Thursday, May 29, 2014

Changing Rules Under HIPAA/HITECH


Just when everyone began to feel more comfortable with the rules governing patient privacy and medical record security, the rules are changing. The Health Insurance Portability and Accountability Act of 1996, or HIPAA, and its resulting regulations have largely been in effect since April 15, 2003. However, the stakes were raised with the passage of the Health Information Technology for Economic and Clinical Health Act, commonly referred to as HITECH, which was part of the American Recovery and Reinvestment Act of 2009. In the past, much criticism was leveled against HIPAA because of the appearance that it did not go far enough in its enforcement efforts and in its regulation of the thousands of people and entities that have access to or maintain patients' private medical information. That is now changing, and practitioners, health care facilities and, specifically, those businesses and persons in arrangements with practitioners and facilities must take note.

Below are several of the key changes arising out of HITECH:

HITECH directly regulates business associates for the first time. While not subjecting business associates to all of the obligations of Covered Entities (such as providing privacy notices), the statute requires business associates to comply with the HIPAA provisions mandating administrative, physical and technical safeguards.

HITECH establishes the first national data security breach notification law. It requires Covered Entities to provide notice of a breach of unsecured protected health information (PHI) to each individual without unreasonable delay, but in no event later than sixty (60) days from discovery of the breach. There are additional notification requirements when more than 500 individuals are involved.

Enforcement is strengthened under HITECH. Greater civil money penalty amounts apply to the HIPAA Privacy and Security Rule violations occurring after February 18, 2009.

For the first time patient victims of HIPAA violations will have the opportunity to share in any penalties imposed against a Covered Entity. HHS is required to adopt such a methodology within three years of HITECH’s enactment, which is now upon us in 2012.

So why should you care about the changing rules? Again, one of the biggest reasons relates back to the criticism that HIPAA was not going far enough to deter unpermitted disclosures of patients' private medical information. To address this issue under HITECH, the Office of Civil Rights is charged with arranging for the performance of mandatory HIPAA audits. HHS is required to implement periodic audits of compliance with the HIPAA Privacy and Security Rules, and up to 150 random HIPAA compliance audits will be performed by the end of 2012. In the past, audits had been performed only at entities that had been the subject of a complaint; the new rule calls for audits whether or not there is a complaint. Entities selected for an audit will be informed by OCR of their selection and asked to provide documentation of their privacy and security compliance efforts. Additionally, every audit will include a site visit and result in an audit report. Call NPA today to discuss updating your HIPAA policies and procedures.