In a continuing series on the new push for implementation of health information technology (HIT) and the concerns that HIT has raised, DOTmed spoke with Wayne J. Miller, of the Compliance Law Group in Los Angeles, CA. Mr. Miller has had a 26-year career specialty as a health care law attorney and he frequently conducts audioseminars on legal and regulatory issues for health care providers through Audioeducator.com. A recent Audioeducator presentation described in detail the substantive changes in HIPAA privacy and security requirements imposed by the American Recovery and Reinvestment Act (ARRA) and the substantially increased costs in the event of non-compliance.

HIPAA presents some compliance problems for HIT, Millers says. "The new HIPAA laws added by the ARRA present several additional burdens for implementing and maintaining electronic medical records. First, the law extends more stringent obligations on contractors that disclose or use electronic records on behalf of health care providers. This ranges from technology companies, to managers and professionals like lawyers and accountants. It's widely believed that these companies have not been as closely scrutinized as traditional health care providers with respect to HIPAA compliance. Traditional providers and their business partners may need to do compliance audits to see how well these contractors live up to privacy and security standards for electronically maintained records."

Miller points out the new law also "beefs up" standards specific to disclosure and security of electronic records. Systems will have to adopt new standards to be developed by the Centers for Medicare and Medicaid Services as to what is the appropriate "minimum necessary" material to be released as required by the law. "Also, the law requires providers and business associates using electronic systems to keep track of every disclosure of information for each patient (previously only unauthorized disclosures needed to be logged). In addition, the new law imposes a mandated procedure to follow if there is a breach of electronic information security, which includes tracking down and notifying those that are affected, as well as evaluating the damage caused by the breach.
"These requirements are likely to add to administrative headaches and costs for both planning and implementation," Miller said. "Added to that are increased costs if mistakes happen. "Now up to $1,500,000 in penalties could be assessed for violations that are not fixed and are found to be caused by negligence."

More Industry Headlines