Thursday, August 13, 2009

HIPAA ARRA Requirements

A patient's information should be securely kept.


The American Recovery and Reinvestment Act of 2009 (ARRA) has made several changes to the Health Insurance Portability and Accountability Act (HIPAA). HIPAA, which was limited in 1996 when it was launched and fully implemented in 2003, was created not only to make sure people between jobs had access to health care coverage, but also to protect a patient's confidential information. ARRA made changes to the HIPAA privacy and security rules, mandating the Department of Health and Human Services (HHS) to issue a new set of regulations.


Breach Notification


The ARRA has a provision for the implementation of the Health Information Technology for Economic and Clinical Health (HITECH) Act. The regulation requires health care providers and other HIPAA-covered organizations to immediately inform an affected individual, the HHS secretary and the media in cases involving more than 500 individuals. If the number of people affected is fewer than 500, only the HHS and the affected people have to be informed. A health worker with access to confidential patient information, also known as a business associate, will have to report his organization or an associate who has breached information. The regulation is meant to ensure accountability by organizations and staff directly linked to patients' information.


Business Associates


The law previously applied only to covered entities. These included health plans and health care providers. A staff member was supposed to sign a business associate agreement as a company representative. But under the HITECH Act, the rules, including penalties, apply directly to business associates. This means the business associate is held accountable as an individual where there is a breach. The law also affects vendors who provide data transmission services related to protected health information (PHI). They are now classified as business associates and are required to sign a business associate agreement stating that they will diligently protect information.


Disclosure, Sales and Accounting of PHI


Under the HITECH Act, there are no exceptions to the disclosure rules. Previously, organizations used the broad exception to the use and disclosure rules to sell PHI for health-related purposes. Covered organizations asserted that their use of PHI was a health care operation that did not require an individual authorization. The HITECH Act has banned that. Each organization should seek authorization before using PHI. State attorneys general are empowered to sue violators.






