On Feb. 17, 2009, President Obama signed into law the American Recovery and Reinvestment Act of 2009 (commonly referred to as ARRA or the Stimulus Bill) which includes the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Act includes significant changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) that affect otolaryngologists and other health care providers, as well as those who process or work with health care information. Below is a summary of how these new provisions, many of which go into effect this Feb. 17, will affect your practice.
Expansion of Security and Privacy Provisions
The HITECH Act extends the principal privacy and security provisions of HIPAA directly to business associates who have access to individual health information in the course of performing services for covered entities.
A “covered entity” is a health plan, a health care clearinghouse, or a health care provider who transmits health information in electronic form. A “business associate” is a person (other than a member of the covered entity’s workforce) or entity who, on behalf of a covered entity, performs an activity involving the use or disclosure of an individual’s health care information, such as the performance of financial, legal, actuarial, accounting, consulting, data aggregation, management, administrative, or accreditation services to or for a covered entity. A common example of a business associate is a third-party service provider that assists with claims processing or billing.
An example of how this works is that HIPAA permits a physician to disclose a patient’s protected health information (“PHI”) to a third-party service provider in order to allow the service provider to create, receive, maintain, or transmit health information on behalf of the physician, as long as the physician receives written assurance that the service provider has implemented appropriate safeguards to protect the confidentiality of the information. These written assurances are typically in the form of a Business Associate Agreement.
With respect to the security provisions of HIPAA, the HITECH Act includes new requirements for third-party service providers to protect the confidentiality of electronic protected health information (“ePHI”). For example, service providers should develop physical safeguards to limit access to ePHI stored in electronic information systems (i.e., facility or workspace access controls) and develop technical safeguards so that only those persons or software programs that have been granted access rights can access ePHI (i.e., person or entity authentication).
For the privacy rule, the HITECH Act imposes an obligation on both parties to police the compliance of the other party. For example, if a third-party service provider becomes aware of a pattern of activity or practice of the physician that constitutes a material breach of the physician’s obligations under the Business Associate Agreement, the service provider must take reasonable steps to cure the breach. What is a reasonable step will vary with the circumstances and nature of the parties’ relationship. If those steps prove to be unsuccessful in curing the breach, the service provider must either terminate the contract with the physician, if feasible, or report the problem to the Department of Health and Human Services (HHS).
While HIPAA already requires physicians and business associates to enter into a written contract, existing agreements should be reviewed to determine whether they are sufficient under the HITECH Act and should be modified accordingly.
Notification Requirement
The HITECH Act requires covered entities and business associates that access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose unsecured PHI to provide notification upon discovering a breach of unsecured PHI. “Breach” is generally defined as the unauthorized acquisition, access, use, or disclosure of unsecured PHI. “Unsecured PHI” is PHI that is not secured through the use of a technology or methodology that renders PHI “unusable, unreadable, or indecipherable to unauthorized individuals.”
A physician who discovers a breach of unsecured PHI should inform the patient; a service provider that discovers a breach of unsecured PHI should notify the physician. In general, the notice must be provided “without unreasonable delay and in no case later than 60 calendar days after the discovery of the breach.”
Disclosures upon Patient Request
The HITECH Act also requires physicians to comply with patient requests to restrict the disclosure of any PHI that pertains to a health care item or service paid out of pocket in full, under certain circumstances.
Accounting of Electronic PHI
In general, HIPAA provides the patient with the right to receive an accounting of any disclosures of his or her PHI. As such, HIPAA requires business associates to make information available to the physician to enable the physician to provide this accounting of disclosures to the patient. Under the HITECH Act, the physician must provide an accounting of the disclosures of PHI made by the physician and either an accounting of the disclosures made by service providers acting on behalf of the physician or a list of all service providers acting on the physician’s behalf, along with their contact information.
Prohibition on the Sale of PHI
The HITECH Act generally prohibits physicians and service providers from receiving remuneration in exchange for a patient’s PHI, unless the physician obtains a valid authorization from the patient. This prohibition is subject to exceptions, however, when the purpose of the exchange is for research, treatment of an individual, payment from a physician to a third-party service provider for activities involving the exchange of PHI, or other reasons determined by HHS.
Penalties and Enforcement
The HITECH Act expands enforcement activities and penalties for violations of the law. In the event of noncompliance, the violating party may be subject to civil monetary penalties ranging from $100 to $1.5 million per violation, depending on the amount of neglect and intent involved.
In addition, the HITECH Act permits a state attorney general to initiate a civil lawsuit if there is reason to believe that a state resident’s interest has been or is threatened or adversely affected by a violation of the HITECH Act.
In such situations, courts are permitted to enjoin the violation or obtain monetary damages up to $25,000 plus court costs and attorneys’ fees.
The consequences of noncompliance are too severe to ignore. Be sure to contact a health law attorney who can assist in creating—or amending—a Business Associate Agreement that complies with the new requirements imposed by the HITECH Act. ENTtoday
Steven M. Harris, Esq., is a nationally recognized health care attorney and a member of the law firm McDonald Hopkins, LLC. Steve may be reached at sharris@mcdonaldhopkins.com
TOP IMAGE SOURCE: SPXCHROME, ALXPIN/ISTOCK.COM