The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, includes the requirement to protect the privacy and security of health information of individuals, defined as “protected health information” (PHI). The HIPAA regulation applies to “covered entities,” which include healthcare providers, health plans, and healthcare clearinghouses. The HIPAA privacy and security regulations also extend to “business associates” (including third-party administrators, pharmacy benefit managers for health plans, claims processing companies, and persons performing legal, accounting and administrative work).
The 2009 American Recovery and Reinvestment Act includes a section called the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Act promotes adoption of “electronic health records” (EHRs) to improve efficiency and lower healthcare costs. Anticipating that the widespread adoption of EHRs would increase privacy and security risks, the HITECH Act introduced new security- and privacy-related requirements for covered entities and their business associates under HIPAA.
The HITECH Act requires covered entities to notify the affected individuals and the Secretary of the U.S. Department of Health and Human Services (HHS) in the event of a breach of “unsecured protected health information”. The regulation defines unsecured protected health information (PHI) as PHI that is not secured through the use of a technology or methodology to render it unusable, unreadable, or indecipherable to unauthorized individuals. The notification requirements vary according to the amount of data breached. A data breach affecting more than 500 people must be reported immediately to the HHS, major media outlets and individuals affected by the breach. Also, the HHS secretary is required to post on an HHS website the list of covered entities that have reported breaches. A data breach affecting fewer than 500 people must be reported to the HHS secretary on an annual basis and to the individuals affected by the breach.
If a business associate is responsible for the data breach, then it must notify the covered entity, which is then expected to take the appropriate action.
The fines for non-compliance with the HIPAA privacy rule have increased significantly with the introduction of the HITECH Act. An organization can now be fined up to $1,500,000 per calendar year for each violation. In addition, individuals who have been affected by a HIPAA data breach can now receive a percentage of a civil monetary penalty or monetary settlement.
In addition to fines, an organization that has a data breach will incur monetary expenses associated with notifying people affected by a breach. Once emails, first-class mailings, toll-free numbers, media outreach, work-hours and more are tabulated, a breach can quickly turn into a multimillion-dollar issue that could have been avoided.
There is now a greater degree of electronic interaction between covered entities, business associates and individuals, which is only expected to increase further as a result of the ARRA stimulus plan.
The HITECH Act also requires the issuance of technical guidance on the technologies and methodologies “that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals.” The guidance specifies data destruction and encryption as actions that render PHI unusable should it fall into the wrong hands. PHI that is encrypted, and whose encryption keys are properly secured, provides a “safe harbor” to covered entities, which then are not required to issue data breach notifications.
The safeguards of data integrity, confidentiality and security that HIPAA and HITECH mandate are familiar territory for Creative Marketing Programs (CMPkc).
In fact, we've been building and maintaining databases with these ideals in mind since 1985. Utilizing sound business practices and the highest ethical principles has guided us in the creation of extremely successful healthcare marketing programs for our clients.
CMPkc's HIPAA certification attests that we are compliant with the Act's requirements relating to privacy, confidentiality and security of PHI.
The strict mandates of this sweeping legislation are very complex, and have great bearing on your relationships with business associates who help you market your products and services. Because of these mandates, and the resulting ramifications on your healthcare operations, you will be in a better legal defensive position if your business associate possesses a certification of HIPAA compliance.
CMPkc's unique expertise in healthcare customer relationship and data management, along with our sophisticated information systems technology, has prepared us well to adhere to the HIPAA guidelines, including:
Creative Marketing Programs can help you maximize the impact of your healthcare marketing, while complying with all of the latest HIPAA and HITECH regulations. To maintain successful ongoing prospect and patient relationships, you can't afford not to have a partner like CMPkc.
Contact Us to find out more about how you can benefit from Creative Marketing Programs' expertise.
Copyright © 2010 - 2013 Creative Marketing Programs, All Rights Reserved.