Compliance Helper Blog

Senate Hearings Focus on Lack of HIPAA Enforcement, Final HITECH Rule

One year it was a shiny red bicycle, which I got; another year it was a Red Ryder BB gun, which I did not, so I understand that Santa doesn't always deliver the goods. This year it is "The Final Rule", and since we are only a few days before Christmas and I doubt anyone is working at HHS this week, it looks like I will be disappointed again.

"The hearings also highlighted the need for a final rule to implement major provisions of the new HITECH Act, including those related to business associates and breach notification requirements.  Franken characterized the lack of final HITECH regulations as “a really big problem,” and questioned Rodriguez about when Congress can expect a final rule from HHS.  Rodriguez did not provide a specific timetable." (My emphasis)

This was the second panel of the Senate committee, and it followed up on the theme of the first: "Hurry Up". With millions of patient records being exposed and the incidence growing 32% according to The Ponemon Institute study, you would think HHS would have released this months ago. Literally millions of business associates are delaying compliance because in February of 2010 HHS announced that they were "delaying enforcement".

Here is the link to the complete article:

 

The irony is that the law is actually in force, and should the BA have a breach, they must report the breach and are subject to punishment right along with the CE that trusted them with the PHI. CEs must take greater responsibility for their BAs because they are in fact responsible should the BA breach.

I highly recommend that you read an article being published in Compliance Today magazine entitled:

Effective practices for HIPAA and HITECH compliance measurements – By Rebecca Herold and Mahmood Sher-Jan
Metrics tied to an incident response lifecycle provide a defendable plan of action for data breaches and help restore trust. Page 30

 

