HIPAA Compliance: What You Need to Know About the New HIPAA-HITECH Rules
Counselors who have not already done so will need to update their policies and contracts to
comply with new HIPAA rules added by the Health Information Technology for Economic and
Clinical Health Act (HITECH). If you think HIPAA is no big deal or don’t have a clue what
HITECH means, this could be a wake-up call.
On January 17, 2013, the U.S. Department of Health and Human Services (HHS) Office for Civil
Rights (OCR) issued the final omnibus HIPAA-HITECH rules (45 CFR Parts 160 and 164) with
an enforcement date of September 22, 2014.
Unfortunately, pleading ignorance won’t get you very far with HHS or the attorneys general of
your state. The term “did not know” is actually one of three penalty categories for violating the
new HIPAA-HITECH rules, along with “reasonable cause” and “willful neglect.” All of them come
with penalties. In the “did not know” category, a breach will cost you $100–$50,000 for each
personal health information (PHI) item.
If it has been a while since you brushed up on HIPAA-HITECH, you may be surprised to find
that PHI and electronic PHI (ePHI) include any of the following pertaining to a client: first name,
last name, e-mail, ZIP code (yes, ZIP code), city, county, phone number, IP address and more
(18 items in all). But hey, at least there’s a $1,500,000 annual cap on penalties! Bottom line, it
would not be an overstatement to say these penalties would be devastating to a private practice
or one’s professional career. It is time to get serious about HIPAA-HITECH.
Enforcement is not just in hospitals anymore. HHS.gov cites several case examples of
enforcement in mental health centers and private practices.
Read the whole article at http://www.nbcc.org/assets/HIPAA_Compliance.pdf