<?xml version="1.0" encoding="UTF-8"?> <rss
version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
><channel><title>CIPP Guide &#187; Healthcare</title> <atom:link href="http://www.cippguide.org/tag/healthcare/feed/" rel="self" type="application/rss+xml" /><link>https://www.cippguide.org</link> <description>Your Guide to the CIPP</description> <lastBuildDate>Sat, 11 Feb 2012 07:47:27 +0000</lastBuildDate> <language>en</language> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <generator>http://wordpress.org/?v=3.3.1</generator> <item><title>ARRA 2009: Privacy &amp; Security Changes – Part III</title><link>https://www.cippguide.org/2012/02/09/arra-2009-privacy-security-changes-part-iii/</link> <comments>https://www.cippguide.org/2012/02/09/arra-2009-privacy-security-changes-part-iii/#comments</comments> <pubDate>Thu, 09 Feb 2012 12:00:48 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[Privacy]]></category> <category><![CDATA[ARRA]]></category> <category><![CDATA[breach notification]]></category> <category><![CDATA[electronic health records]]></category> <category><![CDATA[FTC]]></category> <category><![CDATA[Healthcare]]></category> <category><![CDATA[HHS]]></category> <category><![CDATA[HIPAA]]></category><guid
isPermaLink="false">https://www.cippguide.org/?p=2819</guid> <description><![CDATA[This article takes a look at the American Recovery and Reinvestment Act (ARRA) of 2009, which resulted in some significant changes to privacy and security regulations which were outlined in the Health Insurance Portability and Accountability Act (HIPAA) as well as the Health Information Technology for Economic and Clinical Health (HITECH) Act. The ARRA imposes substantial modifications in four main areas: 1) HIPAA statutory requirements; 2) Increased enforcement of HIPAA; 3) Provisions to address health information held by entities not covered by HIPAA; and 4) Other changes including administrative changes, studies, reports and educational initiatives. This article takes a look at the provisions for entities that are not currently covered by HIPAA, as well as other miscellaneous changes made by the [...]]]></description> <content:encoded><![CDATA[<p>The <a
href="http://ecommons.med.harvard.edu/ec_res/nt/A3B4A28D-987B-4271-B003-5A877B4F4E38/arrabookmarks.pdf">American Recovery and Reinvestment Act</a> (ARRA) of 2009 was a $787 billion economic stimulus package enacted into law on February 17, 2009.  The ARRA amended and created some new privacy regulations for health care organizations. It also included provisions for greater enforcement of the Health Insurance Portability and Accountability Act (<a
href="http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act">HIPAA</a>) and significant penalties for privacy and security violations. This article explores the provisions for entities not covered by HIPAA, and the other changes made by the ARRA.</p><p><strong>Four Main Areas of Change</strong></p><p>Certain aspects of the ARRA significantly change the type and level of privacy and security requirements that healthcare providers must follow. The ARRA imposes substantial modifications in the following four areas:</p><ol><li><a
href="http://www.cippguide.org/tag/hipaa/">HIPAA</a> (Health Insurance Portability and Accountability Act) statutory requirements</li><li>Increased enforcement of HIPAA</li><li>Provisions to address health information held by entities not covered by HIPAA</li><li>Other changes including administrative changes, studies, reports and educational initiatives</li></ol><p>The modifications in each of these four areas are discussed in separate articles in this series. This article focuses on the provisions for entities not covered by HIPAA and on the other changes.</p><p><strong>Breach Notification</strong></p><p>As discussed in an earlier article in this series, the ARRA establishes new breach notification requirements. A parallel set of requirements, enforced by the FTC rather than HHS, is extended to vendors of personal health records and to related entities that are not covered by HIPAA. This means that breach notification requirements now also apply to the following entities:</p><ul><li>Vendors of personal health records, and those that offer products or services through the website of such a vendor.</li><li>Those that are not themselves HIPAA-covered entities, but that offer products or services through the websites of covered entities that offer personal health records.</li><li>Those that are not themselves HIPAA-covered, but that access information in, or send information to, a personal health record.</li></ul><p><strong>HHS &amp; FTC Study</strong></p><p>The ARRA also commissions the <a
href="https://www.cippguide.org/tag/hhs/">Department of Health and Human Services</a> (HHS), in consultation with the <a
href="http://www.cippguide.org/tag/ftc/">Federal Trade Commission</a> (FTC), to conduct a study and produce a report to Congress on privacy and security requirements for entities that are neither covered entities nor business associates under HIPAA. The study must address:</p><ul><li>Requirements relating to breach notification for the entities subject to the FTC’s new breach notification authority.</li><li>Which federal agency is best placed to enforce the recommended privacy and security protections.</li><li>A workable timeframe for implementing regulations based on the findings.</li></ul><p><strong>Administrative Changes</strong></p><p>ARRA gave statutory footing to the <a
