Update
HITECH AND THE NEW MASSACHUSETTS PRIVACY LAWS -
THE C-WISP
March 2010
NEW PRIVACY AND SECURITY LAWS THAT AFFECT YOUR CLINICAL PRACTICE...
These include the Health Information Technology for Economic and Clinical Health Act (HITECH or "The Act") and the Comprehensive Written Information Security Program (C-WISP, effective March 2010). Under the C-WISP requirement, any business that owns or licenses personal information must "develop, implement, and maintain a comprehensive information security program" to secure and protect records containing personal information, and that program must be written in one or more readily accessible parts (the "C-WISP").
HITECH is part of the American Recovery and Reinvestment Act of 2009 (ARRA). The HITECH Act also widens the scope of the privacy and security protections available under HIPAA, increases the potential legal liability for non-compliance, and provides for more enforcement. Specifically, it includes the following:
Enforcement
The consensus view is that HIPAA has not been rigorously enforced in the past. Under HITECH, mandatory penalties will be imposed for "willful neglect." Civil penalties for willful neglect are increased under the HITECH Act. Finally, HHS is now required to conduct periodic audits of covered entities and business associates.
Notification of Breach
The HITECH Act now imposes data breach notification requirements for unauthorized uses and disclosures of "unsecured PHI." Under the HITECH Act, "unsecured PHI" is "unencrypted PHI." In general, the Act requires that patients be notified of any breach of unsecured PHI.
Electronic Health Record Access
Where a provider has implemented an EHR system, the Act provides individuals with a right to obtain their PHI in an electronic format. An individual can also designate a third party as the recipient of the e-PHI. The Act specifies what fees may be charged for an electronic request.
Business Associates
The HITECH Act now applies certain HIPAA provisions directly to business associates. Formerly, privacy and security requirements were imposed on business associates only through contractual agreements with covered entities. Under the HITECH Act, business associates are now directly "on the compliance hook," since they are required to comply with the safeguards contained in the Security Rule (SR).
C-WISP
The Comprehensive Written Information Security Program is state specific and became effective March 2010. Any business that owns or licenses personal information must "develop, implement, and maintain a comprehensive information security program" to secure and protect records containing personal information, and that program must be written in one or more readily accessible parts. The program must "contain administrative, technical, and physical safeguards that are appropriate to" (a) the size, scope, and type of the business, (b) the resources available to the business, (c) the amount of stored information, and (d) the need for security and confidentiality of both consumer and employee information.
