The recently passed Health Information Technology for Economic and Clinical Health Act ("HITECH Act") contains numerous amendments to the HIPAA Privacy and Security Rules, adding new requirements and new limitations with which HIPAA "covered entities" (i.e., health care providers, health plans, and health care clearinghouses) and their "business associates" must comply in the coming months.
Under HIPAA, if protected health information ("PHI") is accessed by or disclosed to an unauthorized person, the covered entity is required to mitigate any harmful effect resulting from this breach of privacy. Before the HITECH Act, a covered entity was not explicitly required by HIPAA to notify the affected person of the incident. Effective September 15, 2009, however, that will all change as covered entities will now be subject to explicit HIPAA breach notification requirements.
More specifically, the HITECH Act requires HIPAA covered entities to notify each individual whose PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed as a result of a breach of "unsecured protected health information," without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. PHI is "unsecured" unless it has been rendered unusable, unreadable, or indecipherable to unauthorized persons through a method specified in guidance issued by the Department of Health and Human Services (in practice, encryption consistent with that guidance or destruction of the media); PHI protected only by access controls or passwords remains within the scope of the notification requirements. The new breach notification provisions apply to information in paper as well as electronic form, and the PHI triggering them can be as simple as the unauthorized disclosure of a patient name or date of birth. If an individual's unsecured PHI is affected by a breach, or there is reason to believe it was, the covered entity must send written notification to the affected individual by first-class mail. The HITECH Act also specifies the information that the notice to the affected individual must contain. If the covered entity has insufficient or out-of-date contact information for an individual affected by a breach, the HITECH Act prescribes substitute forms of notice the covered entity must use to make a reasonable effort to inform that individual of the breach.
The HITECH Act also contains amendments that will impact "business associates" of covered entities (i.e., an individual or entity, such as a vendor, that performs services for or on behalf of a covered entity which involves the use or disclosure of PHI) and the Business Associate Agreements that HIPAA requires covered entities and business associates to sign. For instance, the HITECH Act now requires HIPAA business associates to comply with the HIPAA Security Rule requirements and directly subjects business associates to civil and criminal penalties for violating the HIPAA Security Rule. Prior to the HITECH Act, a business associate that violated a Business Associate Agreement was only subject to a breach of contract claim by a covered entity, and could not be fined or otherwise held accountable by the federal government. But effective February 17, 2010, that will all change.
Finally, the HITECH Act calls for enhanced enforcement of HIPAA and increased civil monetary penalties for violations. The HITECH Act now requires the Department of Health and Human Services to perform periodic audits to ensure that both covered entities and business associates are in compliance with the HIPAA Privacy and Security Rules. Furthermore, effective February 17, 2010, covered entities are also subject to increased penalties for violating HIPAA. Prior to the HITECH Act, a covered entity was subject to a civil monetary penalty of $100 per violation, capped at $25,000 for all violations of an identical requirement or prohibition during a calendar year. The HITECH Act replaces this with a sliding scale tied to the violator's level of culpability: penalties start at $100 per violation where the entity did not know (and by exercising reasonable diligence would not have known) of the violation, rise to $1,000 per violation for violations due to reasonable cause and $10,000 per violation for willful neglect that is corrected, and reach $50,000 per violation for willful neglect that is not corrected, with each tier capped at $1,500,000 for all violations of an identical requirement or prohibition during a calendar year.
What Can You Do Now?
Because of these changes in the law, and to meet the September 15, 2009, deadline for the breach notification requirements and the February 17, 2010, deadline the HITECH Act sets for the other amendments to the HIPAA Privacy and Security Rules, covered entities and business associates should:
(a) update old, and develop new privacy and security policies and procedures to comply with the new requirements and limitations;
(b) amend existing Business Associate Agreements and determine whether new Business Associate Agreements are warranted; and
(c) develop breach notification policies and procedures that comply with the new requirements.
Covered entities should also review and revise their Notice of Privacy Practices in light of changes to the use and disclosure of health information and accounting of such disclosures under the HITECH Act.