href="http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs_gov__home/1204">Office of the National Coordinator</a> (ONC) for Health IT (HIT), which had previously existed only under a 2004 executive order. It also created a new advisory committee structure, with a new HIT Policy Committee and a new HIT Standards Committee, both of which are governed by the <a
href="http://en.wikipedia.org/wiki/Federal_Advisory_Committee_Act">Federal Advisory Committee Act</a> (FACA).</p><p>The HIT Policy Committee is required to make recommendations regarding technologies that protect privacy and promote security in an electronic health record. This includes those that allow for the segregation of sensitive health information and the use of limited data sets.</p><p>ARRA also creates a position of Chief Privacy Officer (CPO) within the ONC framework. This individual is responsible for advising the National Coordinator on privacy, security and data stewardship of electronic health information. However, the CPO is not responsible for HIPAA oversight.</p><p><strong>Studies, Reports &amp; Educational Initiatives</strong></p><p>The ARRA commissions a number of studies and reports from the <a
href="http://www.gao.gov/">Government Accountability Office</a> (GAO), HHS and FTC. The ARRA also directs the HHS to develop and maintain a thorough national education initiative with the objective of enhancing public transparency regarding the uses of protected health information.</p><p><strong>Summary</strong></p><p>This article takes a look at the American Recovery and Reinvestment Act (ARRA) of 2009, which resulted in some significant changes to privacy and security regulations which were outlined in the Health Insurance Portability and Accountability Act (HIPAA) as well as the Health Information Technology for Economic and Clinical Health (HITECH) Act. The ARRA imposes substantial modifications in four main areas: 1) <a
href="http://www.cippguide.org/tag/hipaa/">HIPAA</a> statutory requirements; 2) Increased enforcement of HIPAA; 3) Provisions to address health information held by entities not covered by HIPAA; and 4) Other changes including administrative changes, studies, reports and educational initiatives. This article takes a look at the provisions for entities that are not currently covered by HIPAA, as well as other miscellaneous changes made by the ARRA.</p><p><strong>CIPP Exam Preparation</strong></p><p>In preparation for the Certified Information Privacy Professional (CIPP) exam, a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Amendments under the American Recovery &amp; Reinvestment Act of 2009 (I.B.a.i.3.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2012/02/09/arra-2009-privacy-security-changes-part-iii/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>ARRA 2009: Privacy &amp; Security Changes – Part II</title><link>https://www.cippguide.org/2012/02/02/arra-2009-privacy-security-changes-part-ii/</link> <comments>https://www.cippguide.org/2012/02/02/arra-2009-privacy-security-changes-part-ii/#comments</comments> <pubDate>Thu, 02 Feb 2012 12:00:03 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[Privacy]]></category> <category><![CDATA[ARRA]]></category> <category><![CDATA[electronic health records]]></category> <category><![CDATA[Healthcare]]></category> <category><![CDATA[HHS]]></category> <category><![CDATA[HIPAA]]></category> <category><![CDATA[personal health records]]></category> <category><![CDATA[Privacy Rule]]></category> <category><![CDATA[Security Rule]]></category><guid
isPermaLink="false">https://www.cippguide.org/?p=2817</guid> <description><![CDATA[This article takes a look at the American Recovery and Reinvestment Act (ARRA) of 2009, which created some significant changes to privacy and security regulations which were outlined in the Health Insurance Portability and Accountability Act (HIPAA) as well as the Health Information Technology for Economic and Clinical Health (HITECH) Act. The ARRA imposes substantial modifications in four main areas: 1) HIPAA statutory requirements; 2) Increased enforcement of HIPAA; 3) Provisions to address health information held by entities not covered by HIPAA; and 4) Other changes including administrative changes, studies, reports and educational initiatives. This article takes a look at the modifications the ARRA made to HIPAA [...]]]></description> <content:encoded><![CDATA[<p>The <a
href="http://ecommons.med.harvard.edu/ec_res/nt/A3B4A28D-987B-4271-B003-5A877B4F4E38/arrabookmarks.pdf">American Recovery and Reinvestment Act</a> (ARRA) of 2009 was a $787 billion economic stimulus package enacted into law on February 17, 2009. The ARRA amended and created some new privacy regulations for health care organizations. It also included provisions for greater enforcement of HIPAA and significant penalties for privacy and security violations. This article explores the new and updated enforcement requirements.</p><p><strong>Four Main Areas of Change</strong></p><p>Certain aspects of the ARRA significantly change the type and level of privacy and security requirements that healthcare providers must follow. The ARRA imposes substantial modifications in the following four areas:</p><ol><li><a
