Posted on February 19th, 2010
While many of the changes to HIPAA contained in the HITECH amendment, such as increased fines, Attorneys General enforcement, and Health Data Breach notification, have already come into effect, February 18th, the law’s one-year anniversary, marks a number of significant HIPAA/HITECH milestones.
Here is a sample of some that could affect the secure destruction service provider . . .
- Application of rules to, and accountability for, Business Associates. (No longer are BAs solely tied to HIPAA by the BA contract with the Covered Entity, but now, in some respects, operate essentially with all the requirements applied to Covered Entities.)
- Requirement for HHS to begin conducting mandatory audits.
- Clarification regarding which entities are required to be business associates. (Both HHS and the FTC have already identified secure destruction services as BAs in earlier guidance publications. It would be difficult to see this changing.)
- HHS and FTC study on privacy and security requirements for PHR vendors and applications. (PHR vendors are a new type of Covered Entity under FTC jurisdiction who maintain or process health-related data as a result of offering Internet-based services.)
- First annual guidance on the most effective and appropriate technical safeguards for health information. (This could go either way. When HHS issued guidance on security measures to avoid data breach, they inadvertently caused many Covered Entities to apply the wrong particle size specification. If guidance is promulgated in this new document with a similar type of reference, it will make life a bit more complicated for secure destruction services.)
- HHS to implement a health information privacy educational initiative
- Clarification regarding the ability to impose criminal penalties against individuals