Information Security Blog

New HITECH Rules Are Here: Ready or Not?

These ISO 27001 links are part of a weekly series, Ethical Hacker Roundup, featuring recent information security and cyber security related articles that we’ve read over and thought worth sharing.

These articles were emailed to us, shared on Twitter @pivotpointsec and our Google+ page, and read in RSS subscriptions this week.

New HITECH Privacy and Security Update Final Rule Released

After years of anxiety across healthcare and other industries, the US Department of Health and Human Services (HHS) just released the Health Information Technology for Economic and Clinical Health (HITECH) modifications to the fifteen-year-old Health Insurance Portability and Accountability Act (HIPAA) privacy and security regulations.

Dubbed the most sweeping changes since HIPAA was first implemented, the new rules will strongly affect any third-party organization that stores or manages patient health records or supports workflow processes relating to them. The rule goes into effect on March 26, 2013, with a compliance date of September 21, 2013.

Among the many changes across the 563-page omnibus rule is the combination of what are actually four final rules, in an attempt to “reduce the impact and number of times certain compliance activities need to be undertaken by the regulated entities.” These are, in a nutshell:

  1. Modifications to the HIPAA Privacy, Security and Enforcement Rules mandated by the HITECH Act, which were issued as a proposed rule in July 2010.
  2. Changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil monetary penalty structure delineated by HITECH, which was originally published as an interim final rule in October 2009.
  3. A final rule on Breach Notification for Unsecured Protected Health Information under HITECH, which replaces the old “harm threshold” and supersedes the interim final rule published in August 2009.
  4. A final rule changing the HIPAA Privacy Rule to align it with the Genetic Information Nondiscrimination Act (GINA), which prohibits most health plans from using or disclosing genetic information for underwriting purposes (published as a proposed rule in October 2009).

A number of changes under the new final rule will directly affect third-party IT providers and other third-party service providers to the Healthcare industry. Perhaps most significantly, the new rules expand HIPAA requirements to include “business associates of healthcare providers, health plans and other entities that receive protected health information, such as contractors and subcontractors.” That is, “business associates of covered entities are directly liable for compliance” with certain requirements.

Other key changes that will affect Healthcare service providers as well as the entire Healthcare provider sector relate to breaches of healthcare data. Since some of the largest breaches of PII ever reported have involved third parties, penalties are increased for noncompliance by third parties based on the level of negligence, up to a maximum of $1.5 million per violation. The new rule also strengthens the HITECH breach notification requirements by clarifying exactly when healthcare data breaches must be reported to HHS.

Not surprisingly, IT leaders view the new regulations as a further regulatory challenge. Healthcare providers and the vendors that serve them are already challenged to balance “protection with sharing” in addressing both HIPAA compliance and HITECH regulations.

For more information

  • The HHS news release announcing the new rule.
  • The rule in its entirety, in PDF format.
  • The new HHS website on Privacy & Security Policy.

ISO 27001 Consulting

It is the ability to certify the operation of an Information Security Management System (ISMS) that makes 27001 unique and makes it ideal to be used as a form of independent attestation to the design and operation of an Information Security program. Pivot Point Security can help your business achieve ISO 27001 certification. See how we can help.

About the Author:

Marketing at Pivot Point Security