href="http://www.cippguide.org/tag/hipaa/">HIPAA</a> (Health Insurance Portability and Accountability Act) statutory requirements</li><li>Increased enforcement of HIPAA</li><li>Provisions to address health information held by entities not covered by HIPAA</li><li>Other changes including administrative changes, studies, reports and educational initiatives</li></ol><p>The modifications in each of these four areas are discussed in separate articles in this series. This article focuses on the ARRA’s changes to HIPAA enforcement policy and procedure.</p><p><strong>Direct Accountability</strong></p><p>The ARRA amends the original legislation so that business associates are directly accountable to federal and state authorities for failure to comply with any applicable provisions of the HIPAA <a
href="https://www.cippguide.org/tag/privacy-rule/">Privacy</a> and <a
href="https://www.cippguide.org/tag/security-rule/">Security Rules</a>. Under the original Act, government authorities could not hold business associates accountable for failing to comply with their agreements; only covered entities could be held liable, and only in limited circumstances, for the actions of their business associates.</p><p><strong>Criminal Penalties</strong></p><p>ARRA clarifies that HIPAA’s criminal penalties can be enforced against individuals, including but not limited to employees of a covered entity. This provision effectively overrules a 2005 Department of Justice Office of Legal Counsel opinion, issued during the Bush Administration, which concluded that only covered entities could be criminally prosecuted for violations of HIPAA.</p><p>ARRA also clarifies that <a
href="https://www.cippguide.org/tag/hhs/">Health and Human Services</a> (HHS) and state attorneys general can pursue a civil HIPAA violation in cases where criminal penalties could be imposed but the Department of Justice declines to prosecute. The Secretary is required to formally investigate any complaint where a preliminary investigation of the facts indicates a possible violation due to willful neglect, and must impose a civil monetary penalty if a violation is found to constitute willful neglect. The <a
href="http://www.gao.gov/">Government Accountability Office</a> (GAO) is to recommend, and the Secretary to establish by regulation, a methodology under which individuals harmed by HIPAA violations receive a percentage of any civil monetary penalty or settlement collected.</p><p>There is also a new tiered civil penalty structure, based on the violator’s level of culpability (from lack of knowledge up to uncorrected willful neglect), with penalties of up to $50,000 per violation and an annual cap of $1.5 million for violations of an identical provision.</p><p><strong>Enforcement by State Attorneys General &amp; Secretary Auditing</strong></p><p>A number of states authorize their attorneys general to enforce federal consumer protection laws, which include HIPAA. ARRA expressly authorizes all state attorneys general to bring civil actions to enforce HIPAA in federal district court, so attorneys general in every state can enforce the law even where no state authorizing statute exists. Damages in such actions are limited to the former statutory amounts under HIPAA: $100 per violation, up to $25,000 per calendar year for violations of an identical provision.</p><p>The Secretary has the right to intervene in any such state action. The ARRA also requires the Secretary to perform periodic audits of covered entities and business associates to ensure compliance with the new provisions.</p><p><strong>Summary</strong></p><p>This article takes a look at the American Recovery and Reinvestment Act (ARRA) of 2009, which created some significant changes to privacy and security regulations which were outlined in the Health Insurance Portability and Accountability Act (HIPAA) as well as the Health Information Technology for Economic and Clinical Health (HITECH) Act. The ARRA imposes substantial modifications in four main areas: 1) <a
href="http://www.cippguide.org/tag/hipaa/">HIPAA</a> statutory requirements; 2) Increased enforcement of HIPAA; 3) Provisions to address health information held by entities not covered by HIPAA; and 4) Other changes including administrative changes, studies, reports and educational initiatives. This article takes a look at the modifications the ARRA made to HIPAA enforcement.</p><p><strong>CIPP Exam Preparation</strong></p><p>In preparation for the Certified Information Privacy Professional (CIPP) exam, a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Amendments under the American Recovery &amp; Reinvestment Act of 2009 (I.B.a.i.3.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2012/02/02/arra-2009-privacy-security-changes-part-ii/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>ARRA 2009: Privacy &amp; Security Changes – Part I</title><link>https://www.cippguide.org/2012/01/26/arra-2009-privacy-security-changes-part-i/</link> <comments>https://www.cippguide.org/2012/01/26/arra-2009-privacy-security-changes-part-i/#comments</comments> <pubDate>Thu, 26 Jan 2012 12:00:28 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[Privacy]]></category> <category><![CDATA[access]]></category> <category><![CDATA[ARRA]]></category> <category><![CDATA[electronic health records]]></category> <category><![CDATA[Healthcare]]></category> <category><![CDATA[opt-out]]></category> <category><![CDATA[personal health records]]></category> <category><![CDATA[Privacy Rule]]></category> <category><![CDATA[Security Rule]]></category><guid
