Below are the significant changes to HIPAA contained in the HITECH Act…
New Enforcement Rules
Effective: Applies to penalties issued 24 months after enactment.
Effective: Implementing Regs within 18 months after enactment.
- Mandatory investigations for “willful neglect” cases.
- Mandatory civil penalties for “willful neglect” violations.
- Periodic compliance audits for CE’s and BA’s.
- Fines & penalties paid will go to OCR for increased investigations & enforcement.
- Harmed individuals will get a percent (t.b.d.) of CMP or settlement.
- Recommendations report in 18 months.
- System in place within 3 years.
- In addition to CE’s, individuals now made subject to HIPAA criminal provisions.
- State AG’s can bring civil suits in federal courts on behalf of state residents.
New HIPAA Penalties
Effective: Immediately.
- Increased penalties for violations.
- Penalties calculated on variety of factors.
- Four tiers of penalties, depending on nature of offense…
  - Tier A - Offender didn’t know, and by reasonable diligence would not have known, that he or she violated the law.
    - $100 per violation
    - $25,000 annual maximum total per violator
  - Tier B - Violation due to reasonable cause and not willful neglect.
    - $1,000 per violation
    - $100,000 annual maximum total per violator
  - Tier C - Violation due to willful neglect but was corrected.
    - $10,000 per violation
    - $250,000 annual maximum total per violator
  - Tier D - Violation due to willful neglect and was not corrected.
    - $50,000 per violation
    - $1,500,000 annual maximum total per violator
Breach Notifications to Consumers
Effective: Implementing Regs from HHS due within 6 months after enactment.
Effective: Beginning with breaches 30 days after Regs are published by HHS.
- CE’s, BA’s, and PHR Vendors are subject to breach notification requirements.
- Notify consumers if “unsecured” PHI was accessed, acquired, or disclosed in breach.
- “Unsecured” essentially means “unencrypted” data, including all physical media.
- Notices must be sent “without reasonable delay” – no later than 60 days after breach.
- Minimum content of notifications is specified in the regs.
- Notices sent by 1st class mail – email only if consumer stated a preference for email.
- If 10 or more victims can’t be located, notice on website or in media must be posted.
- Breaches involving > 500 victims: Mandatory, immediate reporting to HHS.
- Breaches involving < 500 victims: Entity keeps log, provides to HHS annually.
- If over 500 victims, HHS will publicly post on Internet.
- PHR breaches get reported to FTC, and FTC in turn notifies HHS.
- Guidance from Sec of HHS within 60 days after enactment.
Business Associates Must Comply with HIPAA Security Rule
Effective: 12 months after enactment.
- BA’s subject to same civil & criminal penalties as CE’s.
- BA’s must comply with Administrative, Technical, and Physical Safeguards.
- BA’s must establish and maintain appropriate policies and procedures.
- BA’s must document all Security Rule compliance activities.
- BA’s must report breaches just like CE’s.
- BA Contracts must be created or amended to include new requirements.
- BA’s are not directly bound by the Privacy Rule, but are restricted from PHI uses and disclosures not in compliance with the BA contract. This represents “de facto” Privacy compliance.
- PHR Vendors and Health Information Exchanges become Business Associates.
Disclosure Accounting Includes TPO Disclosures if EHR Used
Effective: January 01, 2011 and January 01, 2014.
- If EHR used, patient has new Right to accounting of disclosures for TPO.
- Such accounting can go back 3 years from date of request.
- Can charge reasonable fees for accounting, but no greater than direct labor cost.
- HHS must adopt & publish standards within 6 months from enactment.
New Right to Obtain Copies of Electronic Health Records
Effective: 6 months after enactment.
- When CE uses an EHR, individual has Right to an electronic copy of their records.
- Individual can direct CE to send an electronic copy directly to another party or entity.
- Maximum fees are the direct labor costs associated with fulfilling the request.
Expanded Right to Privacy Restrictions
Effective: 12 months after enactment.
- CE’s must agree to individual disclosure restriction requests – previously was optional.
- Some exceptions exist with regard to health plans and payments.
- Much CE confusion, some push-back expected over this.
New Restrictions on Marketing & Fundraising
Effective: 12 months after enactment.
- Definition of “Marketing” clarified.
- Recipients must have clear & conspicuous way to “opt out” of future communications.
- Opt-out must be regarded as “revocation of authorization” to market-to.
- Restrictions apply to communications made after Feb. 17, 2010 (12 months after enactment).
No Selling of PHI
Effective: New Regs from HHS within 6 months after enactment.
Effective: Compliance is 18 months after new Regs from HHS.
- HIPAA previously allowed payment to CE for PHI as long as disclosure was otherwise lawful and permitted by Privacy Rule.
- CE will not be able to receive payment for PHI, even if disclosure is permitted, without an authorization from the patient that includes permission to sell.
- A number of exceptions exist, for research, public health activities, sale or transfer of practice, etc.
Priority for Limited Data Sets and De-identified Data
Effective: 12 months after enactment.
- Limited Data Set (LDS) disclosures are preferred over “minimum necessary” disclosures.
- Provides a simpler, clearer approach to de-identifying data for uses and disclosures not involving treatment or payment.
Clarification of Minimum Necessary Rule
Effective: New Guidance from HHS within 18 months after enactment.
- Aims to clarify definition and practical use of “Minimum Necessary” and LDS’s.
- Scope of PHI requests from one CE to another treating same patient was major concern.
- No CE’s or BA’s held to new standard until new Guidance is issued.