HIPAA, HITECH, and Privacy Regulations

With the passage of the Health Insurance Portability and Accountability Act of 1996, commonly referred to as HIPAA, federal regulations governing the privacy of personal health information were imposed on virtually every health care provider. The 2009 Health Information Technology for Economic and Clinical Health Act, commonly referred to as HITECH, added significant emphasis on the security of electronic information and significantly expanded civil and criminal penalties for providers who do not comply with these very complex rules for storing and transmitting health information.

Other federal regulations govern many aspects of health information privacy for health care providers.   The Privacy Act of 1974, Common Rule provisions governing research information, and specific rules found in the Occupational Safety and Health Act (OSHA) are a few examples.  In addition to these federal regulations, most states now have provisions governing patient records, and state laws governing breach notification are growing rapidly.

Internal Audits and Policies and Procedures

The number and complexity of these overlapping rules and regulations, and the significant civil and criminal penalties for violations, make it vital for all providers to have policies and procedures based on privacy and security audits and tailored to the specific services offered by the provider.

Having a Notice of Privacy Practices is not enough.  We assist clients with developing or refining an overall privacy and security compliance program.

Responding to Investigations

In addition to providing audit and policy development services, we assist providers in responding to investigations and enforcement actions from the CMS Office of Civil Rights, the primary enforcement agency for health information privacy violations.  Understanding the rules federal surveyors and investigators follow, as well as knowing the options for negotiating a favorable resolution, requires specialized knowledge and experience.  We provide that in assisting clients who need to respond to federal investigations.

Security Breach Notification

We also assist in internal investigations of potential breaches and in providing the notifications required under state and federal law for those breaches. Providers face separate penalties for failure to provide proper notification of a breach and should have experienced counsel.

