ASC Obligations in a "Hitech" World


Lani M. Dornfeld and Isai Senthil

No longer can it be said that HIPAA doesn’t have the bite to match its bark. The HITECH (short for Health Information Technology for Economic and Clinical Health) Act states that employees of HIPAA-covered entities — essentially any healthcare provider that conducts patient transactions in electronic form — who disclose protected health information without authorization may be subject to criminal penalties. It also extends civil and criminal liability under HIPAA to business associates that handle their data.

Increased enforcement
The HITECH Act establishes a tiered system of civil penalties. At the low end are HIPAA violations that have occurred outside a violator’s knowledge, which carry a penalty of $100 or more. You may be able to defend yourself against such penalties if the violations are corrected in a timely fashion. At the high end are violations resulting from uncorrected, willful neglect, which carry a $50,000 fine per violation and an annual cap of $1.5 million.

In addition to increasing the penalties, the act empowers states to prosecute HIPAA violations, an authority previously held solely by HHS. In January, Connecticut Attorney General Richard Blumenthal became the first to exercise this new power when he filed suit against insurer Health Net of Connecticut for allegedly failing to secure patient records and financial information involving hundreds of thousands of enrollees and failing to notify them promptly following a breach of such information. It seems likely that other states’ attorneys general will follow Mr. Blumenthal’s lead and exercise their new authority to enforce HIPAA against its offenders.

Breach notification
The HITECH Act’s most significant provision might be its introduction of a security breach notification requirement, which directs healthcare providers and other organizations subject to HIPAA regulations to alert affected individuals in the event that unsecured protected health information (that is, information that has not been rendered unusable, unreadable or indecipherable through HHS-specified means) has been breached. HHS also requires the business associates of these parties to report to them the discovery of any such information breach.

Although the act defines “breach” as any “unauthorized acquisition, access, use or disclosure of [protected health information] which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information,” HHS regulations issued in August 2009 somewhat narrow the scope. These regulations include a risk-of-harm threshold that must be met before triggering a notification requirement, namely that the event poses a “significant risk of financial, reputational, or other harm to the individual.” While it’s not likely that many breaches will reach the point of requiring notification, the decision not to notify must be supported by a documented risk assessment.

If a provider determines that a breach notification is warranted, it must notify any affected individuals within a reasonable period of time, but no later than 60 calendar days after it knows, or reasonably should have known, of the breach. For breaches involving fewer than 500 individuals, providers must maintain an internal log detailing what happened, the date of the breach, the date of its discovery and the number of patients affected, if known, and submit this log to HHS annually.

For breaches involving 500 or more individuals, the provider must notify HHS at the same time as the affected individuals. HHS will post a report of the breach on its Web site. If a breach affects more than 500 individuals in a state or region, the provider must also notify area media outlets.

The Act’s breach requirements are extensive and complex, and providers must draft, implement and train their staff on policies and procedures addressing notification actions, sanctions for employees and business associates who fail to respond appropriately to a breach and the retention of documents related to such situations.

Business associates
As of February 2010, the HITECH Act mandates that certain HIPAA provisions apply directly to healthcare providers’ business associates. Business associates are individuals or organizations that perform activities involving the use or disclosure of protected health information on a healthcare provider’s behalf, but are not members of the provider’s workforce (billing companies and accounting firms, for example).

Previously, privacy and security requirements had been imposed on business associates by way of contractual agreements with the providers that had retained their services. Now, the HITECH Act explicitly requires business associates to implement the HIPAA security rule’s safeguards. These safeguards restrict the use and disclosure of this information as specified in the business associate’s agreement or as ordered by law, require that the business associate make its records available to HHS upon request and mandate the return or destruction of all protected health information, if feasible, upon termination of the agreement between the business associate and the healthcare provider.

If you haven’t already, amend your existing agreements with business associates to reflect the new mandates with which these associates must comply. Also make sure to include the new mandates in any new outsourcing contracts.

© COPYRIGHT 2012 . BRACH EICHLER L.L.C. 101 EISENHOWER PARKWAY, ROSELAND, NJ 07068 (973) 228-5700