Son of HIPAA Breach Notification Rules and Business Associate Requirements: Who's Ready?

HIMMS Analytics surveyed about 250 hospital and business associate representatives, and came up with some figures to back up what we all knew in our hearts:  Most hospitals are gearing up for compliance with the HITECH Act / Son of HIPAA data security and breach notification requirements, but many experience data breaches — about half of hospitals surveyed in the past year — and business associates lag behind hospital in awareness and preparedness for compliance with new business associate requirements.

Check out the full report on the HITECH Act's impact on privacy and security, and check out recent HealthBlawg posts on HITECH Act and Son of HIPAA issues here: HITECH Act security breach rules now effective; Comments on HITECH Act breach notification rule from Capitol Hill; and Son of HIPAA Breach Notification Rules. 

Anyone who needs to be convinced that attention must be paid to this issue need only check out the cautionary tale of the Virginia prescription record security breach or any of the many breaches detailed here or here.

The survey provides a handful of key take-away points:

• Risk assessments are common practice but alone do not mitigate breach risks.
• Large hospitals experience the most data breaches and are at the greatest risk for future incidents.
• Business associates are generally unprepared to meet the new data breach related obligations brought on by the HITECH Act.
• Health care organizations are prepared to sanction business associates that don’t comply with the regulations outlined in the HITECH Act.
• Inter-departmental disconnects between IT and Compliance on data breach policies and procedures leave hospitals at risk.

Bottom line: most health care provider organizations and most business associates (vendor organizations) have a great deal of work to do, not only in terms of conducting a through review of policies and procedures so as to come up with a gap analysis, but also in terms of implementing policies and procedures to fill the gaps identified, and to conduct appropriate trainings at all levels of the organization, including clear delineation of lines of communication regarding data security matters.

The Harlow Group network stands ready to assist provider and vendor organizations in preparing themselves for full compliance with the new HIPAA requirements promulgated in the HITECH Act and its regulations.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting