ITAA: Industry faces rough road complying with health rules

The health care sector carries substantial risk for companies unfamiliar with the Health Insurance Portability and Accountability Act, the Information Technology Association of America says in its white paper, "HIPAA and its Legal Implications for Health Care Information Technology Solution Providers."

The health care sector carries substantial risk for companies unfamiliar with the Health Insurance Portability and Accountability Act, the Information Technology Association of America said today.

Failure to navigate the minefield of rules and regulations that HIPAA poses to the health care community could have a dramatic negative impact on IT solution providers, including failure to attract new customers, a loss of existing customers and even an increase in civil or criminal liability from improper handling of health information.

Companies that provide technology for health care systems should make HIPAA requirements a central focus of new software and solutions, according to the ITAA.

In a white paper, "HIPAA and its Legal Implications for Health Care Information Technology Solution Providers," the group provides an overview of the law's legal implications for health care IT solution providers, such as software vendors, application service providers, outsourcing companies and systems integrators.

"Health care providers are increasingly turning to technology to enhance their effectiveness and efficiency and manage administrative and regulatory burdens," said ITAA President Harris Miller. "To best serve their customers, health care IT solutions providers must address the developing concerns of their potential customer base."

HIPAA imposes harsh penalties for noncompliance. Although health care IT solution providers are not expressly subject to HIPAA unless they are "covered entities," every health care IT solution provider must be concerned about potential liability. Some scenarios for liability include:

*Covered entities may seek indemnification from a health care IT solution provider for any HIPAA violations that occur as a result of the provider's actions.

*Aggressive plaintiffs' lawyers may bring civil lawsuits stemming from the increased focus on health care privacy and security.

*Companies that agree through "business associate" contracts related to HIPAA compliance may subject themselves to potential criminal prosecution in certain situations for violations of the law.

To guard against these legal threats, ITAA recommends that health care IT solution providers make a concerted effort to understand and address HIPAA and its implications in all of their projects.

HIPAA was enacted in 1996 as part of a broad congressional attempt at incremental health care reform. The law required the Health and Human Services Department to develop standards and requirements for the maintenance and transmission of health information. The subsequent rules and regulations focus on four primary areas: privacy, security, transaction standards and code sets, and unique identifiers.

The white paper is available at http://www.itaa.org/isec/docs/hippawhitepaper.pdf.