Some of the changes that HITECH will mandate, in regards to privacy requirements, include:

• Definition of Personal Health Information (PHI) expanded
• Stronger data breach notification requirements
• Increased penalties for HIPAA violations and more aggressive enforcement, including criminal cases
• Subjects business associates to civil and criminal penalties for violating HIPAA requirements
• Defined guidelines on how to protect PHI

In terms of data breaches, HITECH will require that individuals be notified if their PHI has been accessed and that information was unsecured, unencrypted or not deleted from a computer using an a method that meets the standard (such as the Computrace Data Delete feature). The act requires that vendors notify the individual of the breach even if identity theft is not probable, which is a much stronger requirement than many State notification requirements.

Though the effective date for HITECH is not until February, 2010, in August of this year the US Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) will synchronize their respective regulations and issue interim final regulations.

Healthcare organizations will need to address these new HITECH requirements by strengthening their data security measures. Computerworld has put together 5 Steps to HITECH Preparedness that’s very worth the read.

Image: clipart