Penalties Soar, HIPAA Gets Update With HITECH Act Provisions
Adam Greene, JD, MPH

Soaring penalties and new privacy, security, and breach-notification provisions intended to modernize HIPAA have raised the stakes in the patient-privacy arena and rewritten the HIPAA rulebook. Radiology departments, practices, and their business associates are well advised to sit up and take notice. Adam Greene, JD, MPH, formerly an attorney with the US DHHS Office for Civil Rights, offered an overview of the changes in a February 21 session at the annual meeting of the Health Information and Management Systems Society in Orlando, Florida. Some changes, such as the exponential increase in penalties and business associates' responsibility for breach notification, are already in effect, but others will take effect after the final rule is published (sometime this year).

“It is quite a different playground that we are working in,” Greene says, than it was before the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act. Adapting circa-2000 policies to the era of the electronic health record (EHR) and cloud computing presents new opportunities to meet patient-privacy and data-security requirements, but also new challenges, Greene says. At the very least, these changes call for providers to revisit and update their risk-management programs, to reassess which safeguards are reasonable and appropriate under the HIPAA regulations, and to implement new ways of maintaining data integrity and information availability.

A final rule covering the privacy, security, and breach-notification provisions of the HITECH Act—as well as a final rule under the Genetic Information Nondiscrimination Act—will be published simultaneously, sometime this year, to minimize the changes that providers must make to their notices of privacy practices. Based on the Notice of Proposed Rulemaking to Implement HITECH Act Modifications¹ (privacy, security, and breach-notification provisions), health-care providers can anticipate the following changes.
Business associates: The final HITECH rule will provide for direct liability for business associates. Business associates are already liable for breach notification (with penalties of up to $1.5 million annually for violations of an identical provision) and will also be held liable under the privacy and security provisions. While the Office for Civil Rights will give health-care providers ample time to adapt their business-associate agreements—up to one year and 240 days—providers should not delay in adding this task to their planning agenda. “We are going to publish a rule that will become effective 60 days after publication, and then, pursuant to our statute, we provide an additional 180 days for people to come into compliance, and that is where you get the 240 days,” Greene explains. “In our proposed rule, we propose to provide up to a year after that compliance date, so with a year and 240 days, we will give people some opportunity to get their houses in order on that front.”

Greene notes that some have questioned the need for a business-associate agreement now that business associates are directly liable; he suggests that the agreement continues to be an important opportunity to clarify roles. For instance, in the case of breach investigations, when is a breach reported? Does the business associate conduct its own investigation and then report to the covered entity, or does it simply report the breach to the covered entity? In the area of patient access, what are the business associate's roles and responsibilities, especially if someone visits the associate and requests access to his or her records?

Subcontractors: The HITECH rule proposes that subcontractors would have the same liability as business associates. In the past, HIPAA required a chain of contracts stipulating that if business associates share information with a subcontractor, the subcontractor must have the same privacy and security restrictions in place.
This would cement that provision, in that subcontractors would become business associates.

Marketing, sale of patient health information, and fundraising: Under HITECH, the government is expanding what is considered marketing (and would, therefore, require authorization in some cases). Much of this involves activities for which the provider receives remuneration from a third party and that previously would not have been considered health-care operations. If you are receiving money for the service, it becomes marketing. The sale of patient health information has, as a general matter, always been prohibited by HIPAA, but for something permissible—for example, permissible health-care operations or permissible research—there was never a restriction on whether you could also receive remuneration. Under HITECH, there will be additional restrictions on receiving money for what would otherwise have been a permissible use or disclosure. The HITECH Act also calls for additional restrictions on fundraising, with clearer opt-out processes in place.

Electronic patient access: Greene notes that there has always been some level of electronic access under the privacy rule: a patient was entitled to access in the form requested if it could readily be produced. If the requested format could not readily be produced, the default was a hard copy in whatever form the provider's system could produce. HITECH calls for changing that default to some type of electronic format, even if it is not the one specifically requested by the patient. It also clarifies that an individual can direct that an electronic copy go to the individual’s designee. “If the individual wants an electronic copy sent to a caretaker, a son, or a daughter, he or she is entitled to that,” Greene says. The request, however, should be in writing.
Enforcement: The civil monetary penalties for violations have increased dramatically under enforcement by the Office for Civil Rights, but remain the same at the state level. Previously, the maximum penalty per violation was $100, with an annual cap of $25,000 for continuing violations of a single provision. Greene notes that even so, the total bill could be significant, because where there is one violation, there are usually others. “It was possible to have hundreds of thousands of dollars of violations under the old system—which is the system, by the way, that is still in place for state attorneys general,” he explains. With respect to the Office for Civil Rights, the penalties have been ramped up exponentially, increasing from a $100 maximum to a $100 minimum and a $50,000 maximum per violation, depending on the level of culpability. The maximum penalty per year increases from $25,000 to $1.5 million for each provision violated. “If you are a business associate, and you do not have any security program in place, you are probably violating dozens of security provisions and are facing tens of millions of dollars per year in exposure,” Greene warns.

Right to request restrictions: The HITECH Act obligates health-care providers to agree to restrict the release of certain health-care information to insurers if patients pay for a service out of pocket and don’t want the information going to the health plan, and the EHR should be able to support this kind of restriction. “Certainly, you can try a manual process, but presumably, you are going to want to have some sort of process in the EHR that is able to do this electronically,” Greene notes.

Added flexibility: Greene reports that the proposed rule contains added flexibility in the areas of research authorization, disclosure of students’ immunization records to schools, and disclosures to relatives and friends—welcome news for providers.
The proposal would also remove privacy-rule protection from information 50 years after the patient’s death.

Accounting of disclosures: Under the HITECH Act, the exemption for treatment, payment, and health-care operations will be removed. Patients will now be able to request from their providers an accounting of disclosures made for treatment, payment, and operations.

It is possible—and certainly, many health-care providers hold out hope—that the requirements called for in the proposed rule for the HITECH Act’s privacy, security, and breach-notification provisions will be modified to reduce the cost of compliance for already burdened health-care providers. “Congress calls for us to balance the interests of the individual and the administrative burden on covered entities,” Greene says, adding that this is the aim of the proposal. Nonetheless, the importance of developing appropriate policies for privacy, security, and breach notification cannot be overemphasized, in light of the fact that the HITECH Act deputizes state attorneys general to assist in enforcement and to coordinate investigations with the Office for Civil Rights.

Cheryl Proval is editor of