
Five Things Health Insurers, DM Need to Know About HITECH

By HealthLeaders Media Staff | March 25, 2009

The $787 billion American Recovery and Reinvestment Act of 2009 pushed healthcare into a new era of personal health information regulation and enforcement—and companies need to deal with these changes now.

As part of the stimulus law, President Barack Obama and Congress infused billions into the country's struggling economy. Not stopping there, they also set aside $19 billion for healthcare information technology and created new HIPAA regulations through the Health Information Technology for Economic and Clinical Health Act (HITECH). Much of what has been written about HITECH has focused on Medicare reimbursement incentives for healthcare providers who use "certified" electronic health records in a "meaningful way."

There is another piece of HITECH that will have a larger impact on health plans and companies working in the managed care arena—changes to the HIPAA law.

Many of the new healthcare security and privacy requirements created through HITECH will go into effect February 18, 2010, one year after Congress passed the stimulus bill. Over the next year, the feds will issue many new regulations in the area of health IT to resolve questions that remain following the legislation's passage, but companies shouldn't wait to get started.

Colleagues have explored many aspects of the HIPAA changes as they relate to hospitals and physicians, but health plans and—especially—population health, disease management, and wellness companies also face changes.

"This has a profound impact on disease management organizations as well as the healthcare industry," says Reece Hirsch, CIPP, partner at Sonnenschein Nath & Rosenthal LLP in San Francisco, who spoke during a members-only DMAA: The Care Continuum Webinar this week.

Here are the five things you need to know as a health plan, disease management, or population health company executive about the HITECH Act:

1.  Federal leaders used stimulus as a way to make HIPAA changes

Washington leaders have debated revising HIPAA for the past decade and legislators used the stimulus bill as a way to finally revamp HIPAA's privacy and security provisions.

David C. Kibbe, MD, MBA, principal of the Kibbe Group and senior advisor for the American Academy of Family Physicians, says these changes are an attempt to protect individual health information while also trying to create better, cheaper, and faster technology. It also places patients in greater control of their health information. He says HITECH stops short of a European-type policy that requires any entity that handles personally identifiable health information to comply with the same privacy and security rules, but it does move the U.S. a step closer to that.

"That day is a little nearer as a result of these changes, but I don't think [lawmakers] wanted to take the time to do that and didn't feel it was actually necessary," says Kibbe.

2.  HITECH extends privacy and security rules

The new legislation protects patient information from unauthorized acquisition, access, use, or disclosure.

As so-called covered entities, health insurers will need to work with their multiple vendors to make changes to business associate agreements. For instance, health insurers must incorporate the new privacy and security requirements into agreements and remove amendments from contracts that are no longer necessary under HITECH. They may also need to amend "notice of privacy" practices to reflect new patient rights to their health information under HITECH, says Hirsch.

Business associates, such as disease management companies, will need to perform those duties and incorporate changes to comply with the same obligations as covered entities.

3.  HITECH imposes breach notification requirements on HIPAA covered entities AND business associates

HITECH requires business associates to comply with the same obligations and face the same potential penalties as covered entities.

This means violations are not merely a problem that will be handled through the business associate agreement, but the feds could take action, too.

Covered entities and business associates will have to notify the proper people/entities within 60 days of discovering security breaches. They will also need to provide detailed information about breaches and what steps individuals should take to protect themselves.

4.  HITECH increases enforcement of and penalties for HIPAA violations

Business associates who violate the new regulations will not merely need to deal with covered entities, but may face hefty fines from the feds and states, too.

Critics, including the Office of Inspector General, have charged that Health and Human Services enforcement of HIPAA regulations has been lax. HITECH tackles both the limited enforcement issue and speeding-ticket-sized HIPAA fines.

HITECH created a tiered penalty that stretches to as much as $1.5 million for violations. All civil money penalties will go to the Office of Civil Rights to fund future investigations.

HITECH requires HHS to formally investigate any complaint of a HIPAA violation if preliminary investigation shows possible violations. The new law also allows state attorneys general to bring civil actions in federal court on behalf of state residents (and state AGs love to take on large healthcare companies).

"A security breach can be a disastrous event for many organizations because the adverse consequences can be enormous, from class action lawsuits to regulatory action. One of the major components of HITECH is to really create new stringent security breach obligations for HIPAA-covered entities," says Hirsch.

5.  Prepare for the changes now

Hirsch says business associates will need to:

  • Revise business associate agreements to incorporate the new privacy and security requirements and remove amendments from contracts that are no longer necessary under HITECH
  • Implement written policies and procedures that address each HITECH security rule standard
  • Create a security awareness and training program for employees
  • Designate a security official
  • Conduct a security risk analysis

As part of this process, the business associates will need to track, store, and compile information so there is an audit trail in case of breaches.

"Because the security standards are fairly broad and general, the security risk analysis is key because that's how an organization decides how to prioritize and justify the decision they make in implementing all of these broad and general standards. A formal, thorough security risk analysis is critical to that process," says Hirsch.

While many large business associates already have a comprehensive security compliance program, smaller companies will need to create their own. This may force some companies to decide the added work and regulations are too much. Hirsch suggested smaller business associates, especially those that work in areas beyond healthcare, may bow out of the industry rather than invest the money, time, and manpower to create procedures to follow HITECH regulations.

As the above action points show, managed care companies need to prepare for these changes—and realize that more revisions are coming. HHS will issue clarifications over the next year before HITECH goes into effect next February.

This is an exciting time for healthcare, but with that excitement come many changes. Instead of waiting to get started, managed care companies should start work on their game plan now.


Les Masterson is senior editor of Health Plan Insider. He can be reached at lmasterson@healthleadersmedia.com.
