Stricter HIPAA Rules Bolster Enforcement
Mark Manigan
When President Obama signed the economic stimulus package in 2009, included in its hundreds of pages was the Health Information Technology for Economic and Clinical Health Act, known as the HITECH Act. The HITECH Act sets the groundwork for widespread adoption of electronic health records and provides billions of dollars in incentive payments to get physicians to buy into the idea. The HITECH Act also makes substantial changes to patient privacy rules that practices need to be aware of.
The HITECH Act institutes changes to HIPAA, the Health Insurance Portability and Accountability Act of 1996, in three important ways:
- It introduces the first federal security breach notification requirement.
- It creates new obligations for physicians and those who do business with medical practices.
- It increases the enforcement of HIPAA rules and the penalties when breaches occur.
What is a Covered Entity?
Any physician who transmits health information in electronic form in connection with a standard transaction (such as a claim) is considered a “covered entity” and must comply with HIPAA requirements. New to HIPAA is the expansion of regulations regarding “business associates.” These are individuals or entities — such as billing companies, consultants, attorneys and others — who are not employed by you but perform functions on your behalf that involve protected health information. For the first time, these associates are directly subject to essentially the same rules as the physician.
If a Patient’s Privacy is Breached
Arguably the most important part of the HITECH Act is the new federal breach notification rule, which requires that physicians inform their patients when the security of their unsecured health information has been compromised. The breach notification requirement also mandates that business associates inform the physician when they discover a breach has occurred. Health information counts as “secured” only if it has been rendered unusable, unreadable or indecipherable to unauthorized persons, in practice by encryption consistent with HHS guidance (which points to NIST standards) or by destruction. This makes it very important for physicians to ensure that health information is encrypted: anything that is not encrypted is not considered secure and therefore is not exempt from the breach notification requirement. Note that encryption only provides this safe harbor if the decryption key itself has not been compromised along with the data.
Defining a Breach
The term “breach” is broadly defined as the unauthorized acquisition, access, use or disclosure of protected health information in a way that violates the HIPAA privacy rule and compromises the security or privacy of that information. Protected health information is considered compromised only if the breach poses a “significant risk of financial, reputational or other harm to the individual.”
Generally, a breach does not include:
- Any unintentional acquisition, access or use of health information by one of your employees or a business associate, if the use was made in good faith and does not result in a violation of HIPAA privacy rules
- An inadvertent disclosure by a person who is authorized to access health information to another authorized person, as long as the information is not further used in an impermissible manner
- A disclosure of health information in which you, an employee or a business associate has a good faith belief that the unauthorized person would not reasonably be able to retain the information
For example, let’s say a staff member mistakenly hands a patient a medical file belonging to another patient, but she realizes her mistake immediately and recovers the file. If the employee can reasonably conclude that the patient could not have read or otherwise retained the information, then this disclosure would not constitute a breach under the HITECH Act’s breach notification rule.
On the other hand, a clear breach requiring investigation and notification would occur if an office employee takes a cell phone picture of a patient and transmits the photo to friends or posts it on Facebook.
What to Do
If you discover that a breach has occurred, what should you do? First, you are required to notify the affected individuals without unreasonable delay, and no later than 60 days after the breach was discovered (or would have been discovered had you exercised reasonable diligence). You must keep a log of breaches involving fewer than 500 people and submit the log to the Department of Health and Human Services (HHS) annually. If a breach involves 500 people or more, you must notify HHS at the same time you notify the individuals. For breaches involving more than 500 residents of one state or jurisdiction, prominent media outlets serving that area must be notified in addition to HHS.
The HITECH Act also bolsters enforcement of the rules by making fines more aggressive and instituting tiered penalty ranges based on the level of culpability, from a minimum of $100 per violation for violations that occurred without your knowledge up to a maximum of $1.5 million per year for identical violations, with the highest tier reserved for willful neglect. It also empowers state attorneys general to enforce some aspects of HIPAA on behalf of their residents.
Accountability for Business Associates
In addition to requiring that business associates notify you when they discover a breach, the HITECH Act makes business associates directly responsible for compliance with certain HIPAA provisions. Business associates must implement the administrative, physical and technical safeguards that the HIPAA Security Rule requires for electronic health information and must comply with the terms of their business associate agreements.
Given the numerous changes and the increased enforcement, physicians should review their agreements with current business associates to incorporate these new requirements. They should also make sure that internal HIPAA policies meet the new standards, train staff on the updated policies, and put procedures in place to remain compliant.