A law that goes into effect on Feb. 17 establishes stiff penalties for firms that fail to protect medical records – even if they aren’t medical services providers.

The Health Information Technology for Economic and Clinical Health (HITECH) Act was passed in 2009 as part of the stimulus package. It grants the attorneys general in Florida and other states the authority to levy penalties against third-party providers to health care institutions who don’t follow Health Insurance Portability and Accountability Act (HIPAA) patient record privacy regulations.

The attorney general in Connecticut got an early start in January when he filed a lawsuit against a health insurance company for failing to notify 446000 enrollees about a security breach involving their health records.

HIPAA requires that holders of medical records limit access to them and quickly notify patients if their records have been compromised. A breach involving at least 500 people must be reported to major media outlets. Fines range from $100 to $50000 per incident with a maximum penalty of $1.5 million a year.

Companies that the HITECH Act applies to include accounting firms software companies billing agencies and law firms that work directly with medical records through a contract with medical providers. Before the law they had to comply with HIPAA but they couldn’t face penalties for not doing so.

Ryan Wiggins a spokeswoman for Florida Attorney General Bill McCollum said the state’s top prosecutor is determining which units in his office are best suited to enforce the HITECH Act.

Jim Mattei CEO of Miami-based United Business Corp. said his health care software company has reviewed its compliance with HIPAA including its policies for passwords data encryption and the physical security of its building. The company works directly with medical records and must ensure that only authorized employees can view them.

His staff undergoes HIPAA training sessions. Mattei hired accounting firm Kaufman Rossin & Co. to perform an audit of its procedures.

“That is important because inevitably we might miss something and an outside security firm is able to see things that we might not see” he said.

Jorge Rey the director of information security and compliance at Kaufman Rossin’s Miami office said some third-party providers he’s seen have needed to make corrections to comply with the new law.

Some of them needed to toughen their password policies including using more complex passwords not writing them down in obvious places and regularly changing them. Companies should also limit the number of computers where medical records are stored and who has access to them. Rey discourages companies from keeping medical records on laptops.

Rey also said that e-mails involving medical records should be encrypted because “when you’re sending it in an unencrypted e-mail you increase the likelihood that medical information could get in the hands of someone who isn’t the intended receiver.””

Rey recommends staff training on HIPAA rules and written guidelines.

Larry Reid CEO of Boca Raton-based health care collections agency RSource said he has amended its servicing agreements with medical providers to ensure that it complies with the HITECH Act.

“Our goal is to never have a breach but now we know what to do in case one happens” Reid said. “The environment has definitely changed and everyone understands that enforcement will be tougher going forward.”

Click here to read the article on BizJournals.com.

“”sfbj120x80.jpgSFBJ.jpg”