There’s no denying that electronic health records may cut costs and reduce errors, but they can also increase your compliance risks as well as security scrutiny from the feds.
You will be accountable for compliance even if a third party installs and maintains your records system. Providers will still be responsible for ensuring the same privacy protections as if they had their own IT department.
The American Recovery and Reinvestment Act (ARRA) has intensified HIPAA requirements, and Congress has allocated more HIPAA security compliance enforcement dollars to CMS and the HHS OIG. You can use the following breakdown of the new HIPAA regulations to update your policies and procedures.
- Under ARRA’s HITECH provisions, you must now notify patients without delay, and in no case later than 60 calendar days after you discover that unsecured electronic health information was improperly accessed or disclosed.
- There has been an enforcement shift as well. For the first time, ARRA extends liability for HIPAA violations directly to business associates and requires them to comply with the same security standards as providers. As a result, you will need to modify your business associate agreements. But not everyone you do business with qualifies as a business associate.
- In addition, you will be required to limit all third-party disclosures of protected health information (PHI) to a ‘limited data set’ or the ‘minimum necessary’, including disclosures you make to health plans.
- The stimulus bill brings about new restrictions on the sale of PHI and marketing practices as well.