Is Your Practice HITECH Compliant?

If you think your practice’s policies and procedures from 2003 are compliant with current law, please keep reading.

As many health care providers know, on January 25, 2013, the U.S. Department of Health and Human Services (“HHS”) published the final rule outlining significant changes to the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy, Security and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act.  The final rule went into effect September 23, 2013.  However, many health care organizations have not updated their policies and procedures.

On December 26, 2013, HHS announced its first settlement with a covered entity–Adult & Pediatric Dermatology, P.C., of Concord, Mass., (“APDerm”)–for not having policies and procedures in place to address the breach notification provisions of the HITECH Act.

“The HHS Office for Civil Rights (OCR) opened an investigation of APDerm upon receiving a report that an unencrypted thumb drive containing the electronic protected health information (ePHI) of approximately 2,200 individuals was stolen from a vehicle of one of its staff members. The thumb drive was never recovered. The investigation revealed that APDerm had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process. Further, APDerm did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members.”

Many practices believe that their old policies and procedures contained in a binder on a shelf are sufficient to withstand scrutiny from HHS. This is simply not true. If you haven’t updated your policies, your practice will be subject to increased penalties in the event of a data breach and HHS investigation.

APDerm settled with HHS for $150,000 and agreed to a corrective action plan requiring APDerm to develop a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities, as well as to provide an implementation report to OCR.

Health care organizations must be proactive in continually reviewing, updating, and implementing their policies and procedures in order to prevent a devastating data breach. Moreover, staff must be continually trained on the applicable policies and procedures.

As the HITECH Act compliance date was September 23, 2013, please do not hesitate to contact us for assistance with reviewing and updating your organization’s policies and procedures, as well as assistance with training your staff.
