Organizations should act prior to the implementation of the new Health Insurance Portability and Accountability Act (HIPAA) compliance guideline changes for 2010 and consistently monitor their facilities in order to make an easier transition and avoid the extended penalties that are now being proposed, said HIPAA privacy and security consultant Grant Peterson during a Jan. 13 Webinar on the guidelines.
The Webinar was hosted by Open Health IT Exchange (OHITX).
During the Webinar, Peterson reviewed steps that providers can take to assure that they are and will continue to be HIPAA compliant, and discussed the updated breach notification and expanded business associate guidelines.
The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted by the Obama administration last year as part of the stimulus package to encourage the adoption of EHRs, has had an effect on HIPAA policy changes for 2010, noted Peterson.
Of the changes, Peterson mentioned 11 sections of the HITECH Act (13401-13411), which will be changed throughout the course of 2010 or have changed effective immediately.
In 2010, both covered entities and business associates will see new requirements, including changes in breach notification. The HIPAA guidelines for 2010 state that in the event of a breach of an individual's personal health information (PHI), the covered entity must make the notification without unreasonable delay and in any event within 60 days of discovery (or within 60 days of the date the breach should have been discovered), and the notification must be made by first-class mail, or by email "if specified as a preference" by the individual.
For business associates, the covered entity must be notified whenever "unsecured" PHI is breached. Notification should be made without unreasonable delay and within 60 days of discovery (or within 60 days of the date the breach should have been discovered). Further, the notice must identify each individual whose unsecured PHI has been breached.
In addition to the breach notification changes, covered entities can also note changes in marketing restrictions and individuals' rights. This newly issued guideline, effective Feb. 17, states that organizations maintaining EHRs must provide an individual upon request with a copy of the information in the EHR in an electronic format.
Accounting for disclosures is another change for business associates that Peterson noted is “quite a departure from what we have had in the past.” The proposed guideline states that an individual must be provided upon request with an accounting of disclosures of the information in his/her EHR over the last three years, including disclosures made for the purpose of treatment, payment or healthcare operations.
Peterson said that extended penalties for HIPAA compliance violations to business associates will become effective Feb. 17, and civil penalties currently applicable to covered entities will be made effective immediately.
In order to remain HIPAA compliant under the soon-to-be issued policies, Peterson said that healthcare organizations should be aware of the changes and constantly monitor their programs.
“In providing audits to healthcare organizations, the one area that I see that needs the most attention is for the organization to create some sort of a framework for managing risk,” said Peterson.
Organizations should also consider amending current agreements with their business associates, concluded Peterson, adding that new policies and procedures should be created, especially those covering breach notification.