
Title XIII of the American Recovery and Reinvestment Act (ARRA) is specific to healthcare. Called the Health Information Technology for Economic and Clinical Health Act (HITECH), it provides specific funding for investment in Electronic Health Records (EHR). In addition to the promise of money for implementing EHRs, the HITECH law also strengthened or changed many components of HIPAA. Most of the attention so far has been on qualifying for the potential incentive funds to implement electronic health records.
Let’s spend a little time looking at a few of the changes related to HIPAA in the HITECH Act. Some of the changes are pretty well known and well documented; others are a bit more obscure.
The first well-known change related to HIPAA became effective in February 2010. It extended the privacy and security rules to Business Associates, rather than placing the responsibility solely on the covered entity (hospitals, physicians, insurance plans, etc.). If you have not reviewed your Business Associate Agreements recently, now may be a good time to do so. HIMSS offered a good presentation regarding the changes.
Breach notifications must be issued when there is a breach of privacy or security. Individuals must be notified of any compromise of their unsecured PHI no later than 60 days after the breach is discovered. In the event of a breach affecting more than 500 individuals, the covered entity must immediately notify the Secretary of HHS as well as local media outlets. If the breach involves fewer than 500 individuals, the Secretary of HHS must be notified annually, no later than 60 days after the end of the calendar year.
HITECH has also restricted exceptions that entities previously used to circumvent the rules on the use, disclosure, and sale of PHI for various purposes, including marketing. Many entities argued that marketing is part of health care operations and therefore did not require an accounting of disclosures.
HITECH now allows individuals to receive an electronic copy of their health record upon discharge; providers must supply it within 48 hours of discharge for 80% of their patients. The record includes diagnostic test results, problem lists, the discharge summary, discharge instructions, allergies, and procedures. The copy can be delivered on DVD, on a USB drive, or even through an interface to a personal health record (PHR).
The standards for electronic transmission of data have been changed. By December 31, 2010, covered entities should begin internal testing of the Version 5010 & D.0 Transactions and Code Sets Standard Modifications to ensure compliance by January 1, 2012. Version 5010 replaces the current version of the X12 standard for electronic transactions; D.0 replaces the current standard for pharmacy transactions.
One of the more interesting and potentially challenging aspects of the HITECH changes to HIPAA is the right of a patient who pays for treatment as self-pay to have nothing related to that visit, procedure(s), or follow-up sent to their insurance company (pending a final ruling from HHS). AIS Health recently featured a story about a patient at University of Florida Health Sciences Center in Jacksonville. The patient had drug-related heart issues and asked that the visit not be sent to his insurance company. He discovered that preventing communication with insurance companies was not easy, since other vendors and outside physicians were also involved in his care.
The final aspect we will look at is how HIPAA violations will be enforced. In 2010, for the first time, an individual was jailed for a HIPAA violation. Audits and formal investigations of complaints are required under the HITECH Act; previously these were at the discretion of the Secretary of HHS. HIPAA violation penalties can range from a minimum of $100 per violation to an annual maximum of $1.5 million. Rite Aid paid a $1 million fine for HIPAA violations earlier this year. A quick internet search for "HIPAA Violations 2010" yields many results.
Each day there seem to be more news accounts of healthcare workers posting pictures, video, names, etc. on Facebook in violation of HIPAA. It is becoming more and more important to stay vigilant and ensure you are compliant with the changes as they occur.
Peter Miessner