HIPAA HITECH

Like many insurance sales professionals I too suffer from ADHD when it comes to paying attention to lots of details.

To date we have tried HIPAA HITECH 101 and HIPAA HITECH Cliff Notes, and now we are launching HIPAA HITECH for Dummies to simplify and focus your efforts even further, to help you get compliant and stay compliant.

One thing that has become abundantly clear to me over the past month as I have talked with brokers and BA’s from all over the country is that they fundamentally do not understand what HIPAA HITECH requires of them.

My unscientific stats tell me that 75% of you are totally or relatively clueless as to what is required of your organization. This is not meant to blame anyone, but simply to state a fact.

What All Brokers and Consultants Must Do To Be HIPAA HITECH Compliant

What is HITECH: The Health Information Technology for Economic and Clinical Health Act (HITECH) significantly expanded the reach of the HIPAA Privacy Rule and Security Rule, along with the corresponding penalties.

What does HITECH Do?

  • HIPAA now applies directly to the business associates (BAs) of covered entities (CEs).
  • HITECH includes a statutory obligation for BAs to comply with HIPAA.
  • HITECH also requires PHI breach notification, which was not part of the original HIPAA rules.
  • HITECH also substantially increased the penalties for HIPAA violations.

Why HITECH Applies to You – Brokers/agents are BA’s if they have BA agreements with any insurer and/or receive, create, transmit or maintain personal health information (PHI). Census, enrollment, claims info et al are PHI.

Compliance Overview - A broad overview (detailed plans follow on pgs 2-4) of work that needs to be done by all BA’s, regardless of size:

  • Appoint a chief privacy/security officer
  • Do a full risk assessment of your business, get a gap analysis and focus on fixing the gaps it identifies
  • Document privacy and security policies and put them in place
  • Implement all HIPAA security administrative, technical and physical safeguards
  • Get encryption in place for all PHI your organization handles and communicates
  • Update/establish business associate agreements with your clients and vendors
  • Conduct privacy and security workforce training
  • Comply with new notification rules for breach of unsecured PHI

New Breach Rules – HITECH establishes mandatory federal breach reporting requirements for HIPAA CE’s and their BA’s, as well as a new “Tattle” rule which requires BA’s to report their CE’s breaches. It also makes local media notification mandatory if a breach involves 500 or more lives in one state.

New Enforcement and Penalties – State Attorneys General can now take legal action on HIPAA privacy/security violations. CT took the first such action against Health Net last month. BAs that violate the security and privacy provisions of HIPAA are subject to the same new and beefed-up civil and criminal penalties as a covered entity:

Violation                                   Penalty per Violation   Maximum per Year
Tier A – Did not know                       $100                    $25,000
Tier B – Reasonable cause, not willful neglect   $1,000             $100,000
Tier C – “Willful neglect”, corrected       $10,000                 $250,000
Tier D – “Willful neglect”, uncorrected     $50,000                 $1,500,000

Compliance Deadline – Was 2/17/2010.

Failure to be compliant will likely be viewed as “willful neglect”. There is no such thing as partial compliance. It is all or nothing for all CE’s and BA’s, not just you.
