Abstract
The 2009 HITECH Act expands HIPAA coverage and definition to include covered entity business associates, definition of security breach and disclosure requirements, new restrictions on use and disclosure of protected health information, new patient rights, mandatory compliance audits and heightened HIPAA enforcement.
2009 HIPAA: what has changed?
Many changes have been made to HIPAA as part of the 2009 HITECH Act. Many existing rules were expanded and clarified, and additional penalties and required actions now apply to violations. A proactive response to the new requirements should be best practice for all health care providers, with careful attention paid to the further expansion of requirements and enforcement over the next 18 months.
Expanded definition of security breach
One of the most significant changes is the burden placed on a health care provider or covered entity that suffers a breach of unprotected health information. This applies not just to electronic data, but to any breach of data stored by the provider. HITECH establishes a rule that all individuals affected by the breach must be notified within 60 days of the security violation. Additionally, if more than 500 records were compromised, then “prominent media outlets” must be notified as well. A breach is defined as an acquisition of an individual’s unsecured identifiable health information by any person without their authorization. Additionally, the notification of the breach will be posted on the HHS website when more than 500 records are breached.
New restrictions on use and disclosure
Additional restrictions on the use and disclosure of protected health information are also part of the expansion of HIPAA privacy. A covered entity is prohibited from receiving remuneration for protected health information in excess of the cost of preparing and transmitting the data, and then only with the authorization of the individual and for research purposes. Marketing to individuals based upon protected health information becomes more restrictive as well, and direct marketing is often prohibited if money is exchanged by any party involved in marketing to the individual without the individual’s consent.
New guidelines will be set forth defining the minimum information necessary for treatment. This standard determines what information may be transmitted between parties for purposes other than treatment of the patient. These guidelines are due within 18 months and will be defined by HHS.
New patient rights
Patients will be happy to hear that several new rights have been granted to them regarding the use and disclosure of their health information. Patients have the right to request that providers not share their health information with a health insurer if the patient is paying the full cost of the services provided. Providers are also required to provide a patient with a copy of their health record once a year. Additionally, covered entities maintaining electronic health records must provide an audit accounting of all disclosures for treatment, payment and health care operations for a three-year period. Many of these features will be included in a patient health record portal that good EHR systems should include. Last of all is the right to opt out of fundraising communications and opportunities. Opt-out rights have existed in the past, but fundraising communications must now inform the patient of their right to opt out of future fundraising solicitations.
HIPAA coverage for business associates
Additional restrictions on how data is shared with covered entity business associates have been defined as well. All business associates of a covered entity must comply with HIPAA security requirements and data sharing policies. This legislation now brings technology vendors, practice management companies, transcription services, billing services, attorneys, accountants and many other types of business associates under direct regulation of HIPAA.
Heightened HIPAA enforcement
New, more severe penalties are effective immediately for HIPAA violations.
Increased Monetary Penalties
| Violation category | Penalty |
| --- | --- |
| Unknowing Violations | $100/violation up to $25,000 annually |
| Reasonable Cause Violations | $1,000/violation up to $100,000 annually |
| Willful Neglect Violations | $500,000/violation up to $1.5 Million annually with civil penalties starting in 2011 |
Additionally, State Attorneys General are now granted authority to bring civil action for HIPAA violations. The HITECH Act also clearly states that criminal penalties may be imposed under HIPAA on individuals or entities that wrongfully obtain protected health information.
Mandatory Compliance Audits
HHS will be required to conduct periodic audits of covered entities and business associates to evaluate HIPAA compliance.
August 3rd, 2009 at 7:36 pm
You’re absolutely correct, and the penalties are “the stick.” My husband and I co-authored a HITECH / HIPAA Survival Guide for practitioners with a free newsletter for those who want to stay informed. The website is located at http://www.hipaasurvivalguide.com and it now has clickable links to the “official” HITECH Regulations. If you’re interested, you could check it out.
Regards,
Deborah
June 13th, 2010 at 9:22 am
I have to state, you chose your words well. The ideas you wrote on your encounters are well placed. This is an incredible blog!
June 25th, 2010 at 4:00 pm
Just finished this article and wanted to thank you personally. Precise and succinct!