
A HITECH world: New law expands HIPAA enforcement power

10/05/2009

 

* UPDATE: SEPTEMBER 2013 *

With new regulations taking effect, update your HIPAA privacy policies ASAP

Remember the sweeping HIPAA reforms enacted in 2009 as part of the economic stimulus legislation? Yeah, neither did we. However, the U.S. Department of Health and Human Services (HHS) hasn’t forgotten. It has issued final regulations for implementing the Health Information Technology for Economic and Clinical Health (HITECH) Act.

The regulations require entities covered by HIPAA—including employer-provided health plans—to update their privacy policies ASAP. The deadline: Sept. 23, 2013. HIPAA is the Health Insurance Portability and Accountability Act of 1996, which governs almost all employer-provided health insurance plans. It also sets the national standards for electronic health care transactions—the primary focus of the HITECH Act.

HITECH and the 2013 final rule expanded the security measures that covered entities, including employer-sponsored group health plans, must take to protect individuals’ “protected health information” (PHI) and restricted how that PHI may be used. The same final rule also implements the Genetic Information Nondiscrimination Act (GINA): genetic information is treated as PHI, and health plans may not use it for underwriting purposes.

Most of the HITECH privacy regulations affect health care providers and insurance companies that store vast amounts of electronic patient data. However, many of the regs affect employers, too.

Example: Entities that handle health records must have a way to clear or destroy medical data stored on digital photocopiers and other equipment with internal storage before that equipment is returned, resold or discarded.

Advice: Consult your attorney to ensure your privacy policies comply with the new regulations. Read the final HITECH regs online.

Read background on HITECH below.

_______________________________________

 

OCTOBER 2009 article

by Eric A. Mahler, Esq., Ogletree Deakins

The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law on Feb. 17, 2009 as part of the American Recovery and Reinvestment Act of 2009, also known as the economic stimulus bill.

HITECH was designed to advance the use of health information technology, such as electronic health records.

Among other important aspects, the HITECH Act expands the scope and enforcement power of the Health Insurance Portability and Accountability Act (HIPAA), with greater penalties for noncompliance.

Privacy and security regulations

One of HIPAA’s primary purposes is to safeguard the confidentiality of patients’ health information. If you provide health insurance to your employees, it’s important to understand how HITECH affects HIPAA.

HIPAA has long required “covered entities” to enter into contracts known as “business associate agreements” (BAAs) with noncovered entities that create, receive, maintain or transmit protected health information (PHI) on the covered entity’s behalf.

For HR purposes, the covered entities you deal with most often are group health plans and the group health insurance carriers that administer them. Business associates are the outside companies that perform ancillary services involving PHI, such as claims processing.

The BAAs required the entities working on behalf of providers and insurers to use appropriate safeguards for the PHI they receive from the covered entities. The BAAs also set forth permitted uses and disclosures for the PHI.

Prior to HITECH, business associates were bound only by the terms of their BAAs; they were not directly subject to HIPAA or to government enforcement action.

Under HITECH, business associates must now comply directly with the HIPAA Security Rule’s administrative, physical and technical safeguards and with its policies, procedures and documentation requirements. Business associates also must comply with the HIPAA Privacy Rule provisions that would otherwise apply to them only through their BAAs, and with any changes to the privacy rules (whether or not those changes are reflected in the BAAs).

Business associates can now be subject to enforcement by federal or state authorities for any failure to comply with HIPAA (as amended by HITECH).

If security is breached

In contrast to the previous version of HIPAA, covered entities must now notify individuals whose unsecured PHI has been breached. Business associates must notify the covered entity of any breach they discover; the covered entity must then notify the affected individuals.

A two-part inquiry is applied to determine if notification is required:

  1. Does the incident qualify as a breach?
  2. Was the information “unsecured,” or was it protected by encryption?

No notification to individuals is required if the breached information was rendered “unusable, unreadable or indecipherable to unauthorized individuals” through a technology or methodology specified in HHS guidance. That guidance specifies encryption consistent with National Institute of Standards and Technology (NIST) standards, or destruction of the media. One caveat that matters in practice: the encryption safe harbor applies only if the decryption key was not also compromised. A stolen laptop with an encrypted disk is outside the notification rules; a stolen laptop with the passphrase written on a sticky note is not.

Notice must be given without unreasonable delay and no later than 60 calendar days after discovery of the breach. A breach is treated as discovered on the first day it is known, or through reasonable diligence would have been known, to any workforce member or agent of the entity other than the person who committed the breach. Notice must also be given to prominent media outlets serving a state or jurisdiction if the breach involves more than 500 residents of that state or jurisdiction. Breaches affecting 500 or more individuals must be reported to HHS at the same time individuals are notified; smaller breaches are logged and reported to HHS annually.

____________________________________

Author: Eric A. Mahler is an associate in the Bloomfield Hills, Mich., office of Ogletree, Deakins, Nash, Smoak & Stewart, P.C. His practice concentrates on labor and employment, advising clients on matters including collective bargaining, corporate downsizing, union-free campaigns, media communications regarding labor negotiations, disciplinary matters, grievance adjustment, contract administration and revising job descriptions.

HITECH increases HIPAA enforcement powers

With the enactment of HITECH, HIPAA’s enforcement power is much stronger.

  • Criminal penalties can now be enforced against individuals, including employees of a covered entity. The scope of activities subject to criminal prosecution is now broader, covering individuals who disclose individual PHI “without authorization.”
  • HITECH clarifies that HHS or state attorneys general can pursue civil penalties in cases where criminal penalties could attach but the U.S. Department of Justice declines to pursue the case. Civil monetary penalties are mandatory when a violation due to “willful neglect” has occurred.
  • HIPAA penalties will now be tiered by the level of culpability, with discretion given to HHS on the nature and extent of the harm. Penalties top out at $50,000 per violation, with an annual maximum of $1.5 million for repeat violations of the same provision. HHS will not impose civil penalties if the violation was not due to willful neglect and is corrected within 30 days of when the entity knew or should have known of it.
  • HITECH expressly authorizes state attorneys general to enforce HIPAA in federal district court. This provision gives attorneys general the power to enforce the law even if there is no state authorizing statute, although the attorney general must notify HHS, which may intervene in the action. However, if a state attorney general brings the action, the penalties are capped at the former maximums under the preceding version of HIPAA: $100 per violation, up to $25,000 per calendar year for violations of an identical requirement.