The recently enacted Stimulus Bill (aka the American Recovery and Reinvestment Act) was intended to help alleviate some of the problems associated with the current economic crisis. Early indications are that at least some of its provisions are having a positive effect, as we see early signs of a turnaround in the economy.
But there is a somewhat less visible component of this Bill that could have a significant and longer-term impact on many companies. The regulation is called the Health Information Technology for Economic and Clinical Health Act (HITECH), and it will cause major changes in the way HIPAA compliance is defined and enforced, and in the range of companies covered by it. But first, let's back up a little.
HIPAA has been around for several years, its requirements are relatively well-known, and its benefits are fairly widely acknowledged. Yet, speaking as someone who only observes HIPAA compliance from the sidelines (I go to doctor's offices and sign the forms, but otherwise I have no official HIPAA function or expertise), my impression is that HIPAA compliance has been sporadic, and enforcement has been somewhere between weak and non-existent. (And it looks like a number of industry analysts agree with me, based on this recent SearchCompliance.com story.) Well, the new Bill may put an end to that!
This new regulation impacts HIPAA compliance in three main areas:
1) Increased penalties for non-compliance. As a result of HITECH, civil penalties for HIPAA violations have gone up a lot, potentially up to $1.5 million a year. In addition, unwarranted disclosure of protected health information (PHI) could result in criminal prosecution and potential jail time.

2) Security breach notification. A security breach that results in PHI being compromised must now be disclosed, and each affected individual must be notified. If 500 or more individuals are affected, the event must also be reported to the Department of Health and Human Services (HHS).

3) Expanded coverage of HIPAA compliance. In the original HIPAA Bill, there were three categories of organizations: covered entities (such as healthcare providers and insurance companies), their business partners (HIPAA's own term is "business associates"), and everybody else. HIPAA imposed compliance requirements only on the first group. Business partners had to have contracts with the covered entities to ensure that PHI was protected, but in general (and this is not a legal opinion), it was the covered entities who were primarily subject to the penalties imposed by HIPAA. The new regulation extends direct coverage to business partners: if they handle PHI, they must meet the same requirements as covered entities, and are subject to the same civil and criminal penalties.
This has the potential to impact a large number of companies. My hunch is that the trail of handlers of PHI as it moves around the healthcare ecosystem is large, and now all of them must ensure that they can meet the key requirements of HIPAA. This might imply a detailed review of all their business processes that are in any way involved in the handling of PHI, and possibly some redesign of IT controls to ensure that this information is protected.
These additional requirements may also change the way the general public interacts with these companies, although these changes will be much less noticeable than the ones facing the business partners themselves. Specifically, as business partners become subject to much more stringent requirements for protecting PHI, they will likely move to stronger security mechanisms (such as more stringent user authentication) to prevent inappropriate access to that information. Get ready to spend more time proving that you are who you say you are!
I'm sure many organizations are trying to sort through how best to meet these requirements, particularly when it comes to new levels of securing personal data and being able to prove it was kept secure. If you fall into that camp, there's an organization that may be a good resource for you called the Health Information Trust Alliance (HITRUST), which is focused on developing a standard IT security framework for healthcare information. CA is one of the founding members; you can check out some additional news coming out of the group this week here.
The deadline for compliance is in early 2010, but given the penalties involved and the potentially large impact on many companies, expect to see a lot more activity around HIPAA compliance as 2010 approaches.