HIPAA Compliance: What You Need to Know About the New HIPAA-HITECH Rules Counselors who have not already done so will need to update their policies and contracts to comply with new HIPAA rules added by the Health Information Technology for Economic and Clinical Health Act (HITECH). If you think HIPAA is no big deal or don't have a clue what HITECH means, this could be a wake-up call. On January 17, 2013, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued the final omnibus HIPAA-HITECH rules (45 CFR Parts 160 and 164) with an enforcement date of September 22, 2014. Unfortunately, pleading ignorance won’t get you very far with HHS or the attorneys general of your state. The term “did not know” is actually one of three penalty categories for violating the new HIPAA-HITECH rules, along with “reasonable cause” and “willful neglect.” All of them come with penalties. In the “did not know” category, a breach will cost you $100–$50,000 for each personal health information (PHI) item. If it has been a while since you brushed up on HIPAA-HITECH, you may be surprised to find that PHI and electronic PHI (ePHI) includes any of the following pertaining to a client: first name, last name, e-mail, ZIP code (yes, ZIP code), city, county, phone number, IP address and more (18 items in all). But hey, at least there’s a $1,500,000 annual cap on penalties! Bottom line, it would not be an overstatement to say these penalties would be devastating to a private practice or one’s professional career. It is time to get serious about HIPAA-HITECH. Enforcement is not just in hospitals anymore. HHS.gov cites several case examples of enforcement in mental health centers and private practices. Read the whole article at http://www.nbcc.org/assets/HIPAA_Compliance.pdf