In the age of big data, data protection laws are among the most important pieces of regulation for IT companies and independent consultants who work in technology fields. This month marks a major milestone for data protection laws in the U.S. because, as of the 23rd, new data security standards take effect for all businesses that work with HIPAA-covered entities - that is, any company involved with healthcare and so regulated under the Health Insurance Portability and Accountability Act of 1996.
Here's a look at what you need to know about those data security standards (which were updated by HITECH, the Health Information Technology for Economic and Clinical Health Act) and how to make sure your business is ready to meet them by the September 23 deadline. (For more on data security and data breach issues, check out "Data Security Remains Top Concern about Cloud Computing Options.")
What Is Data Security under HIPAA and HITECH?
Under HIPAA rules, protected health information (PHI) must remain confidential. This means that HIPAA-covered entities that collect and store PHI (e.g., doctors, psychologists, counselors, and hospitals) must protect it with various physical, administrative, and digital barriers so that only authorized parties can access it.
In addition, HIPAA requires that covered entities share PHI with patients within 30 days of receiving a written request for that information. It also outlines certain financial penalties for covered entities that violate the data protection standards.
HITECH, a part of the American Recovery and Reinvestment Act passed in 2009, updates HIPAA's data security standards in the following ways:
- It extends HIPAA's data security obligations beyond covered entities to their "business associates." Any company, contractor, or consultant that creates, receives, maintains, or transmits PHI on behalf of a HIPAA-covered entity must now comply directly with the data security standards of HIPAA and HITECH, and the rules taking effect this month apply the same obligations to subcontractors of those business associates.
- It increases the penalties of data security breaches. Under HITECH, businesses that improperly reveal PHI (whether by disclosing it to non-authorized parties or by permitting a data breach because of insufficient data safeguards) can face up to $1.5 million in penalties each year. (Read more about new cyber security fines in "$1.2 Million HITECH Fine Highlights Risks for IT Contractors Working with Healthcare Clients.")
- It created the "meaningful use" incentive program, which pays eligible healthcare providers to adopt electronic health records and to demonstrate meaningful use of those records in serving patients.
What Small IT Firms Need to Do to Comply with the HITECH Data Security Law
When the government starts enforcing the new HITECH data security standards later this month, small IT and tech firms that work with HIPAA-covered entities (whether as consultants, programmers, designers, or in other capacities) will be responsible for complying with HIPAA's data security guidelines in addition to any state-level data security laws.
If you count even one HIPAA-covered entity among your clients, it's important to make sure that your company is also compliant with HIPAA's and HITECH's data protection standards. If you haven't yet reviewed those standards, here's what you can do to make sure your business complies:
- Complete a risk analysis for any electronic PHI your company creates, receives, maintains, or transmits, covering the systems that store it and the people and vendors who can reach it.
- Name someone to act as Security Official.
- Establish or revise written policies and procedures for each HIPAA requirement you're responsible for meeting.
- Make sure your business associate agreements (BAAs) with your HIPAA-covered clients are up to date. While they might be the ones who need to issue a new agreement, you can protect your business by contacting any HIPAA-covered clients who haven't yet done so. Also, if any contractors or subcontractors you employ work on projects for your HIPAA-covered clients, be sure to put an equivalent agreement in place with those subcontractors.
- Train your team to adhere to the new data protection guidelines.
In addition to meeting HIPAA-mandated data protection guidelines, many of your clients in healthcare may require you to carry Errors & Omissions Insurance to demonstrate that you're able to financially handle any data breach event that occurs.