The symposium covered many topics, but one especially impactful presentation addressed the changes in the HITECH Act. The HITECH Act is the Health Information Technology for Economic and Clinical Health Act, which “seeks to improve American health care delivery and patient care”. The HITECH Act specifically lists IT standards and requirements for security and safety.
In attendance, Stephen Etter, Telamon Medical Solutions Technical Writer, captured the following summary of changes in the HITECH Act that are important for service providers and IT companies to understand:
Final Rule:
HITECH Increased Enforcement (civil penalty tiers):
- Reasonably Unaware: $100 per violation; $25,000 max per year
- Reasonable Cause: $1,000 per violation; $100,000 max per year
- Willful Neglect: $10,000 per violation; $250,000 max per year; $50,000 per violation and $1.5 million max per year if not corrected within 30 days
OCR Recent Enforcement:
- Affinity Health Plan - $1.2 million
- WellPoint - $1.7 million
Business Associates:
Business associates (BAs) and their subcontractors now have direct liability and will be subject to HIPAA audits. Under the final rule, BAs must have a risk analysis and policies/procedures in place for security safeguards.
Breach Notification:
New breach notification procedures and policies went into effect. BAs or health organizations have to notify the individual even if there is only a minimal risk to their data. Any acquisition, access, use, or disclosure of unsecured PHI that is not permitted by the Privacy Rule is presumed to be a breach unless a risk assessment shows a low probability that the PHI has been compromised. Breaches affecting 500 or more patients also require notification to the media and to the Secretary of HHS.
Risk Factors (considered in the risk assessment):
1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
2. The unauthorized person who used the PHI or to whom it was disclosed
3. Whether the PHI was actually acquired or viewed
4. The extent to which the risk to the PHI has been mitigated