<?xml version="1.0" encoding="UTF-8"?> <rss
version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
><channel><title>CIPP Guide &#187; Privacy Rule</title> <atom:link href="http://www.cippguide.org/tag/privacy-rule/feed/" rel="self" type="application/rss+xml" /><link>https://www.cippguide.org</link> <description>Your Guide to the CIPP</description> <lastBuildDate>Sat, 11 Feb 2012 07:47:27 +0000</lastBuildDate> <language>en</language> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <generator>http://wordpress.org/?v=3.3.1</generator> <item><title>ARRA 2009: Privacy &amp; Security Changes – Part II</title><link>https://www.cippguide.org/2012/02/02/arra-2009-privacy-security-changes-part-ii/</link> <comments>https://www.cippguide.org/2012/02/02/arra-2009-privacy-security-changes-part-ii/#comments</comments> <pubDate>Thu, 02 Feb 2012 12:00:03 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[Privacy]]></category> <category><![CDATA[ARRA]]></category> <category><![CDATA[electronic health records]]></category> <category><![CDATA[Healthcare]]></category> <category><![CDATA[HHS]]></category> <category><![CDATA[HIPAA]]></category> <category><![CDATA[personal health records]]></category> <category><![CDATA[Privacy Rule]]></category> <category><![CDATA[Security Rule]]></category><guid
isPermaLink="false">https://www.cippguide.org/?p=2817</guid> <description><![CDATA[This article takes a look at the American Recovery and Reinvestment Act (ARRA) of 2009, which created some significant changes to privacy and security regulations which were outlined in the Health Insurance Portability and Accountability Act (HIPAA) as well as the Health Information Technology for Economic and Clinical Health (HITECH) Act. The ARRA imposes substantial modifications in four main areas: 1) HIPAA statutory requirements; 2) Increased enforcement of HIPAA; 3) Provisions to address health information held by entities not covered by HIPAA; and 4) Other changes including administrative changes, studies, reports and educational initiatives. This article takes a look at the modifications the ARRA made to HIPAA [...]]]></description> <content:encoded><![CDATA[<p>The <a
href="http://ecommons.med.harvard.edu/ec_res/nt/A3B4A28D-987B-4271-B003-5A877B4F4E38/arrabookmarks.pdf">American Recovery and Reinvestment Act</a> (ARRA) of 2009 was a $787 billion economic stimulus package enacted into law on February 17, 2009. The ARRA amended existing privacy regulations for health care organizations and created some new ones. It also included provisions for greater enforcement of HIPAA and significant penalties for privacy and security violations. This article explores the new and updated enforcement requirements.</p><p><strong>Four Main Areas of Change</strong></p><p>Certain aspects of the ARRA make significant changes to the types and level of privacy and security requirements that healthcare providers must follow. The ARRA imposes substantial modifications in the following four areas:</p><ol><li><a
href="http://www.cippguide.org/tag/hipaa/">HIPAA</a> (Health Insurance Portability and Accountability Act) statutory requirements</li><li>Increased enforcement of HIPAA</li><li>Provisions to address health information held by entities not covered by HIPAA</li><li>Other changes including administrative changes, studies, reports and educational initiatives</li></ol><p>The modifications in each of these four areas are discussed in separate articles in this series. This article focuses on the ARRA’s changes to HIPAA enforcement policy and procedure.</p><p><strong>Direct Accountability</strong></p><p>The ARRA amends original legislation and holds business associates accountable by federal and state authorities for failure to comply with any applicable provisions of the HIPAA <a
href="https://www.cippguide.org/tag/privacy-rule/">Privacy</a> and <a
href="https://www.cippguide.org/tag/security-rule/">Security Rules</a>. The original Act states that government authorities are unable to hold business associates accountable for failing to comply with their agreements; only covered entities can be held liable for the actions of their business associates in limited circumstances.</p><p><strong>Criminal Penalties</strong></p><p>ARRA provides important clarification that HIPAA’s criminal penalties can be enforced against individuals. This includes, but is not limited to, employees of a covered entity. This provision essentially overrules a Department of Justice memo issued during the Bush Administration that declared only covered entities could be criminally prosecuted for violations of HIPAA.</p><p>ARRA also clarifies that <a
href="https://www.cippguide.org/tag/hhs/">Health and Human Services</a> (HHS) and state attorneys general can pursue a civil HIPAA violation in cases where criminal penalties could be imposed, but the Department of Justice declines to pursue the case. The Secretary is required to formally investigate any complaint where a preliminary investigation of the facts indicates a possible violation due to willful neglect. The Secretary must also impose a civil monetary penalty if a violation is found to constitute willful neglect of the law. The <a
href="http://www.gao.gov/">Government Accountability Office</a> (GAO) will need to develop a methodology for individuals affected by HIPAA violations to receive a percentage of any penalty or monetary settlement collected.</p><p>There is also a new tiered penalty structure, based on the level of the HIPAA violation, which is capped at $50,000 per violation and an annual maximum of $1.5 million.</p><p><strong>Enforcement by State Attorneys General &amp; Secretary Auditing</strong></p><p>A number of states authorize their attorneys general to enforce federal consumer protection laws, which include HIPAA. ARRA expressly authorizes all state attorneys general to enforce HIPAA in federal district court. This means that attorneys general in all states are able to enforce the law, even if no state authorizing statute exists. Penalties imposed in such situations are limited to the former statutory minimum set by HIPAA: $100 per violation and $25,000 annually for repeat violations of the same provision.</p><p>The Secretary has the right to intervene in the application of this provision where necessary. The ARRA also requires the Secretary to perform periodic audits to ensure compliance with the new provisions.</p><p><strong>Summary</strong></p><p>This article takes a look at the American Recovery and Reinvestment Act (ARRA) of 2009, which created some significant changes to the privacy and security regulations outlined in the Health Insurance Portability and Accountability Act (HIPAA) as well as the Health Information Technology for Economic and Clinical Health (HITECH) Act. The ARRA imposes substantial modifications in four main areas: 1) <a
