March 8, 2010 – All the Hype about HIPAA and HITECH

Have you done anything about it?

As part of the American Recovery and Reinvestment Act of 2009 (ARRA), the Health Information Technology for Economic and Clinical Health Act (HITECH Act) significantly expands the Privacy Rules and the Security Rules under the Health Insurance Portability and Accountability Act (HIPAA). The HITECH Act addresses a number of areas, including:

  1. notification requirements where a “breach” involving protected health information (PHI) occurs,
  2. imposition of direct business associate liability for violations of the HIPAA Privacy and Security Rules,
  3. expanded individual rights with respect to PHI disclosures,
  4. further restrictions on the amount of PHI that may be disclosed,
  5. more restrictions on the sale of PHI and the use of PHI in marketing activities, and
  6. more stringent enforcement provisions.

THESE CHANGES REQUIRE ATTENTION BY BOTH “COVERED ENTITIES” AND THE “BUSINESS ASSOCIATES” THAT PROVIDE SERVICES TO THEM.

Focusing on Enforcement

The business analysis that covered entities and business associates go through regarding HIPAA compliance (e.g., how much to do, consequences of not doing enough, etc.) has changed.  In the past, we often heard “well, it’s not like there are HIPAA Police out there” or “what’s the likelihood of being audited” as factors in the HIPAA compliance risk analysis.  HITECH has “modified” the enforcement environment in a number of ways, including the following:

  1. Making it easier to go after violators.  HITECH provides (1) authority for state attorneys general to enforce HIPAA, and (2) clarification that employees can be held responsible under the criminal provisions (i.e., not just the entity that employs them).  Both of these changes are expected to increase enforcement actions.
  2. Mandating compliance audits and investigations.  HITECH mandates HHS to conduct periodic audits.  In the past, HHS had the authority to conduct audits but was not mandated to conduct them.  In addition, HITECH mandates an investigation where “willful neglect” may be involved.
  3. Adding a “self-reporting” requirement.  Through the new breach notification requirement, covered entities and business associates are charged with identifying, investigating, and then addressing (which may include notification to individuals at risk and the papers) HIPAA failures likely to result in significant harm.  For a detailed discussion of this requirement, click here.
  4. Significantly increasing the available penalties.  There are now four tiers of civil penalties differing based upon the degree of culpability and whether the failure was corrected.  For example, Tier B addresses violations due to reasonable cause and not willful neglect.  HITECH authorizes a penalty of $1,000 per day with a $100,000 per calendar year maximum for violations of the same requirement.  In the past, the likely penalty was only $100 per day.  
  5. Authorizing part of the penalty amount to go to the harmed individuals.  In what is likely a further incentive for individuals to report violations and for penalties to be pursued, HITECH now provides that a portion of the penalty proceeds can go to the individuals harmed by the violation.

Observation:  HITECH changes the risk analysis environment. 

To assist you with evaluating where you are on the HIPAA HITECH compliance continuum, we have prepared two checklists, one for “covered entities” and one for “business associates”.  These checklists will help you determine what you need to do.  And, if you want our assistance, the checklists will help us identify and efficiently provide the services you need.

Please contact us if you have any questions regarding the requirements, or if you need our assistance with any of the foregoing action items.

__________________________________________________________________

The information contained in this ALERT is intended for general information purposes only and does not constitute legal advice relative to a specific situation.