HIPAA AND HITECH – WHAT YOU NEED TO KNOW
Terms
| Term | Definition |
| --- | --- |
| ARRA | American Recovery and Reinvestment Act of 2009 (aka Obama’s “Stimulus Act”) |
| HITECH | Title XIII of ARRA - Health Information Technology for Economic and Clinical Health |
| CE | Covered Entity under HIPAA |
| BA | Business Associate under HIPAA (an entity that provides services to a CE that require access to patients’ protected health information) |
TNP INSUREDS, PLEASE VISIT MyTNP FOR MORE DETAILED HIPAA INFORMATION.
As part of President Obama’s stimulus plan, the American Recovery and Reinvestment Act of 2009 was passed in February 2009. One section of this federal law, known as the “HITECH Act” (Health Information Technology for Economic and Clinical Health), has significant implications for physicians and other healthcare providers. While HITECH covers many topics, including electronic health records, it also amends the regulations under HIPAA.
SUMMARY IMPACT TIMELINE
(Note that compliance deadlines may change.)
1. Civil penalties for HIPAA violations increase for CEs – up to $1.5 million.
2. State Attorneys General (AGs) may bring HIPAA enforcement action against CEs.
3. Each Department of Health and Human Services (HHS) region is to provide guidance and education to CEs, BAs, and patients.
4. CEs and BAs must comply with HITECH’s breach notification provisions (in addition to state law requirements); BAAs need to be amended.
5. HHS must have a broad program to educate individuals about their rights.
6. BAs must now comply with HIPAA’s Security Rule.
7. BAs are now subject to HIPAA’s (increased) civil and criminal penalties.
8. State AGs can bring HIPAA enforcement action against BAs (in addition to CEs).
9. Employees and other individuals are subject to HIPAA’s criminal fines and penalties.
10. HHS is now required to conduct audits of CEs and BAs.
11. New type of BA – data transmission entities (health information exchange organizations, regional health information organizations, e-prescribing gateways, vendors of personal health records); CEs need BAAs from these new BAs.
12. Restriction on disclosure requests: CEs must comply with certain restriction requests from patients – a CE must agree to a patient’s request to restrict disclosure if the disclosure is to a health plan for payment or health care operations (not treatment), AND the patient information pertains solely to health care items / services for which the patient has paid the provider in full.
13. Patient access to CE’s electronic health record: patients have the right to obtain copies of a CE’s electronic health record in electronic form.
14. “Minimum necessary” is essentially the limited data set (as defined by the Privacy Rule), unless more is required; guidance is to be issued prior to the deadline.
15. Further restrictions on using patient information for marketing purposes.
16. PHR vendors / service providers must give notice of security breaches.
17. If a CE’s electronic health record was acquired after 1-09, CEs and BAs must account for disclosures from the electronic health record even if the disclosure is for treatment, payment, or health care operations; regulations are forthcoming.
18. HHS must investigate complaints of willful neglect and, if substantiated, must impose the statutory penalty – at least $10K–$50K per violation.
19. HHS and state AGs can pursue civil HIPAA violations in cases where a criminal penalty could attach but the Department of Justice declines to pursue.
20. Individuals can recover a percentage of penalties or settlement.
21. CEs and BAs may not sell patient information / electronic health records.
22. If a CE’s electronic health record was acquired before 1-09, CEs and BAs must account for disclosures from the electronic health record even if the disclosure is for treatment, payment, or health care operations.