2010 HIPAA Requirements, The HITECH Act
The American Recovery and Reinvestment Act of 2009 (ARRA/Stimulus Bill), enacted on February 17, 2009, substantially revised the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requirements regarding Protected Health Information (PHI). HIPAA regulates the means by which covered entities and business associates access, transmit, store and disclose PHI.
Effective February 22, 2010, ARRA requires HIPAA policy and procedure revisions, enhanced notification obligations in the event of a breach of unsecured PHI, and significant administrative, physical and technological safeguards. Such requirements, among others, are included as the Health Information Technology for Economic and Clinical Health Act (HITECH Act).
Please click HERE for detailed information regarding the HITECH Act, including definitions, exceptions and recommendations.
In addition to the enhanced notification and procedural requirements, HIPAA requirements now apply directly to business associates. Previously, covered entities (i.e., health care providers, health care plans and health care clearinghouses) were directly subject to HIPAA enforcement and penalties, and the impact on business associates was limited to contractual remedies.
Business associates are persons or entities that perform functions requiring access to and use of PHI on behalf of covered entities, and as of February 17, 2010, the rules apply to business associates to the same extent as to covered entities.
Covered entities should review their existing business associate agreements to verify compliance with the HITECH Act. The business associate agreement must appropriately describe the roles and responsibilities of each party with respect to the breach notification requirements. Plan sponsors may also wish to request confirmation that their business associates are now operating in accordance with HIPAA’s security provisions.
In response to the HITECH Act, Oswald Companies is partnering with ZIX Corporation (“ZIX Corp”) to implement a new email encryption system to identify sensitive data, such as social security numbers, account numbers and other confidential information. Implementation of this system will ensure Oswald is compliant with data security regulations.
Our new email encryption system will begin deployment on February 18, 2010. However, to provide notification as well as to establish expectations, Oswald Companies will include a disclaimer within e-mail signatures that emails will soon be encrypted to ensure the protection of personally identifiable and sensitive information.
To comply with federal data security laws, the contents of e-mails will be encrypted and the recipient will receive an e-mail with a link to a secure portal (ZIXPort) to view the message. Clicking on the link will allow the recipient to create a password (including a “remember me” feature for convenience) and read the secure, encrypted e-mail message.
If the recipient is a ZIXCorp client, the e-mail will arrive in e-mail inboxes directly without the link to the portal. ZIXCorp has over 19,000,000 members.
To learn more about e-mail encryption from ZIXCorp, please click HERE. For a list of Frequently Asked Questions, please click HERE.
Protecting confidential information in electronic communications is of value to our clients, as well as a legal requirement to comply with data security laws in 2010. ZIXCorp has developed a solution to help protect our clients and business partners with minimal disruption to our processes and operations.
Please direct any questions regarding HIPAA and the HITECH Act to Kurt Meinberg (216.658.5034) or Andrea Esselstein (216.658.5012), and regarding email encryption processes to Sharon Petrella (216.658.5020).