Risk Advisory Services Blog

HIPAA/HITECH Compliance: Rules You Should Be Following to Stay in Compliance

In summary, the HIPAA HITECH rules cover the following areas of compliance:

  • Privacy Rule
  • Security Rule
  • Breach Notification Rule
  • Enforcement Rule
  • Unique Identifiers Rule

The primary focus for most organization’s required to comply with HIPAA HITECH  is to ensure compliance with the privacy and security rules.  The major goal of these HIPAA regulations is to ensure that any identifiable Personal Health Information (PHI) is kept secure, confidential, and only accessed by authorized personnel.   These rules also apply to vendors who “could” have access to PHI. 

These regulations can be met by a combination of policies, training, and technology tools and services (such as password protection and e-mail encryption) designed to secure this information.

Certain components of the security rule are not required (referred to as “addressable” in the rules).  However, an organization may only choose to no implement an addressable standard if it clearly cannot do so and can document why it is unable to do so.

Overview of the New Rules (2013)

Significant changes to these rules include:

  • The expansion of the definition of business associates to include subcontractors that access PHI
  • The imposition of direct liability under the rules on business associates for compliance with certain HIPAA privacy and security rule requirements (previously, liability only rested with the covered entity)
  • Additional and revised provisions that covered entities and business associates must include in their business associate agreements
  • A deadline for all business associate agreements to comply with the new rules by September 22, 2014.
  • Additional disclosures in covered entities’ HIPAA privacy notices, including language that informs individuals of their right to be notified of breaches of their PHI
  • Substantial lowering of the threshold for notification of affected individuals in the event of a breach of PHI, and a requirement to conduct a documented risk assessment in the event notification is not provided in reliance on the harm threshold
  • An expansion of individuals’ rights to access their PHI.

For more information on our Technology Partners HIPAA Compliance services, contact Brian Rosenfelt by leaving a message below, or by calling 440-449-6800.

This entry was posted in Risk Advisory Services. Bookmark the permalink. Follow any comments here with the RSS feed for this post. Both comments and trackbacks are currently closed.
© Copyright 2016 Skoda Minotti | Privacy Policy | Disclaimer | Remote Support
Cleveland 440-449-6800 | Akron 330-668-1100 | Tampa 813-288-8826
Website designed and developed by Skoda Minotti Strategic Marketing