Skip to main content
Full access
Professional News
Published Online: 15 January 2010

More Answers About Law Amending HIPAA Rules

Abstract

This is the second part of a two-part article providing an introductory overview of the new HITECH law. The first part appeared in the January 1 issue and addressed HITECH in detail. Interpretation of this law is still evolving, and there are currently many unanswered questions. Nothing in this article should be construed as legal advice.
The HITECH (Health Information Technology for Economic and Clinical Health) Act is Title 13 of the American Recovery and Reinvestment Act of 2009 (ARRA). While the various subtitles of HITECH cover many topics relevant to physicians (for example, financial incentives for health information technology), this article will address Subtitle D of HITECH amending the privacy and security rules under HIPAA (Health Insurance Portability and Accountability Act of 1996).
HIPAA's privacy and security rules established floors of confidentiality and security protections for patients' demographic and health information in all forms—paper, oral, and electronic. The development of health information technology (for example, electronic health records, personal health records, health information exchanges) has resulted in additional risks; HITECH builds on the privacy and security rules to address these new risks.
•. 
How has HIPAA enforcement increased?
•. 
State attorneys general can bring enforcement action for violations of federal HIPAA regulations.
•. 
Employees and individuals are subject to HIPAA's criminal penalties.
•. 
The Department of Health and Human Services (HHS) must conduct audits of covered entities and business associates.
•. 
HHS must investigate complaints of willful neglect, and if substantiated, HHS must impose a statutory penalty of at least $10,000 to $50,000 per violation.
•. 
HHS and state attorneys general can pursue civil HIPAA violations in cases in which criminal penalty could attach, but the Department of Justice declines to pursue.
•. 
Individuals can recover a percentage of penalties imposed or settlement proceeds from HIPAA investigations based on their complaints.
•. 
What are the penalties for HIPAA violations?
Civil penalties for HIPAA violations have increased for covered entities and business associates to $100 to $50,000 or more per violation, with a cap of $1.5 million per calendar year for multiple identical violations. “Violation” means disclosure of one person's information.
Criminal penalties remain up to $250,000 and 10 years imprisonment.
•. 
What can I do to ensure compliance with the Privacy Rule?
The first step is to understand what the Privacy Rule requires. There are comprehensive educational resources available on the HHS Web site, <www.hhs.gov/ocr/privacy>. Remember that under HIPAA's Privacy Rule, patients have the right to receive a Notice of Privacy Practices; authorize the release of information for purposes other than treatment, payment, or health care operations; request restrictions on disclosures; access the records (with very limited exceptions); request amendment of the record; request an accounting of disclosures (other than for treatment, payment, or health care operations purposes); complain about violations to the provider and to HHS; and have only the minimum necessary information disclosed.
Also under the Privacy Rule, covered providers must designate a privacy officer and contact person/office; implement safeguards (administrative, physical, and technical safeguards) for protected health information (PHI) (oral, paper, and electronic); mitigate damages from unauthorized uses or disclosures of PHI; investigate complaints; prevent retaliation for complaints; impose sanctions for privacy violations; have documented confidentiality policies and procedures; and train employees on confidentiality policies and procedures.
The second step is to understand HHS's Privacy Rule enforcement. While no civil monetary penalties have been imposed to date, HHS has publicized two resolution agreements. In the most recent case from January 2009, the CVS drug-store chain agreed to pay $2.25 million to resolve allegations stemming from media reports that PHI was being disposed of in unsecured dumpsters. The second case, from July 2008, involved a resolution agreement to settle allegations related to loss of electronic backup media and laptop computers with PHI. The health care system involved agreed to pay $100,000. HHS's Web site also contains examples of cases that were investigated, violations that were found, and corrective actions that were ordered.
•. 
What can I do to ensure compliance with the Security Rule?
First, know what the Security Rule requires to protect against reasonably anticipated improper use or disclosure of electronic PHI. The Security Rule has general requirements to
•. 
conduct a risk analysis,
•. 
develop, implement, and maintain appropriate security measures,
•. 
document the security measures in policies and procedures, and
•. 
update risk and security measures.
The Security Rule consists of 18 safeguards (administrative, physical, and technical), and for each of the three types of safeguards, there are standards (what must be done) and implementation specifications (how it must be done).
Second, become familiar with the vast amounts of educational and enforcement information made available by HHS. While its Office for Civil Rights now enforces both the Privacy and Security Rules, its Centers for Medicare and Medicaid Services (CMS) originally enforced the Security Rule and published many enforcement resources including a “Security Guidance,” posted at <www.cms.hhs.gov/SecurityStandard/Downloads/SecurityGuidanceforRemoteUseFinal122806rev.pdf>, which addresses portable-device security.
Moreover, CMS issued a list of what would need to be provided by a covered entity in a Security Rule audit—20 different types of policies and procedures and an additional 19 specified documents. CMS also published compliance reviews indicating that the most common security complaints involve unauthorized access to electronic PHI (particularly by employees), loss or theft of devices containing electronic PHI, and insufficient access controls, such as lack of encryption.
•. 
What do I need to know about breach notification?
Covered providers and business associates need to be aware of the requirements under state and federal breach notification laws.
Under HITECH's federal breach notification law:
•. 
When is compliance required? Compliance was required as of September 23, 2009. However, HHS has indicated that it will not enforce the breach notification requirements until February 2010.
•. 
What is a breach? Breach means the unauthorized acquisition, access, use or disclosure of “unsecured” PHI (which includes demographic information) that poses a significant risk of financial, reputational, or other harm to the patient. According to HHS's Breach Notification Guidance, PHI is secured only if it is encrypted or destroyed.
•. 
What is not a breach? HHS regulation on breach notification provides examples of inadvertent, harmless mistakes that would not be considered a breach.
•. 
Who has to be notified? Covered entities must notify each affected individual of breach of unsecured PHI. Notifications must be provided “without unreasonable delay,” but no later than 60 days after breach discovery. If more than 500 people are affected, notice of the breach must be made to the media and to HHS. If fewer than 500 people are affected, notice to HHS can be provided annually.
•. 
What about breaches by business associates? Covered providers will need to ensure that their business-associate agreements reflect the business associate's obligation to notify the covered entity of any breach.
•. 
What do I need to do to ensure compliance? Prior to a breach, physicians should develop processes to prevent and discover breaches, train staff, and ensure ongoing monitoring. Once a breach is discovered or reported:
•. 
Determine if a breach occurred. Has there been an impermissible use or disclosure of unsecured PHI that poses
•. 
significant risk of financial, reputational, or other harm to the patient?
•. 
If so, determine if it is reportable. Does the breach fall under one of the limited exceptions?
•. 
Determine what, if anything, needs to be done to mitigate the harmful effects of the breach (credit monitoring, additional audits, employee sanctions, new safeguards, etc.).
•. 
Provide timely notice to the individual(s) and to HHS.

