Today, April 14, 2015, marks the 12th anniversary of the compliance date for the HIPAA Privacy Rules for most “Covered Entities” – healthcare providers who engage in certain electronic transactions, health plans, and healthcare clearing houses. (Small group health plans had 1 extra year, until April 14, 2004, to come into compliance with the Privacy Rules.)

What’s HIPAA?

The HIPAA Privacy Rules were the first comprehensive federal rules to protect the privacy and confidentiality of an Individual’s health and medical information.  In addition, the Privacy Rules give Individuals certain rights (including access, accounting and amendment, to list a few) with respect to their health and medical information.

  • There are hundreds of specific provisions within the HIPAA Privacy Rules but, in general-
    • A Covered Entity may not use or disclose individually identifiable health information (“Protected Health Information” or “PHI” in HIPAA terminology), except as permitted or required by the Privacy Rules, without written authorization; and
    • Since 2003, Covered Entities have been subject to civil – and criminal –penalties for violations.

To say the least, I have seen significant new developments in the past 12 years, as I work with “Covered” healthcare providers and health plans challenged by HIPAA.

  • Rule Changes

First, were the important changes in the Rules – including the addition of the HIPAA Security Rules (2005) and the “HITECH” amendments (2013). (“HITECH” is acronym for the Health Information Technology for Economic and Clinical Health Act of 2009).  HITECH amended the HIPAA Privacy Rules in key ways, including

  • New “Breach Notification” requirements; and
  • Business Associates (in addition to Covered Entities) are now directly subject to many HIPAA Privacy and Security Regulations. [We’ll discuss HIPAA Compliance Risks for Business Associates in other posts in very near future.
  • Practice Pointer – Despite these changes, some healthcare providers and health plans have not even updated their HIPAA-required Notice of Privacy Practices – we have all seen them, posted on providers’ websites and reception-area walls, or handed out with other registration papers.
  • Practice Pointer – If a HIPAA “Privacy Notice” bears an effective date of April 14, 2003 – or any date earlier than September 23, 2013–that’s a sign that provider’s (or health plan’s) formal HIPAA policies and procedures and workforce training also may be outdated.
  • New Technologies – e.g., social media and the proliferation of mobile devices — have led to new HIPAA compliance risks.  Many of these risks were not even on our radar screens back in the “good old days” when mis-directed faxes and failure to shred paper medical or health plan enrollee records were key HIPAA risk areas.
  • Stringent Enforcement – Finally, I have seen the federal agency charged with enforcement of the HIPAA Rules, the Office of Civil Rights of the Department of Health and Human Services (“OCR”), shift dramatically.
    • Initially, OCR took a conciliatory posture, preferring to work cooperatively with non-compliant Covered Entities to beef up their policies and workforce training with the goal of preventing the reoccurrence of future HIPAA violations.
    • Today, OCR is taking a much more aggressive (zero tolerance) posture and levying 6-figure (and higher) fines against Covered Entities with lax HIPAA policies and procedures that allow serious “breaches” and other violations to occur.
    • Example: a Phoenix physician practice violated HIPAA by posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible.  OCR found that the practice had implemented few policies and procedures to comply with the HIPAA. As a result, the practice was fined $100K and required to implement an exacting corrective action plan. In its Press Release for this matter, OCR warned: “We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”

See the OCR Website for details about this – and many other—recent HIPAA enforcements.

Throughout the rest of April, look for a series of follow up articles on HIPAA/HITECH compliance topics, to mark HIPAA Privacy Rules’ anniversary today – and the April 20, 2015 10th anniversary of the HIPAA Security Rules.