href="http://www.cippguide.org/tag/hipaa/">HIPAA</a> statutory requirements; 2) Increased enforcement of HIPAA; 3) Provisions to address health information held by entities not covered by HIPAA; and 4) Other changes including administrative changes, studies, reports and educational initiatives. This article takes a look at the modifications the ARRA made to HIPAA enforcement.</p><p><strong>CIPP Exam Preparation</strong></p><p>In preparation for the Certified Information Privacy Professional (CIPP) exam, a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Amendments under the American Recovery &amp; Reinvestment Act of 2009 (I.B.a.i.3.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2012/02/02/arra-2009-privacy-security-changes-part-ii/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>ARRA 2009: Privacy &amp; Security Changes – Part I</title><link>https://www.cippguide.org/2012/01/26/arra-2009-privacy-security-changes-part-i/</link> <comments>https://www.cippguide.org/2012/01/26/arra-2009-privacy-security-changes-part-i/#comments</comments> <pubDate>Thu, 26 Jan 2012 12:00:28 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[Privacy]]></category> <category><![CDATA[access]]></category> <category><![CDATA[ARRA]]></category> <category><![CDATA[electronic health records]]></category> <category><![CDATA[Healthcare]]></category> <category><![CDATA[opt-out]]></category> <category><![CDATA[personal health records]]></category> <category><![CDATA[Privacy Rule]]></category> <category><![CDATA[Security Rule]]></category><guid
isPermaLink="false">https://www.cippguide.org/?p=2814</guid> <description><![CDATA[This article takes a look at the American Recovery and Reinvestment Act (ARRA) of 2009, which created some significant changes to privacy and security regulations which were outlined in the Health Insurance Portability and Accountability Act (HIPAA) as well as the Health Information Technology for Economic and Clinical Health (HITECH) Act. The ARRA imposes substantial modifications in four main areas: 1) HIPAA statutory requirements; 2) Increased enforcement of HIPAA; 3) Provisions to address health information held by entities not covered by HIPAA; and 4) Other changes including administrative changes, studies, reports and educational initiatives. This article takes a look at the modifications the ARRA made to HIPAA statutory requirements around privacy and [...]]]></description> <content:encoded><![CDATA[<p>The <a
href="http://ecommons.med.harvard.edu/ec_res/nt/A3B4A28D-987B-4271-B003-5A877B4F4E38/arrabookmarks.pdf">American Recovery and Reinvestment Act</a> (ARRA) of 2009 was an economic stimulus package enacted into law on February 17, 2009. For our purposes here, the ARRA amended existing privacy regulations for health care organizations and created some new ones.</p><p>According to the commentary in President Obama’s <a
href="http://en.wikipedia.org/wiki/2010_United_States_federal_budget">Budget for Fiscal Year 2010</a>:</p><p>“These incentives, coupled with other activities authorized in… [ARRA], are expected to result in a dramatic increase in the percentage of health care providers using health IT within five years. Computerized health records – while protecting the privacy and security of personal health information – is expected to facilitate improvements in the quality of health care, prevention of unnecessary health care spending, and a reduction in medical errors.”</p><p>Provisions on privacy and security were found in ARRA’s Title XIII, Subtitle D and certain parts of Subtitle A. The ARRA provisions were generally effective as of February 17, 2010, but a more specific implementation timeline is available <a
href="http://geekdoctor.blogspot.com/2009/03/timeline-for-arra-privacy-provisions.html">here</a>.</p><p><strong>Four Main Areas of Change</strong></p><p>Certain aspects of the ARRA make significant changes to the types and level of privacy and security requirements that healthcare providers must follow. The ARRA imposes substantial modifications in the following four areas:</p><ol><li><a
href="http://www.cippguide.org/tag/hipaa/">HIPAA</a> (Health Insurance Portability and Accountability Act) statutory requirements</li><li>Increased enforcement of HIPAA</li><li>Provisions to address health information held by entities not covered by HIPAA</li><li>Other changes including administrative changes, studies, reports and educational initiatives</li></ol><p>The modifications in each of these four areas are discussed in separate articles in this series. This article focuses on the ARRA’s changes to HIPAA statutory requirements.</p><p><strong>Business Associates &amp; Compliance</strong></p><p>Prior to the enactment of the ARRA, HIPAA required that covered entities (e.g. hospitals, physicians and health plans) enter into contracts (called “business associate agreements”) with entities performing functions or providing services on their behalf, where those functions/services involved the exchange of health information. The business associate agreements required the business associates to use appropriate security safeguards to protect health information they received and were responsible for. It is important to note that before the enactment of the ARRA, business associates were not directly subject to governmental enforcement action; covered entities would have to sue them for breach of contract.</p><p>The ARRA requires business associates to comply directly with most of the provisions of the <a
