March 19, 2010
Published in Business in Savannah
Persons or entities providing certain services to covered entities such as health care providers, health insurers and health care clearinghouses under the Health Insurance Portability and Accountability Act (HIPAA) should take note of the recently enacted Health Information Technology for Economic and Clinical Health Act (HITECH).
HITECH has vastly expanded liability under HIPAA to not only covered entities, but also to their business associates. Business associates may be attorneys, third party administrators, medical transcriptionists, software vendors and even accounting firms, if those persons or entities use or disclose protected health information (PHI) to perform a function for the covered entity. As part of the recent American Recovery and Reinvestment Act, the new HITECH law is intended to prepare the health care community to safeguard its information for an eventual mandatory switch to electronic health records by 2014.
HIPAA, which became law in 1996, is mostly known for its privacy regulations, which in general state that an individual’s PHI should only be disclosed to the individual and to those who need the information for treatment of the individual, payment or health care operations. While HIPAA compliance has not been rigorously enforced in the past, the Department of Health and Human Services (HHS) is expected to increase enforcement actions with civil penalties ranging from $100 to $25,000 per violation and from $25,000 to $1,500,000 for similar violations in any given year. Criminal penalties also are possible if a disclosure of information is egregious.
Physicians and other covered entities are advised to make sure that they have business associate agreements with all business associates and to update existing agreements with any current business associates to include the new regulations. The health care community is awaiting further guidance from HHS regarding how current business associate agreements should be updated to comply with HITECH.
HITECH provisions will be enacted in stages. One of the first provisions to take effect requires hospitals and other covered entities and their business associates to notify individuals when the privacy of their unsecured PHI is breached. Because of this new requirement, all business associates and covered entities should have encryption software to safeguard PHI and comply with the security provisions.
Provisions effective on February 17, 2010 include restrictions on disclosures by health care providers to health plans, changes to the minimum necessary standards for uses and disclosures of PHI, accounting requirements for disclosures relating to electronic health records, tougher prohibitions on selling PHI and restrictions on marketing and fundraising.
To protect themselves in the event of an HHS investigation, covered entities and business associates should make sure that they have a documented security policy in place and detailed and accurate compliance records. A goodwill effort may decrease the penalties levied by HHS.
At minimum, a covered entity should provide a notice of privacy practices for protected health information, provide a written acknowledgement of receipt of such notice, post such notice in a prominent location in the provider’s office, if the covered entity is a health care provider, and provide updates whenever the notice is revised.
To comply with the security standards of HIPAA, covered entities and business associates must ensure the confidentiality, integrity and availability of all electronic PHI and protect against any reasonably anticipated threats, hazards or unauthorized disclosure of the information. These standards apply even to the smallest covered entities and business associates.
Employees should be advised and trained in these practices and the policies should be kept in written or electronic format where employees can access it. The records of notice should be maintained and retained by a designated privacy official — usually the office administrator in a small office.
Keeping adequate records can help ensure compliance with the latest healthcare privacy and security guidelines. Additional changes are expected in the coming years, so be sure to stay on top of the latest laws and regulations.