Today U.S. President Barack Obama signed into law the $787 billion American Recovery and Reinvestment Act of 2009, an economic stimulus package that includes provisions for heightened enforcement of HIPAA and stiffer penalties for privacy and security violations, and that sets aside billions of dollars to invest in electronic health records (EHR) implementation and exchange. The Act also extends HIPAA security provisions to business associates (BAs).
According to a February 13 release on the Web site of Waller Lansden Dortch & Davis, LLP, a law firm based in Nashville with extensive HIPAA and healthcare regulatory experience, to ensure the security of protected health information (PHI) the Act includes provisions requiring BAs to implement:
- Security policies and training
- Physical security safeguards (e.g., door locks)
- Technical security safeguards (e.g., computer encryption and password protection)
The Act suggests that Congress recognizes the need to move to EHRs but with stricter enforcement and protection of patient privacy, according to John Parmigiani, MS, BES, president of John C. Parmigiani & Associates, LLC, Ellicott City, MD, and chairperson of the team that created the HIPAA security rule.
Penalties for facilities that have privacy breaches range from $100 to $50,000 per violation, depending on whether the facility could reasonably have avoided the breach. The Act also gives state attorneys general the power to seek civil damages and attorney's fees for HIPAA privacy breaches.
"Because [the Act] speaks to privacy and security breach notifications, increased enforcement of patient privacy, audit trails, encryption, and a definite concern for driving the attainment of an EHR while protecting patient information, it emphasizes the critical ingredient in fostering widespread implementation, acceptance, and use of e-health: trust," Parmigiani says. "This includes trust among patients, providers, and payers to effectively and efficiently deliver healthcare and share healthcare information."
The HIPAA provisions in the economic stimulus Act fall under the Health Information Technology for Economic and Clinical Health (HITECH) Act. According to Waller Lansden Dortch & Davis, the Act also includes:
- New security breach notification requirements. The government wants to expand security breach law with increased notification to patients. Covered entities that experience a breach involving 500 or more patients must immediately report it to the secretary of HHS, who will then post the name of the provider or insurer on its public Web site. Covered entities that experience a breach involving 500 or more patients who reside in the same area must report it to the local media. BAs must report a notice of a breach, including the identity of the patient(s) whose PHI was accessed, acquired, or disclosed, to the provider or health plan with which it partnered. Vendors using personal health records (PHR) must notify patients and the Federal Trade Commission (FTC) of any breach caused by their products or services.
- HIPAA pre-emption on new provisions. Providers and health plans must comply with state security breach laws "to the extent that they exceed the new security breach notifications provisions of the [Act]," according to the law firm.
- Restricting access to PHI. A patient can now restrict access to his or her PHI, so long as the patient's request meets certain requirements.
- Right to accounting on EHRs. Currently, patients can request an accounting of PHI disclosures dating back six years from the request, and HIPAA doesn't currently require disclosures for treatment, payment, and healthcare operations to be included in the list. The new Act allows patients to go back three years but requires covered entities to include treatment, payment, and healthcare operations disclosures.
Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, MA, says the HIPAA provisions in the Act are "HIPAA Administrative Simplification taken to the next level."
The Administrative Simplification provisions of HIPAA (HIPAA, Title II) required HHS to establish national standards for electronic healthcare transactions and national identifiers for providers, health plans, and employers.
"The Act contains billions to fund health IT for expanding the implementation and exchange of electronic records," Borten adds. "To do that successfully and safely, Congress recognizes the need for broader and stronger, more explicit privacy and security controls."
Experts say one of the major changes for providers is the law's requirement for BAs to adhere to the security requirements of HIPAA. "HIPAA covered entities are no longer their 'brothers' keepers' since business associates will become directly subject to the HIPAA privacy and security rules, as well as to the penalties which have become stricter," Borten says.
It also makes BAs adhere to the same provisions as covered entities. "This enforces the 'chain of trust' concept envisioned by the crafters of the security rule," Parmigiani says. "So, in a way, it modernizes HIPAA to make it more in tune with an emerging e-health environment."
The Act further strengthens rules for the marketing and release of patient information, according to Parmigiani. For example, patients can now opt out of fundraising communications by hospitals. Parmigiani also believes the Act signals the new administration's focus on more rigorous regulatory enforcement.
Dom Nicastro is a senior managing editor for HCPro, Inc's Revenue Cycle division. He manages the Patient Access Resource Center.
Editor's note: To learn more about HIT initiatives, view the American Recovery and Reinvestment Act of 2009.