As the healthcare industry continues to digest profound HITECH changes to HIPAA Privacy and Security rules, two observations already are apparent and indisputable for covered entities and their business associates. First, time and resources spent on a workforce that is well-trained on the Privacy and Security rules will be an investment of exponential value. Second, enforcement of those same rules will make negligent and uncorrected errors very costly. A well-trained workforce makes fewer mistakes, and identifies and fixes those that it makes. A workforce that violates the rules because it does not know them or does not care to know them makes an inviting target for HITECH’s new enforcement initiatives. The lesson seems clear: train on HITECH and re-train on existing HIPAA rules, or pay some new and onerous penalties for workforce mistakes.
Here are three hard truths about the HITECH amendments. First, after HITECH, penalties for each violation of HIPAA can now exceed civil penalties for violating the anti-kickback statute. Second, HITECH mandates much more enforcement by HHS, including compliance audits, and allows enforcement by state Attorneys General. Third, under the recently adopted breach notification rules, covered entities are required to submit logs of protected health information (PHI) breaches annually to the Secretary of HHS. Because by definition each of those reported “breaches” involves a violation of the Privacy Rule, covered entities also will be informing the Secretary of their Privacy Rule violations. You won’t have to worry about possible whistleblowers; you are the whistleblower.
One major piece of good news in HITECH is that Congress provided that unless a violation is caused by willful neglect, penalties for the violation may be avoided by taking corrective action within 30 days. This is where training comes in, and where training pays off. A vigorous training program enables the workforce of a covered entity to identify violations quickly because the workforce knows which PHI uses and disclosures are proper and which are not. For example, if workforce members do not understand the concept of “minimum necessary”, they will not know that sending an entire medical record to a third party payer is highly likely to violate the Privacy Rule. If workforce members know what the “minimum necessary” disclosure is, they will either avoid an improper disclosure or move to correct it within the thirty-day corrective action grace period.
As with so many other areas of HIPAA, HITECH introduces many new concepts. New regulations have been published on unsecured breaches and more regulations are coming on privacy, security, and enforcement. Making these rules comprehensible to your workforce members (including management) and applicable to your environment requires training—and some re-training on the existing HIPAA Privacy and Security rules and how they all fit together.