isPermaLink="false">https://www.cippguide.org/?p=2814</guid> <description><![CDATA[This article takes a look at the American Recovery and Reinvestment Act (ARRA) of 2009, which created some significant changes to privacy and security regulations which were outlined in the Health Insurance Portability and Accountability Act (HIPAA) as well as the Health Information Technology for Economic and Clinical Health (HITECH) Act. The ARRA imposes substantial modifications in four main areas: 1) HIPAA statutory requirements; 2) Increased enforcement of HIPAA; 3) Provisions to address health information held by entities not covered by HIPAA; and 4) Other changes including administrative changes, studies, reports and educational initiatives. This article takes a look at the modifications the ARRA made to HIPAA statutory requirements around privacy and [...]]]></description> <content:encoded><![CDATA[<p>The <a
href="http://ecommons.med.harvard.edu/ec_res/nt/A3B4A28D-987B-4271-B003-5A877B4F4E38/arrabookmarks.pdf">American Recovery and Reinvestment Act</a> (ARRA) of 2009 was an economic stimulus package enacted into law on February 17, 2009.  For our purposes here, the ARRA amended and created some new privacy regulations for health care organizations.</p><p>According to the commentary in President Obama’s <a
href="http://en.wikipedia.org/wiki/2010_United_States_federal_budget">Budget for Fiscal Year 2010</a>:</p><p>“These incentives, coupled with other activities authorized in… [ARRA], are expected to result in a dramatic increase in the percentage of health care providers using health IT within five years. Computerized health records – while protecting the privacy and security of personal health information – is expected to facilitate improvements in the quality of health care, prevention of unnecessary health care spending, and a reduction in medical errors.”</p><p>Provisions on privacy and security were found in ARRA’s Title XIII, Subtitle D and certain parts of Subtitle A. The ARRA provisions were generally effective as of February 17, 2010, but a more specific implementation timeline is available <a
href="http://geekdoctor.blogspot.com/2009/03/timeline-for-arra-privacy-provisions.html">here</a>.</p><p><strong>Four Main Areas of Change</strong></p><p>Certain aspects of the ARRA significantly change the type and level of privacy and security requirements that healthcare providers must follow. The ARRA imposes substantial modifications in the following four areas:</p><ol><li><a
href="http://www.cippguide.org/tag/hipaa/">HIPAA</a> (Health Insurance Portability and Accountability Act) statutory requirements</li><li>Increased enforcement of HIPAA</li><li>Provisions to address health information held by entities not covered by HIPAA</li><li>Other changes including administrative changes, studies, reports and educational initiatives</li></ol><p>The modifications in each of these four areas are discussed in separate articles in this series. This article focuses on the ARRA’s changes to HIPAA statutory requirements.</p><p><strong>Business Associates &amp; Compliance</strong></p><p>Prior to the enactment of the ARRA, HIPAA required that covered entities (e.g. hospitals, physicians and health plans) enter into contracts (called “business associate agreements”) with entities performing functions or providing services on their behalf, where those functions/services involved the exchange of health information. The business associate agreements required the business associates to use appropriate security safeguards to protect health information they received and were responsible for. It is important to note that before the enactment of the ARRA, business associates were not directly subject to governmental enforcement action; covered entities would have to sue them for breach of contract.</p><p>The ARRA requires business associates to comply directly with most of the provisions of the <a
href="https://www.cippguide.org/tag/security-rule/">HIPAA Security Rule</a>. Business associates must also comply with <a
href="https://www.cippguide.org/tag/privacy-rule/">Privacy Rule</a> provisions that are made applicable to them by their contracts with covered entities, and with the new Privacy Rule requirements introduced by the ARRA itself, whether or not their existing contracts mention those requirements; the ARRA also requires that the new requirements be incorporated into business associate agreements.</p><p><strong>Data Breaches</strong></p><p>Originally, HIPAA did not require covered entities to notify affected individuals of breaches of their <a
href="https://www.cippguide.org/tag/phi/">protected health information</a>. Now, the ARRA requires that individuals be notified if their unsecured protected health information has been breached. “Unsecured” means the information was not rendered unusable, unreadable or indecipherable to unauthorized persons through a technology or methodology specified in HHS guidance; in practice, encryption or destruction in line with that guidance takes a lost or stolen record outside the notification requirement, which is a strong practical reason to encrypt health data at rest and in transit. Where work is outsourced, a business associate must notify the covered entity of any breach it discovers, and the covered entity must then notify the individuals concerned.</p><p><strong>Restricting Disclosures</strong></p><p>ARRA requires covered entities (and their business associates) to honor an individual’s request to restrict disclosure of protected health information to a health plan for purposes of payment or health care operations, if the information pertains solely to a health care item or service that the individual has paid for in full out of pocket.