HIPAA AND THE HITECH ACT
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), together with the HITECH Act (2009), was enacted in part to ensure that personal health information that is stored, accessed or processed is handled according to a set of guidelines and security rules. We are HIPAA Certified and support our health care clients in preventing data breaches. Security is only as strong as your weakest link. Health care, in particular, is rich in identifiable data, which makes it very attractive to criminals. In 2007, on the black market, a social security number was valued at $5, credit card numbers were valued at $4, and a bank account number sold for a whopping $400.
HITECH Data Breach Requirements
Previously, covered entities were not mandated to notify patients if their Individually Identifiable Health Information (IIHI) was disclosed in a breach. With the HITECH Act, both covered entities* and business associates** that hold, use or disclose “unsecured protected health information (PHI)” have a legal duty to notify certain parties in the event of a “breach.”
A breach is defined as the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an authorized person to whom such information is disclosed would not reasonably have been able to retain such information.
As a direct result of the HITECH Act, if a breach occurs, a covered entity must notify each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed. Business associates of covered entities must, after discovery of a breach, notify the covered entity of the breach and let the covered entity know the identification of each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed.
A breach is considered to be “discovered” as of the first day on which it is known to any member of the workforce. Written notice describing the breach must be made “without unreasonable delay,” and in no case later than 60 days after the discovery of the breach.
Whether you are a covered entity or a business associate, Wilson Technology Group will help you meet the HITECH Act requirements. For more information, you can also visit www.hhs.gov/ocr/privacy
*Covered entity: generally health care payers, providers and clearinghouses.
**Business Associate: performs a function for a covered entity that involves the use of protected health information (PHI). Wilson Technology Group is a business associate for our health care clients who maintain electronic health records (EHR).