Healthcare Services and Health Plan Administrators are in the cross-hairs of federal regulators from the Department of Health and Human Services. February 17th was the moment… the tipping point… because after that, the enforcement penalties found in the new Health Information Technology for Economic and Clinical Health Act, also known as the HITECH Act, came into effect. The HITECH Act now requires both healthcare providers AND their business associates to comply with Health Insurance Portability and Accountability Act (HIPAA) Security Rules. The HITECH Act also added enforcement for the requirements with higher fines and stricter breach notification for HIPAA violators.
Enforcement of the new rules comes from the Office of Civil Rights (OCR) within the HHS. HIPAA security rules mandate that appropriate administrative, technical, and physical safeguards be used to protect the privacy and security of Protected Health Information, or PHI for short. Protected health information includes items such as the name, social security number, address and patient insurance account numbers. The HITECH Act also permits state Attorney General’s offices to pursue civil charges on behalf of victims, in addition to fines for HIPAA violators of up to $1.5 million per year.

Connecticut Attorney General Richard Blumenthal hasn’t wasted any time in using his new powers. In early January, Richard Blumenthal sued Health Net of Connecticut over the loss of a hard drive last spring containing data for 450,000 Health Net enrollees. His office said the lawsuit was the first under HITECH Act provisions for health data breaches.

Check out the Rapid7 Recon Reporter Podcast to hear tips on how healthcare service providers and their business associates can comply with the HITECH Act: http://www.rapid7.com/resources/podcasts.jsp