</p><p><strong>“Minimum necessary” Amounts</strong></p><p>The Privacy Rule provides that only the minimum necessary amount of protected health information should be accessed, used or disclosed (except for treatment and certain other specific circumstances). The ARRA requires the Secretary to issue guidance on what “minimum necessary” means; until that guidance is issued, a covered entity is treated as meeting the standard if, to the extent practicable, it limits use or disclosure to a limited data set. A limited data set is stripped of a number of categories of direct patient identifiers (such as names, street addresses, phone numbers, Social Security numbers, medical record numbers and full-face images, but not dates or city, state and zip code) and can be used pursuant to a data use agreement for research, public health and health care operations purposes.</p><p><strong>Accounting of Disclosures of Protected Health Information</strong></p><p>The Privacy Rule initially required covered entities to provide, upon request, an accounting of disclosures of protected health information made from the individual’s medical record during the previous six years. However, a number of disclosures were exempted from this requirement, including disclosures for treatment, payment and health care operations. The ARRA removes that exemption for covered entities using electronic health records: disclosures made through an EHR for treatment, payment and health care operations must now be accounted for. 
However, the accounting of such disclosures only needs to cover the previous three years, rather than six.</p><p><strong>No “Sale” of Protected Health Information</strong></p><p>ARRA prohibits direct or indirect remuneration in exchange for an individual’s protected health information without the individual’s authorization. The authorization must also specify whether the information can be further exchanged for remuneration by the entity that receives it. There are, of course, <a
href="http://healthlawoffices.com/blog/?p=43">exceptions</a> to this provision.</p><p><strong>Right of Access</strong></p><p>The HIPAA Privacy Rule has always protected individuals’ right to access and obtain a copy of their health records, normally within thirty days of the request. The ARRA requires covered entities that use electronic health records to provide, on request, an electronic copy of the record and, if the individual so directs, to transmit it directly to an entity or person the individual designates. Any fee charged may not exceed the covered entity’s labor cost of responding to the request.</p><p><strong>Marketing Communications</strong></p><p>ARRA tightens the restrictions on the use of protected health information for marketing. If a covered entity is paid by an outside entity to send a communication to a patient, the communication is treated as “marketing” and requires the patient’s prior authorization.</p><p>There are some exceptions. For instance, protected health information may be used without authorization for communications that describe a drug or biologic currently prescribed or administered to the individual, as long as any payment received by the covered entity is reasonable in amount (as defined by the Secretary). Communications for which the patient has given authorization may also be sponsored by outside entities.</p><p><strong>Opting Out of Fundraising</strong></p><p>Previously, covered entities were able to use an individual’s demographic information and the dates on which they received health care to send fundraising communications without pre-authorization from the individual. 
The ARRA now requires the Secretary to issue a rule under which any such communication must give the individual a clear and conspicuous opportunity to opt out of receiving further fundraising communications.</p><p><strong>Summary</strong></p><p>This article takes a look at the American Recovery and Reinvestment Act (ARRA) of 2009, which created some significant changes to privacy and security regulations which were outlined in the Health Insurance Portability and Accountability Act (HIPAA) as well as the Health Information Technology for Economic and Clinical Health (HITECH) Act. The ARRA imposes substantial modifications in four main areas: 1) <a
href="http://www.cippguide.org/tag/hipaa/">HIPAA</a> statutory requirements; 2) Increased enforcement of HIPAA; 3) Provisions to address health information held by entities not covered by HIPAA; and 4) Other changes including administrative changes, studies, reports and educational initiatives. This article takes a look at the modifications the ARRA made to HIPAA statutory requirements around privacy and security.</p><p><strong>CIPP Exam Preparation</strong></p><p>In preparation for the Certified Information Privacy Professional (CIPP) exam, a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Amendments under the American Recovery &amp; Reinvestment Act of 2009 (I.B.a.i.3.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2012/01/26/arra-2009-privacy-security-changes-part-i/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Data Breaches Cost US Hospitals $6 Billion Annually</title><link>https://www.cippguide.org/2011/03/15/data-breaches-cost-us-hospitals-6-billion-annually/</link> <comments>https://www.cippguide.org/2011/03/15/data-breaches-cost-us-hospitals-6-billion-annually/#comments</comments> <pubDate>Tue, 15 Mar 2011 12:00:46 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[Privacy]]></category> <category><![CDATA[Department of Health and Human Services]]></category> <category><![CDATA[ehr]]></category> <category><![CDATA[electronic health records]]></category> <category><![CDATA[Healthcare]]></category> <category><![CDATA[HHS]]></category> <category><![CDATA[HIPAA]]></category> <category><![CDATA[HITECH]]></category><guid
