Stimulus law makes changes to HIPAA
Health plans, population health affected
The $787 billion American Recovery and Reinvestment Act of 2009 pushes healthcare into a new era of personal health information regulation and enforcement—and companies need to deal with these changes now.
As part of the stimulus act, President Barack Obama and Congress infused billions into the country’s struggling economy.
Not stopping there, Congress and Obama also set aside $19 billion for healthcare information technology (IT) and created new HIPAA regulations through the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Most HITECH news reports have focused on Medicare reimbursement incentives for healthcare providers who use certified electronic health records in a “meaningful way.” But there is another piece of HITECH that will have a larger effect on health plans and companies working in the managed care arena—changes to the HIPAA law.
Much of the new healthcare security and privacy requirements created through HITECH will go into effect February 18, 2010, one year after Congress passed the stimulus bill.
Over the next year, the federal government will issue many new health IT regulations to resolve questions that remain following the legislation’s passage.
“There’s nothing in there that was surprising, but I think some significant things in the bill will have consequences in the marketplace,” says David C. Kibbe, MD, MBA, principal of the Kibbe Group and senior advisor at the American Academy of Family Physicians.
Health plans, especially population health, disease management, and wellness companies, face several changes thanks to HITECH.
“This has a profound impact on disease management organizations, as well as the healthcare industry,” said Reece Hirsch, CIPP, partner at Sonnenschein Nath & Rosenthal, LLP, in San Francisco, who spoke during a members-only DMAA: The Care Continuum Webinar in March.
HITECH makes a number of changes to HIPAA, including extending the reach of the privacy and security rules, imposing breach notification requirements on covered entities and business associates (BAs), limiting certain uses and disclosures of protected health information (PHI), increasing individuals' rights over their PHI, and strengthening enforcement and penalties for HIPAA violations.
Five things to know
The following are the five things health plans and disease management and population health companies need to know about the HITECH Act:
1. Federal leaders used the stimulus as a way to make HIPAA changes. Washington leaders have debated revising HIPAA for the past decade, and legislators used the stimulus bill as a way to revamp HIPAA’s privacy and security provisions.
These changes are an attempt to protect individual health information in the face of greater technology and sharing of patient information, Kibbe says.
“One good thing about HIPAA changes is that this clearly places patients in greater control of their health information, and I think that is not going to be mentioned as much as it ought to,” says Kibbe.
The electronic health information movement gained steam during the past year as Microsoft and Google entered the market. The addition of these technology giants helped spark the legislation, Kibbe says.
“There were those who felt, and I’m one of them, that we need to completely go back to square one in respect to healthcare information and its privacy and security because this idea of breaking the world up under covered entities and everyone else no longer makes sense. I think a lot of the confusion, and some of the consternation and some of the unintended consequences of this fix to HIPAA, is the result of it being a fix rather than a rewrite,” says Kibbe.
HITECH stops short of a European-type policy that requires any entity that handles personally identifiable health information to comply with the same privacy and security rules, but it does move the United States a step closer to that, he says. “That day is a little nearer as a result of these changes, but I don’t think [lawmakers] wanted to take the time to do that and didn’t feel it was actually necessary,” says Kibbe.
2. HITECH extends privacy and security rules. The new legislation protects patient information from unauthorized acquisition, access, use, or disclosure that compromises its security or privacy. As so-called covered entities, health insurers will need to work with their many vendors to make changes to BA agreements.
For example, health insurers must incorporate the new privacy and security requirements into agreements and remove amendments that are no longer necessary under HITECH from contracts. They may also need to amend notice of privacy practices to reflect new patient rights to their health information under HITECH, said Hirsch.
BAs, such as disease management companies, will need to carry out those same duties directly and make the changes needed to comply with the same obligations as covered entities.
An exception to the security rules is when an unauthorized person “would not reasonably have been able to retain” the information, said Hirsch.
The following are not considered breaches under the new law:
- An employee or other person who acts under the authority of the covered entity or BA and accesses the record in good faith and within the scope of employment or other professional relationship, but the information is not acquired or accessed by another person or entity
- An authorized person at a facility who inadvertently discloses the information to another authorized person at the facility, but the information is not accessed or disclosed further
3. HITECH imposes requirements for breach notification on HIPAA covered entities and BAs. HITECH requires that BAs comply with the same obligations and face the same potential penalties as covered entities. This means violations are not just problems that will be handled through BA agreements, but could be subject to federal action.
Covered entities and BAs must notify the proper people or entities no later than 60 days after discovering a breach of unsecured PHI (BAs notify the covered entity, which in turn notifies the affected individuals). The covered entities will also need to:
- Provide a description of facts surrounding the breach
- List the type of PHI
- Highlight the steps individuals should take to protect themselves
- Describe what the covered entity is doing to investigate and mitigate the breach
- Give contact information for inquiries
“This means that business associates are going to be required to pretty much do everything that a HIPAA covered entity is required to do under the HIPAA security rule,” Hirsch said. “It’s also important to note that the new HIPAA civil and criminal sanctions will also apply to business associates under the strengthened enforcement initiative of the HITECH Act.”
4. HITECH increases enforcement of and penalties for HIPAA violations. BAs that violate the new regulations will not merely need to deal with covered entities, but may face hefty fines from federal and state governments.
Critics, including the Office of Inspector General, have charged that the U.S. Department of Health and Human Services (HHS) enforcement of HIPAA regulations has been lax.
HITECH tackles both the limited enforcement and the speeding ticket-sized HIPAA fines. It creates a tiered penalty structure based on the level of culpability, with fines reaching as much as $1.5 million per calendar year for all violations of an identical provision.
All civil money penalties collected will go to the HHS Office for Civil Rights (OCR) to fund future enforcement. HITECH also requires that HHS formally investigate any complaint of a HIPAA violation if a preliminary investigation shows a possible violation.
The new law also allows state attorneys general to bring civil actions in federal court on behalf of state residents.
“A security breach can be a disastrous event for many organizations because the adverse consequences can be enormous, from class-action lawsuits to regulatory action. One of the major components of HITECH is to really create new stringent security breach obligations for HIPAA covered entities,” Hirsch said.
5. Prepare for the changes now. Hirsch said BAs need to:
- Revise BA agreements to incorporate the new privacy and security requirements and remove amendments that are no longer necessary under HITECH from contracts
- Implement written policies and procedures that address each HIPAA Security Rule standard now applied to BAs under HITECH
- Create an employee security awareness and training program
- Designate a security official
- Conduct a security risk analysis
As part of this process, BAs will need to track, store, and compile information so there is an audit trail in case of breaches.
“Because the security standards are fairly broad and general, the security risk analysis is key because that’s how an organization decides how to prioritize and justify the decision they make in implementing all of these broad and general standards. A formal, thorough security risk analysis is critical to that process,” said Hirsch.
Although many large BAs have a comprehensive security compliance program, smaller companies will need to create their own.
This may force some companies to decide that the added work and regulations are too much. Smaller BAs, especially those that work in areas beyond healthcare, may bow out of the industry rather than invest the money, time, and manpower to create procedures to follow HITECH regulations, said Hirsch.
Managed care companies need to prepare for these changes—and realize that there are more revisions coming.
HHS will issue clarifications during the next year before HITECH goes into effect February 2010.
“I am trying to remain fairly optimistic that it will settle down after a few months because I think the administration understands that there has to be a balance here between bringing better, cheaper, faster technology to healthcare at the same time that we deal with the legitimate fears people have about risks of privacy,” Kibbe says.