The HITECH Act and HIPAA
The American Recovery and Reinvestment Act (ARRA) of 2009 became federal law in February 2010 and brought significant changes to HIPAA regulations in three broad categories: breach notifications, business associates, and penalties. It increases enforcement of the Health Insurance Portability and Accountability Act (HIPAA). It also allocates billions of dollars to invest in the implementation and exchange of health information technology, such as electronic medical records.
The Health Information Technology for Economic and Clinical Health Act (HITECH) expands upon HIPAA and holds healthcare organizations to a higher level of responsibility for breach of patient information. Under HITECH, if a breach compromises the privacy and security of the patient’s information and poses a significant risk of financial, reputational, or other harm, patient notification is required. Additionally, the Secretary of Health and Human Services and media outlets must be notified under specific circumstances.
The Complexities of HIPAA’s Expanding Role
The act delineates that organizations providing data transmission of PHI and requiring access to that information are now considered Business Associates and must enter into written contracts with covered entities (American Recovery and Reinvestment Act of 2009).
Five new definitions have been added:
• Breach
• Electronic Health Record (EHR)
• National Coordinator
• Personal Health Record (PHR)
• Vendor of Personal Health Records
Breach:
A breach is an unauthorized acquisition, access, use, or disclosure of protected health information (PHI) resulting from a failure to comply with organizational security or privacy policies, or from a violation of federal or state privacy and security regulations. Access to information by an employee of a covered entity, in good faith, is not considered a breach.
However, HITECH strengthens the specifics of privacy and security by significantly increasing penalties, establishing a heightened enforcement scheme, and giving state attorneys general enforcement authority. Individuals may now be held accountable for wrongful disclosure (HITECH Act section 13409).
Under the new law, when a breach is discovered, a covered entity (CE) must notify each individual whose unsecured PHI has been, or is believed to have been, accessed or disclosed. Business associates (BAs) must notify the CE of the breach. CEs and BAs must notify individuals of a breach as soon as possible, and no later than 60 days after discovery of the breach. The burden of proof is on the CE to demonstrate that notification was made and to justify any delay.
If a breach involves 500 or more individuals, the Department of Health and Human Services (HHS) must be notified immediately, and HHS posts the name of the covered entity on its website. DHHS began posting names on March 1, 2010. Breaches affecting fewer than 500 individuals must be recorded in a log that is submitted to DHHS annually.
Electronic Health Record (EHR):
An electronic health record consists of health-related information that is created, gathered, managed, and authorized by health care clinicians and personnel. The government's belief is that widespread use of EHRs will not occur until the public is assured that the privacy of their health information is secure. Hospital workers inappropriately accessing celebrity health information, such as that of Farrah Fawcett, Britney Spears, and Nadya Suleman (mother of octuplets), has been an impetus for holding individuals, as well as facilities, responsible for breaches of EHRs.
National Coordinator for Health Information Technology:
Dr. David Blumenthal, a physician, is the Coordinator of the Office of the National Coordinator for Health Information Technology (ONCHIT). Dr. Blumenthal is the brother of the State Attorney General of New York.
Personal Health Record (PHR) and Vendors of PHR:
A PHR is an electronic health record that the consumer maintains. It contains identifiable health information, usually maintained by the consumer, although a health care provider may facilitate its use and populate the record with the consumer's permission. PHRs are becoming more widely used by consumers, and PHR vendors are generally not covered by HIPAA. Companies such as Personal MD and Dossia serve Wal-Mart, AT&T, and Intel. Google has launched Google Health, and its competitor Microsoft has launched Microsoft HealthVault.
Companies that are neither covered entities nor business associates of a CE, yet maintain health records, are not federally liable for privacy or security, so there is a legislative movement to create law that changes this. Because PHRs are under consumer control, they carry a greater privacy risk.
Protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary of HHS is not secure. If data is not encrypted or destroyed, it is not secure. Data that is truly encrypted or destroyed cannot be breached.
There are two types of data encryption: 1) encrypting data at rest, such as laptop and notebook hard drives and databases, and 2) encrypting data in transit, such as securing Web connections, VPNs, and wireless networks.
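The following is an added example, not code from the original article, of what "encrypted at rest" and "destroyed" look like in practice for a single PHI record: the record is sealed with AES-256-GCM (an authenticated cipher, so a tampered copy is rejected rather than decrypted to garbage), the record identifier is bound to the ciphertext so it cannot be moved between patients, and the key is zeroed to make the stored data unrecoverable (crypto-shredding). The record contents, the `patient-000123` identifier and the function names are constructed for illustration; in a real deployment the key lives in a KMS or HSM, not in the program.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewDataKey generates a random 256-bit AES key. In a real deployment the key
// is held in a KMS or HSM and is never stored beside the ciphertext it protects.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptPHI seals one record with AES-256-GCM. The returned slice is
// nonce || ciphertext || authentication tag. The record identifier is bound as
// associated data, so a ciphertext copied into another patient's row fails to open.
func EncryptPHI(key, plaintext []byte, recordID string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce, so everything needed to
	// decrypt (except the key) is stored together.
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// DecryptPHI reverses EncryptPHI. A modified stored record, a wrong key, or a
// mismatched record identifier makes gcm.Open return an error instead of data.
func DecryptPHI(key, sealed []byte, recordID string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

// DestroyKey zeroes the key material in place. Once every copy of the key is
// gone the ciphertext is unrecoverable, which is how encrypted data is
// "destroyed" without scrubbing every backup (crypto-shredding).
func DestroyKey(key []byte) {
	for i := range key {
		key[i] = 0
	}
}

func main() {
	// Constructed sample record; not real patient data.
	record := []byte("MRN 000123 | DOB 1970-01-01 | Dx J18.9")
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	sealed, err := EncryptPHI(key, record, "patient-000123")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored form (%d bytes) is unreadable without the key: %x...\n", len(sealed), sealed[:16])

	plain, err := DecryptPHI(key, sealed, "patient-000123")
	fmt.Printf("authorised read: %q err=%v\n", plain, err)

	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = DecryptPHI(key, sealed, "patient-000123")
	fmt.Println("tampered copy rejected:", err != nil)
	sealed[len(sealed)-1] ^= 0x01 // restore it

	DestroyKey(key)
	_, err = DecryptPHI(key, sealed, "patient-000123")
	fmt.Println("after key destruction, record unrecoverable:", err != nil)
}
```

The same building block covers the "in transit" case in spirit (TLS and VPNs are authenticated encryption over a channel rather than over a stored record), but the at-rest form is the one a lost laptop or database backup turns on: a drive that holds only sealed records and no key holds nothing the rule counts as unsecured PHI.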
Business Associates:
A business associate, under HIPAA privacy, is a person or entity that performs functions or activities on behalf of, or provides services to, a CE. A member of a CE’s workforce is not a business associate. HIPAA originally did not automatically subject BAs to HIPAA regulations.
The HITECH Act expands this definition to include organizations that provide data transmission of PHI to CEs and their BAs, as well as each vendor that contracts with a CE to let the CE offer PHRs to patients as part of an EHR (HITECH Act section 13408). The business associate agreement must establish the permitted and required uses and disclosures by the BA (45 CFR 164.504(e)(2)(i)).
There are now tougher guidelines for business associates. The BA must comply with HIPAA and HITECH security requirements and with HITECH privacy requirements. BAs are subject to Office for Civil Rights audits and must now notify CEs of any breach of unsecured PHI, whether electronic or paper. The HITECH requirements “shall be incorporated into the business associate agreement and the covered entity” (HITECH Act sections 13401(a) and 13404(a), XX USC).
The CE should ensure that BAs have implemented the administrative, physical, and technical safeguards of HIPAA security. They must also specify that the BA must comply with use and disclosure rules in the HIPAA Privacy Rule. The BA should demonstrate how they will negotiate security/data breach coordination. There should also be an agreement on reporting and dispute resolution.
Even though the HITECH Act provides HHS with direct authority over BAs, health care organizations must still sign BA agreements requiring BAs to comply with HIPAA. The business associate agreements must include specific language and responsibilities in their arrangements and contracts with BAs (45 CFR 164.504(e)(1)(i)).
If the health care organization suspects or knows that a BA has committed a material breach or violation of the agreement, “the health care organization is in violation of the business associate rules unless it takes reasonable steps to cure the breach or end the violation [45 CFR 164.504(e)(1)(ii)]” (Decision Health, HIPAA, 2010).
If reasonable steps do not succeed, the health care organization is expected to terminate the contract or report the problem to HHS.
Penalties:
The HITECH Act (section 13410) provides a tiered system for assessing both the level of culpability and the penalty for each violation. There is a cap of $50,000 per violation and $1.5 million per calendar year for violations of the same type:
Tier A is “directed toward the offender who did not know they violated the act and if they had known, would have handled it differently”.
• Minimum per violation: $100
• Maximum per calendar year: $25,000
Tier B is for violations “due to a reasonable cause and not to willful neglect”.
• Minimum per violation: $1,000
• Maximum per calendar year: $50,000
Tier C is for violations due to willful neglect that are corrected.
• Minimum per violation: $10,000
• Maximum per calendar year: $250,000
Tier D is for violations due to willful neglect that are not corrected.
• Minimum per violation: $50,000
• Maximum per calendar year: $1.5 million
Health care organizations should have in place policies that address the various levels of violation, such as failing to sign off a computer terminal when it is unattended, sharing passwords, accessing a patient record without a legitimate reason, releasing data for personal gain, and intentionally destroying or altering data.
The new regulations allow, for the first time, individual penalties under Section 1177 [42 U.S.C. 1320d-6](a). The selling of celebrity information to the media spurred this section. A person who knowingly, and in violation of this part, 1) uses or causes to be used a unique health identifier, 2) obtains individually identifiable health information, or 3) discloses individually identifiable health information to another person is subject to the following punishment:
Penalties – A person described in subsection (a) shall:
1) be fined not more than $50,000, imprisoned not more than 1 year;
2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and
3) if the offense is committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.
Training:
Training is crucial to the protection of an organization and its patients. Look at your present training program and update it! Be certain to invite employees and business associates to training sessions. Be certain you discuss written communication on paper, in email, and on social networks. Discuss privacy and security policies, business-driven access to data, appropriate use of portable devices, and password management. At a minimum, address the following:
• Privacy and security training must be documented.
• Transaction training must be documented.
• Target training to the personnel involved: board members and executives; front-line personnel such as coders, who should understand the impact of HIPAA on their specialty; and administrative, technical, and support personnel, who need to understand how the rules affect them. Focus on specifics as well as generalities.
• Have a policy on sanctions.
Use Best Practices for:
• Authentication: pre-boot authentication and strong, complex passwords
• Access: Need to know basis on approved devices
• Retention: Destroy if not needed
• Encryption: Laptops, notebooks, desktops, email, social networks
Security should be transparent to users: secure data sharing, coupled with quick and reliable recovery of secured PHI, easy deployment and support, consistent policy enforcement, and, finally, quick and accurate responses to compliance audits.
Policies should cover handheld devices (iPhones and BlackBerrys) and photography in the workplace.
Remember that your program should:
1. Allow employees to serve patients easily and access information readily
2. Be compliant, with policies that avoid breaches and fines
3. Protect privacy while allowing collaboration with business associates
4. Encourage employees to be comfortable in their work environment
5. Control costs and achieve the desired outcomes
For some peace of mind, have a written information security program, an active HIPAA privacy program, and a living Corporate Compliance Program.