isPermaLink="false">https://www.cippguide.org/?p=2454</guid> <description><![CDATA[This article takes a look at the 2010 Benchmark Study on Patient Privacy and Data Security, conducted by the Ponemon Institute. The study revealed that data breaches were costing hospitals across the US up to $6 billion each year. Breaches of patient information are largely undetected by the organization, due to lack of priority, resources, preparation and staffing for privacy and security [...]]]></description> <content:encoded><![CDATA[<p>A recently-released report revealed that many <a
href="https://www.cippguide.org/tag/healthcare/">health care organizations</a> in the United States experience undetected data breaches, which cost up to $1 million per organization per year, or about $6 billion annually. The failure of organizations to prevent or detect patient data breaches may result in medical identity theft, financial identity theft and unintentional disclosure of medical facts.</p><h2>In Brief</h2><p>The report, entitled the <a
href="http://www2.idexpertscorp.com/resources/healthcare/healthcare-articles-whitepapers/ponemon-benchmark-study-on-patient-data-security-practices/?utm_source=Ponemon%2BRedirect&amp;utm_medium=Online&amp;utm_campaign=Ponemon%2BRedirect/"><em>Benchmark Study on Patient Privacy and Data Security</em></a>, was published by the <a
href="http://www.ponemon.org/index.php">Ponemon Institute</a> and <a
href="http://www2.idexpertscorp.com/">ID Experts</a> in November 2010. The study was based on findings from 65 health care organizations (mainly hospitals) and included an examination of each organization’s privacy and data protection compliance activities; policies; program management activities; security technologies; security governance practices; and compliance with the mandates of the HITECH Act of 2009.</p><p>The major findings of the report are briefly outlined below:</p><ul><li>Data breaches cost the US health care system billions of dollars each year. The study found that the economic impact of data breach incidents amounted to over $2 million per organization over a two-year period.</li><li>The majority of health care organizations have undetected patient data breaches. Organizations participating in the study reported inadequate resources (71%), too few appropriately trained personnel (52%) and insufficient policies and procedures (69%) to quickly and effectively prevent or detect patient data loss; breaches went undetected largely because of this lack of preparation and staffing.</li><li>Patient data protection is not a priority in health care organizations. 70% of hospitals participating in the study responded that protecting patient data was not one of their top priorities, and 67% had fewer than two staff members dedicated to data protection management. In 41% of cases a patient, rather than the organization, was the first to detect the breach, meaning sensitive data had been exposed without the organization’s knowledge until the individual noticed.</li><li>Despite recently-enacted federal regulations, the security of patient records has not improved. Acts supporting the privacy and security of medical information, such as the HITECH Act of 2009 and the <a
href="https://www.cippguide.org/tag/hipaa/">HIPAA of 1996</a> have not resulted in stronger safeguards for patient data. According to the study, 71% of respondents did not believe that these federal regulations have sufficiently improved the management of patient records.</li></ul><h2>What is the HITECH Act?</h2><p>The <a
href="http://en.wikipedia.org/wiki/HITECH_ACT#HITECH_Act:_Privacy_Requirements">Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009</a> was enacted as part of the <a
href="http://en.wikipedia.org/wiki/American_Recovery_and_Reinvestment_Act_of_2009">American Recovery and Reinvestment Act of 2009</a>. It was designed to promote the adoption of health information technology and to address privacy and security concerns regarding the electronic storage and transmission of health information. Under the HITECH Act, starting in 2011, a physician is eligible to receive up to $44,000 in Medicare incentive payments over five years for “<a
href="http://www.athenahealth.com/_doc/pdf/athenahealth_Meaningful_Use_Client_Advisory.pdf">meaningful use</a>” of an electronic health record (EHR).</p><p>The HITECH Act also extended the <a
href="http://www.ihs.gov/NonMedicalPrograms/BusinessOffice/documents/2010pres/FIOAhandoutI.pdf">Privacy and Security Provisions of the HIPAA</a> directly to business associates of covered entities, including exposure to HIPAA’s civil and criminal penalties. The Act imposes new breach notification requirements on the following entities:</p><ul><li>Covered entities</li><li>Business associates</li><li>Vendors of personal health records</li><li>Related entities</li></ul><p>Finally, the HITECH Act changes the rules on accounting for disclosures of a patient’s health information: where a health care provider uses an EHR, disclosures for treatment, payment and health care operations must be included in the accounting provided to the patient on request.</p><h2>Moving to EHR</h2><p>The majority of respondents in the Ponemon study believed that making the switch to <a
