A couple of weeks ago I was surprised and concerned by a statement made in one of my many listservs by a lawyer commenting on HIPAA books and past advice given for HIPAA compliance…
She wrote that HIPAA advice and most of the HIPAA requirements “are rendered obsolete by the HITECH Act. Thus, even though these books may help provide background and a high level understanding of many issues, they do not reflect the current state of the law, and should not be trusted.”
I was amazed to see this statement. At the time I read this I was at a conference checking my emails with other CISOs and CPOs around me in a lobby area. I showed the email to some of the ones close beside me. They were all surprised and one said, “Did the HITECH Act replace HIPAA? You mean everything I’ve done so far is now obsolete and now I have to start all over?”
No, of course not. There are significant additional requirements to HIPAA as a result of the HITECH Act, but the bulk of all original HIPAA Security Rule and Privacy Rule requirements are still quite valid and should be followed. It would be dangerous not to do so. Not only from a compliance perspective, but also from an information security, privacy and risk management point of view.
I disagree with the lawyer’s opinion that “all past advice” is “rendered obsolete” by the HITECH Act. I agree that the HITECH Act has provided additional requirements. However, the bulk of the other requirements are also still there. I’ve written recently in several places, including several times within my blog here, here and here, and gave a podcast with Alex Howard at IT Compliance about the HITECH Act which you can hear here.
The lawyer actually indicated she had wrote a HIPAA book; I was not familiar with it. However, I know that mine, “The Practical Guide to HIPAA Privacy and Security Compliance” and probably some of the others out there, provide practical direction to help information security AND privacy practitioners to address HIPAA requirements within the realm of their organizations, based upon risk and explaining how to do risk assessment, along with other practitioner compliance responsibilities that still very much exist. My book is much more than just a delineation of the regulatory text.
I agree that updates to existing HIPAA-specific books should be done; in fact I’m already communicating an update with my co-author, Kevin Beaver, and my publisher.
If you do not already own a HIPAA-specific book I would agree that you may want to wait to invest in a book specifically about HIPAA until editions covering HITECH Act, and the related issues, have been published. However, what I’m hoping to result in what I’m pursuing with my publisher is to have an addendum published for the current book with all the information that privacy and information security practitioners need to address the HITECH Act changes, in addition to then putting out a second edition of the book soon after that.
But for this lawyer to say all advice and “all the books are rendered obsolete” is NOT a fair or accurate statement, especially considering she has not looked at or used any of the books other than hers. Perhaps her statement is true for her own book.
I’ve received a lot of great feedback since my book was published from practitioners who were struggling with realistically implementing an effective information security and privacy program that went beyond just the letter of the law. Many of them are still in touch and have told me that they still use it regularly. The practitioner guidance provided within is still trusted for all the requirements that still are in effect that were before the HITECH Act.
It is important for information security and privacy practitioners, along with business leaders, to remember these facts…
- HITECH Act did not replace all the HIPAA requirements. Put *quite simplistically* it augmented it and expanded the requirements, primarily adding breach response requirements and additional BA contract requirements for CEs, along with greatly expanding BA responsibilities for which existing guidance to CEs can be used by BAs. Many BAs are now effectively using existing HIPAA books for help in these areas. In addition to including direction for rendering PHI unusable. Not to mention the non-CE and non-BA requirements for breach response under the eye of the FTC.
- The majority of existing HIPAA guidance is still quite applicable, in addition to, yes, needing guidance for the new requirements as mentioned.
It is our responsibility as HIPAA compliance practitioners, and certainly for lawyers giving legal opinions, not to mislead those responsible for following rules to say that what used to apply no longer does; we don’t want covered entities (CEs) or business associates (BAs) to think that now the *only* things they have to do is what is stated in the HITECH Act to the omission of all the other requirements.
“Obsolete” is a dangerous word for someone giving practitoners advice to use.
Tags: awareness and training, HIPAA, HITECH Act, Information Security, IT compliance, IT training, patient privacy, policies and procedures, privacy training, risk management, security training