Regulations and Implementation

In a paper (750-1,000 words), explain how the impact of HIPPA and HITECH
regulations will impact the implementation of various systems moving forward.
Consider impacts to and from federal, local, software vendors/users, hardware
vendors/users, infrastructure, and organizational standards. Papers must address
the following:
1) Clearly define impact of HIPAA and HITECH regulations on health care systems for
the future with mention to state and federal differences.
2) Define how the regulations will modify the implementation and ongoing use of
software systems that maintain patient data.
3) Discuss the changes and impacts to software and hardware vendors.
4) Clarify the changes and impacts to infrastructure and organizational standards.

Regulations and Implementation 

 The impact of HIPAA and HITECH regulations on health care systems for the future with
mention to state and federal differences
The HITECH Act introduced modifications to the traditional rules on the types of
disclosures and uses for treatment, healthcare operations and payment. The amendment to the
Act now mandates providers of health care who use an electronic health record system to ensure
that they, on request, submit an accounted report on all disclosures and uses including those for
health care operations payment and treatment which were done in the last three years.

REGULATIONS AND IMPLEMENTATION  2

The main areas in which HITECH impacts on the compliance to HPAA by companies is
in relation to the provisions for business associate and requirement for federal breach reporting.
Initially, HPAA provided for compliance with Privacy and Security Rules by covered entities.
However, the business associates were not required to comply. It was the duty of the covered
entities to ensure that the business associates acted in compliance with HPAA. The modification
of the HPAA has an impact on both the business associates and covered entities. With regards to
covered entities, the law requires the review of previous contractual agreements which required
the business associate to guard the protected health information shared with covered entities in
line with HITECH for determination of the language used in those contracts. Furthermore, the
legal changes now require the business associates to comply with HPAA. Consequently, they are
required to review their current control processes and controls in line with HPAA compliance
requirements and rectify any gaps between the HPAA requirements and their current processes.
Failure to comply with HPAA and HITECH requirements amounts to an offence attracting a fine
of up to $1.5 million. Non-compliance may also lead to untold damage to the reputations of the
parties involved. Thus companies and persons affected by the rules will strive to ensure that they
are at the safer side of the law and this will promote good health care practices with regards to
protection of individual information (Solove, 2013).
HITECH also requires both business associates and covered entities to design a breach
notification procedure which should be followed in case of a breach. HITECH uses particular
definitions of a breach and requirements for reporting in relation to the type and magnitude of
breach. HITECH also highlights exceptions to the requirements for reporting. Consequently,
business associates and covered entities are supposed to review their traditional incident response

REGULATIONS AND IMPLEMENTATION  3

and breach notification procedures to be in compliance with HITECH requirements. These
regulations are likely to cause medical centers and physicians to withhold data from individuals
who have right of access due to the heavy statutory penalties for violators. Another impact of the
regulations is with regards to costs of implementation. Medical centers are and will continue
facing the challenge of increased operational costs due to the need to seek “HIPAA consultant”
for familiarization with the laws, and the increased paperwork and staff required to meet the
HIPAA requirements (Solove, 2013).
The HIPAA law has also been modified in order to create a larger impact on health plans
and companies which work in the managed care arena. The general impact of these legal
modifications is that promote the protection of individual’s health information. The law requires
both state and federal governments to be involved actively in the health sector with regards to
punishment of companies which do not comply with the requirements of HITECH and HIPAA
(Hipaa.com).
How the regulations will modify the implementation and ongoing use of software systems
that maintain patient data
With regards to compliance with the Technical Safeguard Standard, covered entities need
to ensure the implementation of procedures for verifying the identity of people seeking access to
electronically protected patient data. This is in line with HPAA requirements of nondisclosure of
protected individual information to wrong persons. Covered entities must therefore develop and
implement this software in order to ensure that information is only given out to people with
rightful claims (Solove, 2013).

REGULATIONS AND IMPLEMENTATION  4

The security officials for covered entities are required to implement policies and
procedures which require business associates or workforce members to verify the identity of
those who seek access to electronically protected patient data. The implementation is demanding
since it requires more than just a password. It require the maintenance of audit trails in order for
the covered entities to authenticate the identity of the people and entities that create, read, alter,
destroy or transmit electronically protected patient data (Solove, 2013; Credant Technologies,
Inc).
The changes and impacts to software and hardware vendors
Currently, cloud vendors, subcontractors, SaaS vendors and others are categorized as
business associates and must comply with HITECH and HIPAA security and privacy
requirements. Failure to comply with HIPAA and HITECH requirements attracts heavy statutory
penalties of up to $1.5 million. The vendors must be updated by the covered entities on the
compliance requirements and the expanded responsibilities (Bowman, 2012). They must ensure
that the data in their possession is handled securely. The impact on vendors is that most of them
will fear getting involved with patient data because of the data breaches and the heavy fines
attached to such violations. In addition, the security officials of covered entities are required to
consult hardware and software vendors on matters relating to authentication with regards to
electronic media. This is because authentication control procedures include software
applications, database and operating systems (Hipaa.com; Credant Technologies, Inc; Bowman,
2012).
 The changes and impacts to infrastructure and organizational standards

REGULATIONS AND IMPLEMENTATION  5

HIPAA provides patients with a right to access their protected health information through an
electronic format. The patient can also indicate that a certain third party may access the electronic
protected health information. The medical center is only required to charge a fee equivalent to the labor
cost. This implies that the organization cannot transfer the costs of infrastructure to the patients. The
medical center is supposed to transform the organizational culture of the institution through the education
of employees on the specific privacy and security responsibilities. In addition, the health provider has a
duty to evaluate and assess the possible risks arising from program governance and infrastructure
including resources, staffing, reporting relationships and designation of security and privacy officers. This
way, the institution will be prepared to respond to emergencies and other infrastructural challenges such
as natural disaster, system failure, vandalism and fire (Solove, 2013; Hipaa.com).

References
Bowman, D. (2012). HIPAA Changes Likely to Put Onus on Vendors to Protect Data. Fierce
Health IT. Accessed on 26 th June 2013.
Credant Technologies, Inc. (2013). The HITECH Act: Raising the Compliance Bar for HIPAA.
In-Depth Solution Brief. Accessed on 26 th June 2013.
Person or Entity Authentication: What This HIPAA Security Rule Technical Safeguard Standard
Means. Hipaa.com. Accessed on 26 th June 2013.
Solove, D. (2013). HIPAA Turns 10: Analyzing the Past, Present, and Future Impact.

REGULATIONS AND IMPLEMENTATION