Health Information Management

HIPAA compliance questions regarding HITECH

HIM-HIPAA Insider, February 22, 2010

As a HIPAA covered entity, you should watch HITECH closely.

But HITECH compliance is really about HIPAA privacy and security rule compliance.

So as your organization works to comply with breach notification regulations and sets up a “harm threshold” risk analysis team, per HITECH, it should also go back to HIPAA security 101.

“HITECH did include significant changes, but the bottom line is, and what especially security officers need to do, is make sure they actually comply with the HIPAA Security Rule,” says Chris Apgar, CISSP, president, Apgar & Associates, LLC, in Portland, OR.

Business associates (BAs) had to comply by February 17 with the HIPAA Security Rule and the use and disclosure provisions of the privacy rule. In reality, Apgar says, BAs should have been compliant by contract since 2003 for privacy and 2005 for security.

“Yes, the new requirements [especially breach notification] need to be addressed, but the bottom line is many covered entities and business associates have consistently failed to comply with the HIPAA Security Rule,” Apgar says. “I find this over and over when conducting compliance audits.”

Read the full story on HIPAA Update.
