth products, and everyone else is, well, everyone else.
HIPAA requires covered entities to meet specific privacy and security criteria; if they do not, those entities are subject to fines. As a result of HITECH, civil penalties for HIPAA violations have gone up significantly, potentially to the tune of $1.5 million per year in fines. Additionally, deliberate disclosure of PHI for non-legitimate reasons can now lead to criminal prosecution. HITECH specifically allows state attorneys general to file civil suits on behalf of their residents, though for many states some form of state-level enforcement was already the case due to California SB 1386 and the other state data breach-notification laws modeled on it.
If your organization is classified as a business associate, this is the time when you will consider panicking. Prior to the changes, HIPAA required business associates only to have contracts with the covered entities they served, obligating them to apply the appropriate privacy and security controls to individuals' PHI. Now the requirements for business associates have been significantly expanded. Under HITECH, business associates are directly subject to the same civil and criminal penalties as covered entities, as well as the disclosure requirements outlined above.
Members of the final category, everyone else, will likely see some changes as well, though this will depend on the final decisions of the Secretary of Health and Human Services around business associates. The most likely change will be that consumers must identify themselves more strongly to business associates in order to be granted access to information. Similarly, companies that provide services to business associates will quite likely see more security and privacy terms in their contracts, especially if they have any dealings with systems that contain PHI.
HITECH (not to mention recent HIPAA enforcement activities) has shown that the government now takes the security and privacy of medical records far more seriously than it has in recent years. As a result, all covered entities and business associates should proactively review their security and privacy policies, processes and controls, and evaluate where they stand. Time flies, and February 2010 will be here much sooner than it may seem. There is always the option of taking a chance and choosing not to comply, though given that HITECH allows for both federal and state criminal and civil proceedings to be brought against non-compliant companies and their executives, you won't see me advocating that choice to anyone I work with.
About the author:
As CSO-in-Residence, David Mortman is responsible for Echelon One's research and analysis program. Formerly the Chief Information Security Officer for Siebel Systems, Inc., David and his team were responsible for Siebel's worldwide IT security infrastructure, both internal and external. He also worked closely with Siebel's product groups and the company's physical security team and led up Siebel's product security and privacy efforts. A CISSP, Mr. Mortman sits on a variety of advisory boards including Qualys and Applied Identity and Reflective, amongst others. He holds a BS in Chemistry from the University of Chicago.
This was first published in April 2009