Did you just cringe a little? You’re not alone if you did. Complying with the privacy and security requirements imposed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) has never been considered fun. Reading the words HIPAA, compliance, change and HITECH together in a sentence could make you want to tune out, but you really shouldn’t, because 2009 was an eventful year in terms of HIPAA requirements.
The Department of Health and Human Services (HHS) and Congress have been making and will continue to implement changes to HIPAA’s privacy and security requirements. As part of the financial bailout bill, Congress passed HITECH, a law aimed at revamping HIPAA enforcement and keeping pace with technological changes in the way health information is stored and used. HITECH itself altered the way HIPAA privacy and security works, and also called for HHS to create regulations to implement other aspects. HHS released two sets of rules implementing HITECH in 2009 and is expected to release several more in 2010. Some of the changes made by HITECH and the HHS rules went into effect in 2009, while others are slated to go into effect in February 2010.
One dramatic change to the enforcement provisions of HIPAA went into effect November 30, 2009. HHS released rules that allow the imposition of up to $1.5 million in civil monetary penalties on violators per calendar year. That $1.5 million is the upper limit on such civil penalties; the actual amount is subject to HHS discretion and other factors relating to the violation(s). The rule also modifies the affirmative defenses available relating to such violations. The criminal sanctions remain unchanged at up to 10 years imprisonment and up to $250,000 in fines for the most egregious violations. Additionally, HITECH allows state attorneys general to enforce the privacy and security rules through civil actions in federal court. Previously, HIPAA could only be enforced by the federal government.
If that wasn’t enough to get you to comply, last year’s breach notification rules have added public humiliation to the arsenal of violation deterrents. Breaches of certain health information must, in some circumstances, be reported to the media and/or be posted on the HHS website. For more information on the breach notification rules, please see our September 2009 Alert. While the breach notification rules went into effect on September 23, 2009, HHS indicated that enforcement would not generally begin for 180 days, until February 22, 2010.
HITECH has also expanded most of HIPAA’s privacy and security rules to apply to “business associates” of HIPAA-covered entities beginning on February 17, 2010. This mainly substitutes statutory liability for contractual liability, as most business associate agreements already addressed business associate compliance with HIPAA. If you are a covered entity or a business associate, you should review your agreements to make sure they are in line with the new statutory requirements. Parties may also want to revisit notification and indemnification provisions in these agreements in light of these new requirements.
Beneficiaries are now granted expanded rights regarding disclosures of health information. Areas addressed include increased types of disclosures that must be tracked, limits on permissible disclosures and, beginning in February, the ability of beneficiaries to request restrictions on certain disclosures. The scope of disclosures is still limited to the “minimum necessary” amount. The restrictions on the use of health information in marketing have been clarified.
HHS is expected to release more guidance on “minimum necessary” standards and will publish yearly updates to guidance on technical safeguards for compliance with the security rule. As this guidance comes out, it will be easier to comply with HITECH; however, your compliance efforts should already be in effect.
If you haven’t already, it is time to take a fresh look at your HIPAA compliance programs and policies. You should examine your business associate agreements, your disclosure policies, your security practices, your privacy notices and your HIPAA compliance training for employees. As HIPAA privacy and security rules expand and enforcement becomes more aggressive, you might want to overhaul your compliance program altogether, but at the very least you should be prepared for the changes going into effect February 2010.