Hospitals face compliance problems with HITECH Act

Find opportunities — and win them.

Hospitals are coping with new privacy and security regulations for health information technology that went into effect Feb. 17.

New privacy and security requirements for health information technology contained in the economic stimulus law became effective Feb. 17, and providers are already reporting difficulties in complying with the new rules.

The Health Information Technology for Economic and Clinical Health (HITECH) Act sets rules for disclosure reporting, privacy monitoring, the limited use of personal medical data for marketing, and patients’ electronic access to their health information.

Nearly a third of the 200 hospitals polled in a recent survey said they are not ready to meet all the law’s privacy and security requirements by the deadlines, according to health IT solutions vendor FairWarning. The firm commissioned the survey from New London Consulting and issued a news release on the results today.

Covered entities, which include hospitals and doctors and their business associates, face new compliance regulations related to privacy and access to information, according to an analysis distributed by law firm Hogan and Hartson. However, portions of the regulations are unclear, the firm said.

“Many of the new obligations require significant resources for implementation (e.g., amending business associate agreements, adopting new systems for limiting disclosures to health plans and providing copies in electronic formats that can be securely delivered),” the Hogan and Hartson news release states. “Yet, the HITECH provisions are unclear in many places."

In addition to the new compliance challenges, medical providers face new and strengthened enforcement provisions and penalties related to the Health Insurance Portability and Accountability Act, which were included in the stimulus law.

In related news, the Government Accountability Office released a new report describing ways in which medical providers are fulfilling privacy and disclosure requirements for personal health data.