LSMS | New Physicians Guide | 2022

should continually train their staff on how to follow the right security protocols to ensure data integrity and security.

• Buy medical products with security compliance and compatibility in mind. New equipment bought for a medical institution should be compatible with existing systems and should offer enough security features. Some medical equipment may offer enough security features but be incompatible with existing systems, or vice versa. Thus, before making any major purchase, the product should be reviewed thoroughly enough to ensure both security and compatibility.

• Collaborate with affected parties. Changes needed to bring about HIPAA compliance affect many people in the medical practice. Affected departments should be consulted when making changes to ensure that all parties affected by the changes are happy with them.

HITECH ACT

The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules. Section 13410(d) of the HITECH Act, which became effective on February 18, 2009, revised section 1176(a) of the Social Security Act (the Act) by establishing:

• Four categories of violations that reflect increasing levels of culpability;

• Four corresponding tiers of penalty amounts that significantly increase the minimum penalty amount for each violation; and

• A maximum penalty amount of $1.5 million for all violations of an identical provision.

It also amended section 1176(b) of the Act by:

• Striking the previous bar on the imposition of penalties if the covered entity did not know and with the exercise of reasonable diligence would not have known of the violation (such violations are now punishable under the lowest tier of penalties); and

• Providing a prohibition on the imposition of penalties for any violation that is corrected within a 30-day time period, as long as the violation was not due to willful neglect.

This interim final rule conforms HIPAA’s enforcement regulations to these statutory revisions that are currently effective under section 13410(d) of the HITECH Act. This interim final rule does not make amendments with respect to those enforcement provisions of the HITECH Act that are not yet effective under the applicable statutory provisions.
