First of all, let’s identify some of the good points of the HITECH Act. Under the HITECH Act Medicare and Medicaid bonus payout scheme, a physician who can demonstrate “Meaningful Use” of an EMR (Electronic Medical Records) system in 2011 is eligible to receive US$18,000 from Medicare for the first year and US$44,000 in total through 2015. These incentives are reduced for adoption after 2012. Physicians whose practice features a high volume of Medicaid patients can qualify for up to US$65,000 in incentives.
Wow! Isn’t it? Quite a good bonus. Let’s figure out what it is.
The HITECH (Health Information Technology for Economic and Clinical Health) Act was signed into law in February 2009 as a part of ARRA to protect PHI (Protected Health Information) stored electronically from potential data breaches. It also helps regulators strengthen enforcement and the penalties associated with wilful violations of HIPAA. Guidance has been issued specifying the technologies and methodologies that render PHI unusable, unreadable or indecipherable to unauthorised individuals. The HITECH Act also defines the notification, response and handling of incidents once a breach is detected, which must happen after 30 days and no later than 60 days from the day the breach occurred. The law applies to all HIPAA covered entities, their business associates and third parties, including those operating outside the US.
If a breach of PHI affects more than 500 individuals annually, it mandates notification of the media and HHS. The HITECH Act also applies to vendors of personal health records that provide online repositories, and to the people who keep track of their health based on the information present in these repositories, e.g. an application that takes readings from blood pressure cuffs or pedometers and uploads them to an online personal health record.
What needs to be done to make my practice compliant with the HITECH Act?
1. Implement a data classification policy, approved and communicated by management.
2. Implement a process to detect any potential data breach and initiate timely incident response activities.
3. Implement a risk assessment and analysis method to identify the significance of the risk (financial, reputational or any other harm a potential breach could cause to the affected individuals).
4. Implement a notification process.
5. Implement policies, processes and procedures for filing complaints, to ensure compliance.
6. Last but not least, encrypt data at rest and in transit in any form.
For more details, refer to the Federal Register Part 2, Department of Health and Human Services.