President Obama signed the American Recovery and Reinvestment Act (ARRA) into law February 17, 2009. ARRA provides $787 billion in new spending and tax cuts, and billions for health information technology (HIT). Medicare and Medicaid are the two main incentive opportunities of ARRA. The president’s economic stimulus package also made numerous changes to the Health Insurance Portability and Accountability Act (HIPAA), affecting electronic and paper records which contain patient-identifiable health information (PHI). Details will be determined through the federal regulatory process. The revisions don’t affect all employers, but many in healthcare. Covered are health plans (such as insurers), healthcare providers, and healthcare clearinghouses.

Title XIII of ARRA, the Health Information Technology for Economic and Clinical Health (HITECH) Act, is the source of these dozens of HIPAA revisions. The most sweeping change, according to Jennifer N. Willcox, an attorney with Pullman & Comley, Bridgeport, Conn., is to the obligations of “business associates.” “Business associates” are organizations under contract to health plans, providers, or clearinghouses to perform various outsourced functions that involve access to private health information. When the HITECH Act becomes effective in February 2010, these associates will be subject to the same civil and criminal penalties that can now be assessed against plans and providers for HIPAA violations. “Business associates will now have an express obligation to ‘rat out’ [plans or providers] … if they have knowledge that a … customer is violating the regulations,” she says.

Many state laws already require that people whose personal information is stolen must be notified by the company from which it was stolen, and now the HITECH Act will add a federal obligation to those laws. HIPAA enforcement must have been seen as lax by Congress, so legislators enhanced the penalties.
Criminal penalties will apply to covered entities that violate privacy rules, as well as to those organizations’ individual employees. And, civil penalties can also be shared with harmed individuals. HITECH gives state attorneys general the power to enforce HIPAA rules. ARRA has designated more than $20 billion for the transition to electronic health records (EHR). Congress has recognized the need to improve protections under HIPAA to ensure tough privacy and security measures protecting these records. Many HIPAA provisions have been changed and covered entities will need to update their HIPAA privacy and security programs to implement these changes. The rules for restrictions of disclosures of protected health information, accounting of disclosures, marketing communications and the minimum necessary provisions have been changed. Security safeguards will need to be reexamined in light of guidance issued in connection with HIPAA's new breach notification requirements. Also, business associate contracts will need to be revised to incorporate the major changes to the treatment of business associates. Further guidance for implementing these changes will be contained in HHS regulations that are expected to be published in mid-August (“United States: Significant Changes To HIPAA as a Result Of President Obama’s Stimulus Package,” by Allison K. Perry, Bracewell & Giuliani, LLP, July 13, 2009, Mondaq, http://www.mondaq.com/article.asp?articleid=82854). HHS will issue regulations any day now implementing ARRA’s changes to HIPAA. 
These upcoming changes will require medical practices to:

- Stop using identifiable patient data for some health care operations
- Use de-identified patient data or disclose only the minimum data possible to conduct administrative transactions
- Provide patients with a copy of their EHR record on a CD, Website or other electronic medium
- Notify each patient whose PHI has been disclosed due to a breach by letter within 60 days; if more than 500 patients are involved, local media and HHS must also be notified
- Account for certain protected health information disclosures if the covered entity uses EHR (practices using EHR are required to track all treatment, payment, and healthcare operation disclosures)
- Follow patient direction to restrict disclosures to health plans if the patient has paid his/her premium in full
- Apply HIPAA requirements and penalties to business associates and others, and apply certain provisions to vendors of personal health records and health information exchanges
ARRA has increased the amount of civil penalties currently applicable to covered entities, effective immediately, according to Thompson Hine, LLP (http://www.thompsonhine.com/publications/pdf/2009/03/changestohipaa1737.pdf). In addition, the HIPAA security and privacy penalties are extended to business associates effective February 17, 2010. HIPAA had set the maximum civil penalty for security and privacy violations at $100 per violation (and at $25,000 for the total amount imposed on a person for all such violations of an identical requirement for a calendar year). Under ARRA, the $100 figure is now a minimum instead of a maximum, and higher minimum penalties apply based on the facts and circumstances of the violation.

| Criteria for Determining Penalty | Minimum Penalty (Per Violation/Cap) | Maximum Penalty (Per Violation/Cap) |
|---|---|---|
| Violator did not know and could not have been expected to know about the violation | $100/$25,000 | $50,000/$1,500,000 |
| There was “reasonable cause” and no “willful neglect” | $1,000/$100,000 | $50,000/$1,500,000 |
| There was willful neglect and violation was corrected | $10,000/$250,000 | $50,000/$1,500,000 |
| There was willful neglect and violation was not corrected | $50,000/$1,500,000 | No specified maximum |

(This chart is courtesy of Thompson Hine, LLP)
Recommendations from Thompson Hine, LLP: Because increased penalties for non-compliance are effective immediately, it is recommended that covered entities, including sponsors of group health plans, review and refresh their compliance efforts with respect to pre-ARRA HIPAA requirements and the newly posted guidance regarding disposal of PHI. Some questions to consider:

- Are your HIPAA privacy and security officer designations up-to-date?
- Have you recently reviewed your privacy and security practices and procedures to ensure that they are still in place, and have you documented any changes or improvements to such procedures? Note that as you review existing policies and procedures, be sure to specifically review procedures for the disposal of PHI, and compare them to the guidance recently posted by HHS.
- Have you conducted HIPAA training or refresher training for employees who handle PHI?
- Have you confirmed that business associate agreements are in place with all current business associates? As you check the status of these agreements, keep them handy, as modifications to these agreements will be necessary once applicable guidance has been issued.
- Have you reviewed your privacy policy recently, and are you in compliance with the requirements for providing a copy of the policy to health plan participants every three years?

Business associates should be conducting this same type of exercise and will likely have to enhance their privacy and security policies and procedures, employee training efforts, etc. to prepare for the increased security requirements and penalties for non-compliance that will take effect in 12 months. Both covered entities and business associates should also begin taking steps in preparation for compliance with the breach notification rules and the EHR accounting rules.