| Area | Regulation | Description | Impact |
|---|---|---|---|
| IT Change Management | HIPAA 5010 ("electronic transaction standards") | Modifies the HIPAA 4010 transaction standards, primarily to support the ICD-10 upgrade. Without the upgrade, providers and health plans cannot transact business electronically. | Pervasive systems upgrade and remediation of existing operating software, hardware, applications, etc. Impact is mostly isolated to the IT area. |
| IT Change Management | ICD-10 Upgrade ("International Classification of Diseases and Related Problems, Version 10") | Comprehensive overhaul of the medical coding system, the set of codes that translates written descriptions of a diagnosis into a coded format. The coding system is deeply ingrained in operations and in the technological infrastructure. | Invasive transformation: massive systems upgrades and remediation of existing software and business processes, including payments, claims adjustment, and actuarial. |
| IT Security and Privacy Mgt | HITECH Act | Extends the scope of the privacy and security rules of the Health Insurance Portability and Accountability Act ("HIPAA") and imposes breach notification requirements. | HIPAA established a comprehensive regulatory framework of Privacy and Security Rules. HITECH expands that scope, adds breach notification requirements, and imposes more stringent penalties. |
| IT Security and Privacy Mgt | Gramm-Leach-Bliley ("GLB Act") | The Financial Privacy Rule and the Safeguards Rule are established under the GLBA. | The rules require complex administrative, technical and physical information safeguards. Compliance and risk management are challenging. |
| IT Security and Privacy Mgt | Massachusetts Data Security Regulations | Imposes detailed administrative and technical obligations on any business handling personal information of Massachusetts residents. | Companies must either apply the rules across the whole business or carve out the data of Massachusetts residents and apply the rules to that data only. |
| IT Security and Privacy Mgt | Red Flag Rules | The FTC requires companies to have written identity theft prevention and notification programs containing "red flag" policies to detect potential fraud, in order to prevent or mitigate the effects of identity theft. | Companies must define and document their policies and identify their red flags. The policies and procedures must be updated annually. |