INDUSTRY INSIGHTS | WINTER 2009/2010 EFFECT

HITECH Act Ups the Ante on Protecting Health Information

With the passing of the American Recovery and Reinvestment Act of 2009 (ARRA), protecting health information is once again in the spotlight, this time bringing even greater consequences for noncompliance. The law, enacted on February 17, 2009, features sweeping changes related to health information privacy, including updates to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Here at LarsonAllen, we recently reviewed and addressed our role in the use and security of protected health information (PHI). Have you looked into the new requirements and how they apply to your organization?

Title XIII of ARRA is known as the Health Information Technology for Economic and Clinical Health Act (HITECH), which includes many new requirements and updates such as:

  • $20 billion for health care IT projects, including incentives for electronic health records and IT infrastructure
  • An extended reach of HIPAA: business associates are now directly subject to the HIPAA Security Rule and to the same civil and criminal penalties as covered entities
  • Breach notification requirements for covered entities and business associates
  • Limitations in the use and disclosure of certain PHI
  • Increased individual rights with respect to PHI
  • Significant enforcement and penalties for violating the privacy and security of PHI

Background

HIPAA was originally enacted to address four main areas:
  1. Electronic transaction and “code set” standards requirements
  2. Privacy requirements
  3. Security requirements
  4. National identifier requirements

HIPAA directly affects “covered entities,” defined as health care providers, health plans, and health care clearinghouses. Those entities should already be complying with HIPAA requirements, and from our experience, it appears most health care organizations throughout the country are. The question is: have they stayed up to date with internal changes as well as external guidance?

When an organization agrees, by contract, to maintain the privacy and security of PHI it creates, receives, or handles on behalf of a covered entity, it is identified as a “business associate.” Many organizations (including LarsonAllen) have reviewed and signed multiple business associate agreements when working with their covered entity clients.

So how has HITECH changed those requirements?

Breach notification

Under HITECH, both covered entities and business associates have a greater responsibility to protect PHI. The new notification duties attach to “unsecured” PHI, which HHS guidance defines as PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons, in practice through encryption or destruction. PHI held without those protections becomes a reportable breach the moment it is lost or improperly disclosed. As a result, all organizations must review their current and future policies and controls to ensure they are protecting all past, present, and future PHI. This is a best practice for everyone, regardless of the new requirements. Simply emailing patient account data to your consultant who is performing an analysis of revenue or accounts receivable could be considered “unsecured” unless the file is encrypted or sent over a secure file transfer channel rather than as a plain email attachment.

Notification requirements

Covered entities are required to notify affected individuals, and HHS, if any unsecured PHI has been, or is reasonably believed to have been, breached. A business associate that discovers a breach must notify the covered entity. The covered entity must then notify each affected individual by first class mail (or by email, if the individual has previously agreed to electronic notice) without unreasonable delay and in no case later than 60 days after the breach is discovered.

Additional notification requirements are based on the number of individuals affected:

  • 10 or more individuals whose contact information is insufficient or out of date: Substitute notice is required, either a conspicuous posting on the covered entity’s Web site or notice in major print or broadcast media, in both cases including a toll-free number individuals can call.
  • More than 500 residents of a state or jurisdiction: Notify prominent media outlets serving that state or jurisdiction.
  • More than 500 individuals: Do not wait 60 days; HHS must be notified at the same time as the individuals. Breaches affecting fewer than 500 individuals are logged and reported to HHS annually, within 60 days after the end of the calendar year in which they were discovered.

Notification must include:

  • A description of what happened, including the date of the breach and the date it was discovered
  • The types of PHI involved
  • Steps individuals should take to protect themselves from potential harm
  • What the organization is doing to investigate the breach
  • What it is doing to mitigate harm and protect against further breaches
  • Contact information for questions

Penalties and enforcement

Under the updated enforcement provisions, HHS is now required to formally investigate any complaint whose preliminary review indicates a possible violation due to willful neglect, and to impose a penalty where willful neglect is found. As part of an investigation, the agency must determine whether the violation was due to willful neglect or to reasonable cause, whether the organization exercised reasonable diligence, and whether the violation was corrected.

Penalties and fines have increased significantly from those outlined in HIPAA in 1996. Previous penalties were $100 per violation, up to $25,000 per year for violations of an identical requirement. Civil monetary penalties are now tiered by the level of culpability, with each maximum applying per calendar year to violations of an identical requirement:

  • $100 per violation, up to a maximum of $25,000, if the organization did not know, and with reasonable diligence would not have known, of the violation
  • $1,000 per violation, up to a maximum of $100,000, if the violation was due to reasonable cause and not willful neglect
  • $10,000 per violation, up to a maximum of $250,000, if willful neglect is present but the violation is corrected within 30 days of discovery
  • $50,000 per violation, up to a maximum of $1.5 million, if willful neglect is present and the violation is NOT corrected

In addition to these civil monetary penalties, state attorneys general may now bring civil actions in federal court, on behalf of residents of their states, against a covered entity and/or business associate that violates HIPAA. HHS is required to perform periodic compliance audits of both covered entities and business associates. Finally, individuals harmed by a violation may receive a percentage of any civil monetary penalty collected; HHS must establish the methodology by regulation (clarification of this is expected before 2012).

These new requirements and the consequences, if not followed, demand review by both covered entities and business associates. Personal information is at risk every day, and without diligent attention to these rules, your organization may be as well.

Chad Kunze is a health care principal with LarsonAllen.
Contact Chad at ckunze@larsonallen.com or 314-336-3721.

©2010 LarsonAllen LLP Equal Opportunity/Affirmative Action Employer