HITECH Act Privacy and Security

Changes to Current HIPAA Laws and Regulations

My colleague Jonathan Krasner at Business Engineering, Inc. in Reston, Virginia sent me the following information about HIPAA changes that take effect this week. His information pertains to physician offices, medical billing companies, hospitals and a host of other healthcare facilities and vendors.

Congress passed and President Barack Obama signed the American Recovery & Reinvestment Act (ARRA) in February, 2009.  The healthcare IT component of the ARRA is commonly referred to as the HITECH (Health Information Technology for Economic and Clinical Health) Act.  The HITECH Act covers a broad range of healthcare IT initiatives including providing over $20 billion in funding towards implementation of healthcare IT.

The HITECH Act also includes “Subtitle D” which focuses on privacy and modifies and broadens portions of the HIPAA Privacy and Security laws and regulations.  The following is a high level overview of how the HITECH Act impacts current HIPAA laws and regulations.  This first section is an overview of the changes that will go into effect on February 17, 2010; changes that were or will be effective on other dates are summarized on the second page of this document.

Application of Security/ Privacy Rules to Business Associates

Business Associates (BA’s – generally defined as those who do not work for a covered entity (CE) but handle protected health information (PHI)) will now be required to directly comply with the Administrative Safeguards, Physical Safeguards, Technical Safeguards and Policies and Procedures provisions of the existing HIPAA Security Rule.  Similarly, BA’s are now directly bound by the privacy rules in the existing HIPAA regulations.  They are also now directly subject to civil and criminal penalties for violations.  Previously BA’s were only indirectly regulated through BA agreements with CE’s.

Restrictions on Certain Disclosures

CE’s are required to grant a request from an individual to restrict disclosure of their PHI if the disclosure is to a health plan for purposes of either payment or health care operations and the PHI pertains to a service for which the individual paid in-full, out-of-pocket.  CE’s were not previously required to grant requests for restriction of any disclosure for payment or healthcare operations.

Disclosures Limited to the “Minimum Necessary”

CE’s are currently required to limit requests, use or disclosure of PHI to the “minimum necessary”.  The HITECH Act clarifies that the “minimum necessary” will only be satisfied if a CE or BA uses a “limited data set” which is defined in HIPAA as PHI that excludes a specific set of direct identifiers of the individual.  However, if using a “limited data set” is not practical then the “minimum necessary” guidance still applies.  This HITECH Act also clarifies that it is the CE or BA disclosing the PHI that determines the “minimum necessary”.

Access to PHI in Electronic Format

CE’s that use an EHR must provide individuals the option to receive an electronic copy of their PHI.  Any associated fee charged by the CE can only cover its labor costs for providing the electronic copy.  Previously there was no requirement that an electronic copy had to be made available to individuals.

Marketing

Under HIPAA a CE generally must obtain authorization for any use or disclosure of PHI for marketing purposes except if the communication is for “health care operations”. This has been revised under HITECH. If a CE has received payment for making a communication, the communications for “health care operations” is allowed if (1) it relates to a drug or biologic that is currently being prescribed or (2) individual authorization has been obtained and or (3) a BA makes the communication on behalf of a CE that is within the framework of the BA agreement.

Fundraising

The requirement that a CE must, in any fundraising materials it sends to an individual, allow that individual to opt out of receiving any future fundraising communications is unchanged except that it is now a statutory requirement of the HITECH Act and not just a regulatory requirement.

Other HIPAA Changes in the HITECH Act

Clarification of Criminal Penalties (effective 2/17/2009)

The Department of Justice declared in a June 1, 2005 position paper that only CE’s could be directly liable for HIPAA criminal violations.  The HITECH Act clarifies this to include that individuals, whether or not they are employees of a CE, can now be criminally liable for violations of HIPAA.  BA’s are also now directly liable for violations of HIPAA or the HITECH Act.  A new set of tiered, significant civil monetary penalties have also been established.  Fines start at $100 per violation (max. $25K  per year) and go to $50K per violation ($1.5M per year), depending upon the violation type.

Improved Enforcement (effective 2/17/2009)

The HITECH Act now requires that HHS must investigate any complaint that may have resulted from “willful neglect” by a CE or BA.  Also, a methodology must be developed by which victims of privacy violations may receive a share of the collected penalties.  Finally, states’ attorneys general are also now permitted to bring a federal civil action on behalf of the residents of their states whom they believe have been adversely affected by a HIPAA violation.

Notification in Case of Breach of Confidentiality (effective 9/24/2009)

CE’s must now notify individuals whose unsecured protected health information (PHI) has been accessed or disclosed as a result of a breach.  BA’s must similarly notify CE’s who must then notify affected individuals.  Notification must be in writing within 60 days of discovery of the breach.  If more than 500 individuals are affected Health and Human Services (HHS) and prominent media outlets must also be notified.

Prohibition on Sale of PHI (regulations due by 8/16/2010, effective 6 months later)

CE’s and BA’s may only receive payment in exchange for PHI if the individual has signed an authorization that discloses that payment will be made to the CE or BA.  There are some exceptions including disclosures for public health, research, treatment, sales or mergers, payments to a BA for services performed for the CE or payments by an individual to obtain a copy of that individual’s record.  Previously, only sales of PHI for marketing purposes required an authorization that disclosed payment was involved.

Accounting of Disclosures (effective date varies by date CE implements EHR)

The HITECH Act will require that CE’s follow a detailed accounting  practice  not previously in place  under HIPAA. If an individual requests an accounting of electronic health records (EHRs), CE’s  must be able to provide to the individual disclosure information  for  the prior three years, if the disclosures were made for “treatment, payment or health care operations.”  This will be phased in between 2011 and 2014.

We have seen some of these changes already being enforced.  For instance, in January 2010, Connecticut Attorney General Richard Blumenthal sued Health Net for multiple HIPAA violations.  Protected private medical records and financial information on almost a half million Health Net enrollees in Connecticut were exposed for at least six months before Health Net notified appropriate authorities and consumers.

Note:  The foregoing is intended solely for informational purposes and should not be construed as legal advice.  Providers should consult with independent legal and accounting counsel before making any decisions.