What is the state of the HITECH enforcement regime?
We are certain that all of our readers will be happy to hear that HITECH's enforcement regime is alive and well, thank you very much. We don't enjoy being the bearer of "bad news," but here's a news flash: privacy and security of PHI will remain of paramount importance going forward.
There is simply NO WAY that either the Federal Government (read: HHS and the FTC) or the tech giants who are "ramping up to seize the moment" can tolerate anything less than the security standard already set by the online banking community: 1) the former because tolerating less is bad public policy; and 2) the latter because tolerating less is bad PR (news travels fast on the Internet, 24/7, 365).
We have yet to see the new sheriff flex her muscles, but rest assured that Doc Holliday and Wyatt Earp will be riding your way any day now. The HITECH sections labeled Improved Enforcement and Audits are a harbinger of things to come. This article does a good job of getting at some of the "willful neglect" issues that will trigger the biggest fines.
OK, here's our "Cliff's Notes" version of what "willful neglect" means in unambiguous English: willful neglect means "clueless." Here are some examples that illustrate our definition:
- Your organization is simply unaware; dusting off your old HIPAA documentation will no longer suffice (the ONLY reason you believe you are currently in compliance is that HIPAA was a paper tiger that was never enforced). In short, you are clueless if the world has changed and you don't know it. It's like missing the invention of the telephone and the Internet.
- You are clueless if you don't have any processes in place to support your policies and procedures. Well-written (and current) policies and procedures will not help you much if you can't show that you are actually following them. The only way to ensure compliance is to have a process in place that enforces it and leaves a record.
- You are clueless if you are a covered entity (CE) that does business with a number of business associates (BAs) and have no business associate agreements in place with them, or if you are still using your old, pre-HITECH contracts.
- You are clueless if you are a BA and have no contracts in place with the third parties (subcontractors) that touch the PHI entrusted to you by a CE.
- You are clueless if, as a CE or BA, you think you can outsource liability by doing business with partners that are not directly subject to U.S. law, and assume therefore that those partners need not comply. That may arguably be true for the partner, but you are still on the hook for having the required contracts with said partners.
OK, here's the bottom line: if you can't show visible, demonstrable evidence (over time) ("VDE") that you are in compliance, then you are clueless. If you know that you are not in compliance and don't have a plan in place to get into compliance, you are clueless. Forget about all the legal niceties that may distinguish "reasonable cause" from "willful neglect." Without VDE (and a strategic plan) there is not a lawyer on the planet smart enough to help you. You (and your lawyer) will need both VDE and a plan to make a "good faith" argument to a federal agency or a court of law. Period.
We can assure our readers that most of you are not in compliance because, for the most part, you have NOT figured out (yet) what compliance really means. Remember, whatever you have in place now is probably inadequate: it was never subjected to an audit and therefore never validated. HHS is going to have a field day handing out fines once it settles on its methodology for conducting the audits mandated under HITECH.
Your CEO is not likely to be a happy camper if you end up on HHS's publicly available list of organizations that have experienced a breach, especially if said breach was not handled well and/or you were found to be in willful neglect. On the other hand, you are not going to be able to make much progress unless the compliance budget supports the initiative(s). We don't have any empirical data, but we would venture a guess: most compliance budgets are nowhere near sufficient to meet HITECH's requirements today.
Looking for best-of-breed HIPAA training?
To stay current on the HITECH Act and its quickly changing regulatory scheme, visit the HITECH Survival Guide website and/or sign up for our free monthly compliance newsletter. Also, check out our FREE EHR Checklist.
If you need tools that will help with your compliance initiatives, check out the HSG Store. Do you need an Internet lawyer with HITECH / HIPAA experience?