href="http://en.wikipedia.org/wiki/Electronic_health_record">electronic health records (EHR)</a> would make patient data more secure. EHRs are longitudinal electronic records of patients’ health information. They are both generated and maintained within a health care institution, such as a hospital, <a
href="http://www.glgroup.com/Dictionary/HC-Integrated-Delivery-Network-(IDN).html">integrated delivery network</a>, clinic or physician’s office.</p><p>Such records would include:</p><ul><li>Progress notes</li><li>Patient’s demographics</li><li>Past medical history</li><li>Immunizations</li><li>Health Problems</li><li>Medications</li><li>Vital signs</li><li>Laboratory data</li><li>Radiology reports</li></ul><p>Proponents argue that implementation of EHR processes and systems will help to provide additional functionality (e.g. interactive alerts, interactive flow sheets, tailored order sets), which may not be possible with traditional, paper-based systems. Other major benefits of EHRs include:</p><ul><li>Reduction in medical error</li><li>Improved accuracy/clarity of records</li><li>Increased availability of health information</li><li>Reduced delays in treatment times</li><li>Less duplication of tests</li><li>Better-informed patients</li></ul><p>According to a <a
href="http://www.physorg.com/news/2011-01-benefit-electronic-health.html">recent study</a> conducted by researchers at the Stanford University School of Medicine, EHRs did little to improve the quality of health care. This was based on data from almost 250,000 patient visits, between 2005 and 2007. Although the federal government’s <a
href="http://en.wikipedia.org/wiki/American_Recovery_and_Reinvestment_Act_of_2009">American Recovery and Reinvestment Act of 2009</a> allotted $19.2 billion for health information technology, specifically for the adoption of EHRs, there has not yet been evidence of a positive impact.</p><h3>Summary</h3><p>This article takes a look at the 2010 Benchmark Study on Patient Privacy and Data Security, conducted by the Ponemon Institute. The study revealed that data breaches were costing hospitals across the US up to $6 billion each year. Breaches of patient information are largely undetected by the organization, due to lack of priority, resources, preparation and staffing for privacy and security management. The article then examines the HITECH Act (the Health Information Technology for Economic and Clinical Health Act), passed in 2009 to strengthen privacy and security safeguards for health information. One contentious issue is the adoption of electronic health records (EHRs). Although the federal government has created economic incentives for the implementation of EHR systems, researchers have found them ineffective at improving the quality of health care.</p><h3>CIPP Exam Preparation</h3><p>In preparation for the Certified Information Privacy Professional (CIPP) exam, a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Regulatory Authorities – Department of Health and Human Services (HHS) (I.A.c.iv.)</li><li>Health Insurance Portability and Accountability Act of 1996 (I.B.a.v.2.)</li><li>Criminal and Civil Liability (II.B.a.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2011/03/15/data-breaches-cost-us-hospitals-6-billion-annually/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>HIPAA: Health Information Portability and Accountability Act</title><link>https://www.cippguide.org/2010/01/25/health-information-portability-and-accountability-act-hipaa/</link> 
<comments>https://www.cippguide.org/2010/01/25/health-information-portability-and-accountability-act-hipaa/#comments</comments> <pubDate>Mon, 25 Jan 2010 12:00:03 +0000</pubDate> <dc:creator>jbrook</dc:creator> <category><![CDATA[CIPP]]></category> <category><![CDATA[Compliance & Regulations]]></category> <category><![CDATA[CIPP/G]]></category> <category><![CDATA[Healthcare]]></category> <category><![CDATA[HIPAA]]></category> <category><![CDATA[PHI]]></category> <category><![CDATA[Privacy Rule]]></category> <category><![CDATA[Security Rule]]></category><guid
isPermaLink="false">http://www.cippguide.org/?p=1198</guid> <description><![CDATA[HIPAA is a sectoral law that was first developed in 1996, to enact several changes in the healthcare industry. Among these changes are a security rule and privacy rule which protect personal health [...]]]></description> <content:encoded><![CDATA[<p>HIPAA is a sectoral law that was first developed in 1996, to enact several changes in the healthcare industry. Among these changes are a security rule and privacy rule which protect personal health information.</p><p><strong><a
href="http://privacyruleandresearch.nih.gov/pr_07.asp">What is Protected Health Information?</a></strong></p><p>Protected Health Information is any personally identifiable health information communicated in any form (oral, paper or electronic) that is maintained by a covered entity as defined by HIPAA (see below). Personally identifiable health information may include a person’s age, gender and other demographic information as well as information about their diagnosis; prognosis; their past, present or future medical health or conditions; and payment for the provision of past, present or future medical care. Any information that may potentially identify an individual personally is considered to be protected health information (PHI).</p><p><strong><a
