
Has anyone heard of the new HITECH Federal Act? I understand that it is an underscore of the HIPAA Federal Act but am unclear on the requirements that they are requesting.

It targets companies that deal with the storage or movement of medical and financial files, which targets the small business that I work for. We want to ensure we are following these regulations so as not to incur penalty fines.

THE QUESTION: What does the Act outline and what steps can we take to ensure we are following it?

Rory Alsop
Anthony Miller
  • I'm having a little trouble determining exactly what you're asking us for. Would you care to clarify, and maybe get a bit more specific on your question? – Scott Pack Dec 06 '11 at 19:24
  • @ScottPack is my question acceptable? – Anthony Miller Dec 06 '11 at 19:30
  • Most likely to be answered at [HealthcareIT.se](http://healthcareit.stackexchange.com) – Jeff Ferland Dec 06 '11 at 21:31
  • Do you have a copy of the act? I have just had a quick look online and it seems to explain the privacy additions to HIPAA quite clearly. Can you revise your question to list what you don't understand in the act? – Rory Alsop Dec 07 '11 at 15:15
  • Rory, can you provide a link to what you read online? When I tried searching for HITECH in the HIPAA act on the federal website, it returned nothing for me. – Anthony Miller Dec 07 '11 at 17:24
  • That's because HITECH is a different law, 12.5 years newer than HIPAA. Title XIII of Division A of the American Recovery and Reinvestment Act of 2009 (the "stimulus bill") states that "the HITECH Act" refers to that title and Title IV of Division B. – minopret Mar 09 '12 at 04:14
  • For those who come across this: check out (1) http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs_gov__learn_about_hitech/1233 – Eric G Aug 29 '12 at 03:41
  • @JeffFerland That SE has been closed down. This would be a good fit for the [Healthcare Industry](http://area51.stackexchange.com/proposals/41370/healthcare-industry?referrer=0FgbVsKaId7Z_15aCbzplg2) one, though. – Oleksi Oct 09 '12 at 19:43

1 Answer


The first question you have to ask is "Does HITECH (and by extension HIPAA) affect my company?" Do you store files with protected information in them? Do you move files with protected information in them? If the answer to either of those questions is YES, then you must examine the security of your organization. Make sure physical and digital access to files/data is logged and is auditable. Make sure the files/data reside on physically and digitally secured storage (on an encrypted drive with proper ACLs on a server in a locked rack, where physical access to the server is logged and auditable). If the data is in a database, are you using column encryption on personally identifiable data (think last name, address, DOB, SSN, etc.)? If you're moving the files/data, make sure that you use an encrypted/secure connection to move them, e.g. HTTPS, SFTP, FTPS, etc., and that all moves are logged and auditable.

Meet the above basics first, then worry about digging into more detail of the actual legislation.

Josh
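The answer above names two of the controls that come up again and again in HIPAA/HITECH assessments: encrypting the personally identifiable columns (last name, address, DOB, SSN) rather than only the disk, and making every access to that data auditable. The following Go program is an added example of what that looks like at the application layer; it is not code from the original answer or from any HHS guidance. It encrypts each PII field with AES-256-GCM under a per-column key, binds the ciphertext to its record ID and column name so a value cannot be copied into another row or column without failing authentication, and appends an entry to an access log on every write and every read attempt, successful or not. The field names, the `Store` type, the log layout and the in-process key are all constructed for illustration; a real deployment would fetch the key from a KMS or HSM and ship the log to a write-once store.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"time"
)

// Constructed example: application-level column encryption for PII fields
// with an access log. Field names, key handling and log format are
// illustrative assumptions, not taken from the original answer.

// PIIColumn is one stored field value: base64(nonce || ciphertext || tag).
type PIIColumn string

// AuditEntry records one access attempt against one field of one record.
type AuditEntry struct {
	When     time.Time
	Actor    string
	Action   string // "write" or "read"
	RecordID string
	Column   string
	OK       bool
}

// Store wraps the column key (assumed to come from a KMS/HSM in practice,
// never stored beside the data) and an append-only access log.
type Store struct {
	aead  cipher.AEAD
	Audit []AuditEntry
}

// NewStore builds an AES-256-GCM sealer from a 32-byte key.
func NewStore(key []byte) (*Store, error) {
	if len(key) != 32 {
		return nil, errors.New("column key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Store{aead: aead}, nil
}

// aad binds a ciphertext to its record and column: moving the value into
// another row or column makes authentication fail on decrypt.
func aad(recordID, column string) []byte {
	return []byte(recordID + "/" + column)
}

func (s *Store) log(actor, action, recordID, column string, ok bool) {
	s.Audit = append(s.Audit, AuditEntry{time.Now().UTC(), actor, action, recordID, column, ok})
}

// Encrypt seals one PII value under a fresh random nonce and logs the write.
func (s *Store) Encrypt(actor, recordID, column, plaintext string) (PIIColumn, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		s.log(actor, "write", recordID, column, false)
		return "", err
	}
	ct := s.aead.Seal(nonce, nonce, []byte(plaintext), aad(recordID, column))
	s.log(actor, "write", recordID, column, true)
	return PIIColumn(base64.StdEncoding.EncodeToString(ct)), nil
}

// Decrypt opens one value. A tampered, swapped or truncated ciphertext is
// rejected, and the attempt is logged whether or not it succeeds.
func (s *Store) Decrypt(actor, recordID, column string, v PIIColumn) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(string(v))
	ns := s.aead.NonceSize()
	if err != nil || len(raw) < ns {
		s.log(actor, "read", recordID, column, false)
		return "", errors.New("malformed ciphertext")
	}
	pt, err := s.aead.Open(nil, raw[:ns], raw[ns:], aad(recordID, column))
	if err != nil {
		s.log(actor, "read", recordID, column, false)
		return "", err
	}
	s.log(actor, "read", recordID, column, true)
	return string(pt), nil
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil { // demo only: real key lives in a KMS/HSM
		panic(err)
	}
	s, _ := NewStore(key)
	ssn, _ := s.Encrypt("billing-app", "patient-0001", "ssn", "123-45-6789") // constructed sample
	fmt.Println("stored:", ssn)
	if _, err := s.Decrypt("billing-app", "patient-0002", "ssn", ssn); err != nil {
		fmt.Println("value moved to another record is rejected:", err)
	}
	for _, e := range s.Audit {
		fmt.Printf("%s %s %s %s/%s ok=%v\n", e.When.Format(time.RFC3339), e.Actor, e.Action, e.RecordID, e.Column, e.OK)
	}
}
```

The two design points worth carrying into a real system are the additional authenticated data and the failed-read entries. Without the record/column binding, an encrypted column only protects against someone reading the database file; with it, an attacker who can write to the table still cannot reassign one patient's encrypted SSN to another row. Logging denied reads alongside successful ones is what turns the log into something an auditor (or a detection rule) can actually use, since a burst of authentication failures on PII columns is a signal in its own right.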