Below are the significant changes to HIPAA contained in the HITECH Act…

New Enforcement Rules

Effective: Applies to penalties issued 24 months after enactment.
Effective: Implementing Regs within 18 months after enactment.

  • Mandatory investigations for “willful neglect” cases.
  • Mandatory civil penalties for “willful neglect” violations.
  • Periodic compliance audits for CEs and BAs.
  • Fines & penalties paid will go to OCR for increased investigations & enforcement.
  • Harmed individuals will get a percentage (t.b.d.) of the CMP or settlement.
  • Recommendations report in 18 months.
  • System in place within 3 years.
  • In addition to CEs, individuals are now made subject to HIPAA criminal provisions.
  • State AGs can bring civil suits in federal courts on behalf of state residents.


New HIPAA Penalties
Effective: Immediately.

  • Increased penalties for violations.
  • Penalties calculated on variety of factors.
  • Four tiers of penalties, depending on nature of offense…
    • Tier A - Offender didn’t know, and by reasonable diligence would not have known, that he or she violated the law.
      • $100 per violation
      • $25,000 annual maximum total per violator
    • Tier B - Violation due to reasonable cause and not willful neglect.
      • $1,000 per violation
      • $100,000 annual maximum total per violator
    • Tier C - Violation due to willful neglect but was corrected.
      • $10,000 per violation
      • $250,000 annual maximum total per violator
    • Tier D - Violation due to willful neglect and was not corrected.
      • $50,000 per violation
      • $1,500,000 annual maximum total per violator


Breach Notifications to Consumers
Effective: Implementing Regs from HHS due within 6 months after enactment.
Effective: Beginning with breaches 30 days after Regs are published by HHS.

  • CEs, BAs, and PHR Vendors are subject to breach notification requirements.
  • Notify consumers if “unsecured” PHI was accessed, acquired, or disclosed in breach.
  • “Unsecured” essentially means “unencrypted” data, including all physical media.
  • Notices must be sent “without unreasonable delay” – no later than 60 days after breach.
  • Minimum content of notifications is specified in the regs.
  • Notices sent by first-class mail – email only if consumer stated a preference for email.
  • If 10 or more victims can’t be located, notice on website or in media must be posted.
  • Breaches involving > 500 victims: Mandatory, immediate reporting to HHS.
  • Breaches involving < 500 victims: Entity keeps a log and provides it to HHS annually.
  • If over 500 victims, HHS will publicly post on Internet.
  • PHR breaches get reported to FTC, and FTC in turn notifies HHS.
  • Guidance from Sec of HHS within 60 days after enactment.


Business Associates Must Comply with HIPAA Security Rule
Effective: 12 months after enactment.

  • BAs subject to same civil & criminal penalties as CEs.
  • BAs must comply with Administrative, Technical, and Physical Safeguards.
  • BAs must establish and maintain appropriate policies and procedures.
  • BAs must document all Security Rule compliance activities.
  • BAs must report breaches just like CEs.
  • BA Contracts must be created or amended to include new requirements.
  • BAs are not required to comply with the Privacy Rule directly, but are restricted from PHI uses and disclosures not in compliance with the BA contract. This represents “de facto” Privacy Rule compliance.
  • PHR Vendors and Health Information Exchanges become Business Associates.


Disclosure Accounting Includes TPO Disclosures if EHR Used

Effective: January 01, 2011 and January 01, 2014.

  • If EHR used, patient has new Right to accounting of disclosures for TPO.
  • Such accounting can go back 3 years from date of request.
  • Can charge reasonable fees for accounting, but no greater than direct labor cost.
  • HHS must adopt & publish standards within 6 months from enactment.


New Right to Obtain Copies of Electronic Health Records

Effective: 6 months after enactment.

  • When CE uses an EHR, individual has Right to an electronic copy of their records.
  • Individual can direct CE to send an electronic copy directly to another party or entity.
  • Maximum fees are the direct labor costs associated with fulfilling the request.


Expanded Right to Privacy Restrictions
Effective: 12 months after enactment.

  • CEs must agree to individual disclosure restriction requests – previously this was optional.
  • Some exceptions exist with regard to health plans and payments.
  • Much CE confusion and some push-back are expected over this.


New Restrictions on Marketing & Fundraising
Effective: 12 months after enactment.

  • Definition of “Marketing” clarified.
  • Recipients must have clear & conspicuous way to “opt out” of future communications.
  • Opt-out must be regarded as “revocation of authorization” to market to the recipient.
  • Restrictions apply to communications made after Feb. 17, 2010 (12 months after enactment).


No Selling of PHI
Effective: New Regs from HHS within 6 months after enactment.
Effective: Compliance is 18 months after new Regs from HHS.

  • HIPAA previously allowed payment to CE for PHI as long as disclosure was otherwise lawful and permitted by Privacy Rule.
  • CE will not be able to receive payment for PHI, even if disclosure is permitted, without an authorization from the patient that includes permission to sell.
  • A number of exceptions exist, for research, public health activities, sale or transfer of practice, etc.


Priority for Limited Data Sets and De-identified Data
Effective: 12 months after enactment.

  • Limited Data Set (LDS) disclosures are preferred over “minimum necessary” disclosures.
  • Provides a simpler, clearer approach to de-identifying data for uses and disclosures not involving treatment or payment.


Clarification of Minimum Necessary Rule
Effective: New Guidance from HHS within 18 months after enactment.

  • Aims to clarify definition and practical use of “Minimum Necessary” and LDSs.
  • Scope of PHI requests from one CE to another treating the same patient was a major concern.
  • No CEs or BAs held to new standard until new Guidance is issued.