href="http://privacyruleandresearch.nih.gov/pr_06.asp">Who Must Comply With HIPAA?</a></strong></p><p>In general, any entity that handles protected health information must comply with HIPAA regulations. However, the law specifically mentions the following, all of which are considered “covered entities”:</p><ul><li>Health Care Providers – All hospitals, doctors, nurses, health care workers and any other healthcare service providers</li><li>Health Plans – Medicare and Medicaid; private insurance companies; group health plans</li><li>Business Associates – Any third party that may handle protected health information as a service, such as billing, data analysis, data aggregation, etc.</li></ul><p><a
href="http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html"><strong>The Privacy Rule</strong></a></p><p>The HIPAA Privacy Rule attempts to strike a balance between the need for disclosure among health care professionals to ensure quality care, payment and the maintenance of public security, while still protecting the identity and personal health information of the patient.</p><p>Under the Privacy Rule a patient has the right to:</p><ul><li><em>Notice of a covered entity’s privacy practices</em>, which includes the type of information collected and its intended use.</li><li><em>Consent or object to the disclosure of protected health information to third parties</em> other than those disclosures granted to business associates for the rendering of treatment or services. The Privacy Rule requires that a signed authorization from the individual be placed on record for each specific third party with which the patient wishes to share their information.</li><li><em>Access and amend their protected health information</em> that an entity has on record about them. A minimal charge may be assessed to cover expenses associated with providing access or changes to their records.</li><li><em>Limited disclosure of protected health information.</em> Disclosure must be limited to that which is minimally necessary. When a health care provider or plan shares personal health information with a business associate for the purposes of rendering a service (i.e., billing, data analysis, research, etc.), the covered entity must ensure that the business associate or third party will maintain the same standards of privacy.</li><li><em>Safeguarding of their protected health information</em>. All entities handling personal health information must maintain the necessary physical, technical and administrative safeguards to protect the confidentiality, integrity and security of the patient’s information.</li></ul><p><em><a
href="http://www.cdc.gov/mmwr/preview/mmwrhtml/m2e411a1.htm">Exceptions to the Privacy Rule</a></em></p><p>The Privacy Rule makes provisions for the disclosure of protected health information without the limitations outlined above in the following situations:</p><ul><li>Information needed for public health activities and safety</li><li>In coordination with law enforcement or judicial activities and proceedings</li><li>Certain research purposes</li><li>Special government functions</li></ul><p><strong><em><a
href="http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html">The Security Rule</a></em></strong></p><p>HIPAA’s Security Rule deals specifically with the protection of personal health information in its electronic form, which includes data stored on computer hard drives and magnetic or digital storage devices.</p><p>The Security Rule requires that covered entities take reasonable measures to:</p><ul><li>Ensure the confidentiality, integrity, and availability of electronic health information</li><li>Protect against the unauthorized access, use or disclosure of protected health information.</li><li>Enforce HIPAA compliance in the workforce.</li></ul><p>Furthermore, the Security Rule requires:</p><ul><li>The designation of an individual or entity responsible for implementing and enforcing the Security Rule</li><li>Initial and periodic risk assessments to determine the efficacy of current safeguards, evaluate new threats and implement the necessary protections to maintain the confidentiality and integrity of the data.</li><li>The creation of an ongoing training program to educate the workforce on complying with the Security Rule</li><li>The covered entity to incorporate the Security Rule into <em><a
href="http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html">Business Associate Contracts</a></em> to ensure that all business associates maintain an equivalent level of protection.</li></ul><p><strong>Summary:</strong></p><p>The Health Care Portability and Accountability Act plays a significant role in the protection of the privacy of health information. HIPAA is a complex and far-reaching law which pertains to all professionals involved in the health care field. Education in HIPAA compliance must be ongoing, and compliance closely monitored to ensure the protection of health information.</p><p><em>CIPP/G Candidate Preparation</em></p><p>In preparation for the Certified Information Privacy Professional/Government (CIPP/G) exam, a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>U.S. Public and Private Sector General Laws including HIPAA (I.A.b.i.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2010/01/25/health-information-portability-and-accountability-act-hipaa/feed/</wfw:commentRss> <slash:comments>3</slash:comments> </item> </channel> </rss>