Under state law:

While there is no uniformity among state laws on breach notification, almost all states have some type of consumer-protection law requiring businesses to notify customers of an inappropriate use or disclosure of their information. Some state laws are reactive—requiring notification of the breach. Other states are reactive and proactive—also requiring specific security standards be met to prevent breach of consumers' data. And at least one state, California, has expanded its breach-notification law to include breach of medical information.
The National Conference of State Legislatures has a resource to find state breach-notification requirements: <www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/SecurityBreachNotificationLaws/tabid/13489/Default.aspx>.
•. 
Where can I find more information?
•. 
American Recovery and Reinvestment Act of 2009, <http://fdsys.gpo.gov/fdsys/pkg/BILLS-111hr1ENR/pdf/BILLS-111hr1ENR.pdf>
•. 
HHS Office for Civil Rights (OCR) <www.hhs.gov/ocr/privacy> and regional offices (contact information available on Web site); regional offices are required to provide HIPAA guidance and education to covered providers (along with business associates and patients)
•. 
HHS Centers for Medicare and Medicaid Services (CMS)—Security Rule enforcement, <www.cms.hhs.gov/Enforcement> (note: Security Rule enforcement authority transferred from CMS to OCR, so enforcement information is expected to ultimately be found on OCR's Web site)
•. 
HHS Breach Notification Guidance (4/09) and Breach Notification Regulation (8/09), <www.hhs.gov/ocr/privacy/index.html>
•. 
PRMS's HIPAA Help, <www.psychprogram.com> (Risk management section)

Information & Authors

Information

Published In

History

Published online: 15 January 2010
Published in print: January 15, 2010

Authors

Details

Donna Vanderpool, M.B.A., J.D.

Notes

Donna Vanderpool, M.B.A., J.D., is assistant vice president, risk management, at Professional Risk Management Services Inc. (PRMS).

Metrics & Citations

Metrics

Citations

Export Citations

If you have the appropriate software installed, you can download article citation data to the citation manager of your choice. Simply select your manager software from the list below and click Download.

For more information or tips please see 'Downloading to a citation manager' in the Help menu.

Format
Citation style
Style
Copy to clipboard

View Options

View options

Login options

Already a subscriber? Access your subscription through your login credentials or your institution for full access to this article.

Personal login Institutional Login Open Athens login

Not a subscriber?

Subscribe Now / Learn More

PsychiatryOnline subscription options offer access to the DSM-5-TR® library, books, journals, CME, and patient resources. This all-in-one virtual library provides psychiatrists and mental health professionals with key resources for diagnosis, treatment, research, and professional development.

Need more help? PsychiatryOnline Customer Service may be reached by emailing [email protected] or by calling 800-368-5777 (in the U.S.) or 703-907-7322 (outside the U.S.).

Media

Figures

Other

Tables

Share

Share

Share article link

Share