href="https://www.cippguide.org/tag/security-rule/">HIPAA Security Rule</a>. Business associates must also comply with <a
href="https://www.cippguide.org/tag/privacy-rule/">Privacy Rule</a> provisions that are made applicable to them by their contract with the covered entity. This means that they must comply with any changes to the Privacy Rule that are part of ARRA, whether or not those provisions are included in their contracts with the covered entities.</p><p><strong>Data Breaches</strong></p><p>Originally, the HIPAA did not require covered entities to notify affected individuals in the case of breaches of their <a
href="https://www.cippguide.org/tag/phi/">protected health information</a>. Now, the ARRA requires that individuals be notified if their unsecured health information has been breached. In the case of outsourcing, business associates should notify the covered entities of any breaches, and the covered entities should then notify the individuals concerned.</p><p><strong>Restricting Disclosures</strong></p><p>ARRA imposes a requirement on covered entities (and their business associates) to honor an individual’s request to restrict disclosure of protected health information to a health plan for purposes of payment or health care operations if the information pertains solely to a health care item or service that the individual has paid for in full out-of-pocket.</p><p><strong>“Minimum necessary” Amounts</strong></p><p>The Privacy Rule outlines that only the minimum necessary amount of protected health information should be accessed, used or disclosed (except in cases of treatment and other specific circumstances). The rule also outlines that a limited data set should be used. This data set must be stripped of a number of categories of patient-identifying information and can be used pursuant to a data use agreement for research, public health and health care operations purposes. The ARRA requires the Secretary to establish guidance on what “minimum necessary” means.</p><p><strong>Disclosures of Personal Health Information</strong></p><p>The Privacy Rule initially stated that covered entities needed to provide – upon request – an accounting of disclosures of protected health information made from the individual’s medical record for the previous six years. However, a number of disclosures were exempted from this requirement, including disclosures for treatment, payment, and health care operations. The ARRA states that covered entities using electronic health records may no longer exempt such disclosures. 
However, the accounting only needs to cover the previous three years, rather than six.</p><p><strong>No “Sale” of Protected Health Information</strong></p><p>ARRA prohibits direct or indirect remuneration in exchange for an individual’s protected health information without the individual’s authorization. This authorization must also specify whether the information can be further exchanged for remuneration by the original entity that receives the data. There are, of course, <a
href="http://healthlawoffices.com/blog/?p=43">exceptions</a> to this provision.</p><p><strong>Right of Access</strong></p><p>The HIPAA Privacy Rule has always protected individuals’ right to access and obtain a copy of their health records, normally within thirty days of their request. The ARRA requires covered entities using electronic health records to provide individuals with an electronic copy of the record. The record must be transmitted directly to an entity or person specified by the individual. Fees must be kept to a reasonable amount that reflects the labor costs involved.</p><p><strong>Marketing Communications</strong></p><p>ARRA imposes more stringent restrictions and regulations on authorization for marketing purposes. If a covered entity is paid by an outside entity to send a communication to a patient, the communication is considered “marketing.” This means that it will require prior authorization from the patient.</p><p>There are some exceptions to this regulation. For instance, protected health information is permitted to be used without authorization for communications that describe a drug or biologic currently being prescribed or administered to the individual, as long as the payment received by the covered entity is reasonable in amount. Communications that have the patient’s authorization may also be sponsored by outside entities.</p><p><strong>Opting Out of Fundraising</strong></p><p>Previously, covered entities were able to use an individual’s demographic information, as well as the dates during which they received health care, to send fundraising communications without pre-authorization from the individual. 
The ARRA now requires the Secretary to create a rule requiring that individuals be able to opt out of receiving such communications in a clear and conspicuous way.</p><p><strong>Summary</strong></p><p>This article takes a look at the American Recovery and Reinvestment Act (ARRA) of 2009, which created some significant changes to the privacy and security regulations outlined in the Health Insurance Portability and Accountability Act (HIPAA) as well as the Health Information Technology for Economic and Clinical Health (HITECH) Act. The ARRA imposes substantial modifications in four main areas: 1) <a
href="http://www.cippguide.org/tag/hipaa/">HIPAA</a> statutory requirements; 2) Increased enforcement of HIPAA; 3) Provisions to address health information held by entities not covered by HIPAA; and 4) Other changes including administrative changes, studies, reports and educational initiatives. This article takes a look at the modifications the ARRA made to HIPAA statutory requirements around privacy and security.</p><p><strong>CIPP Exam Preparation</strong></p><p>In preparation for the Certified Information Privacy Professional (CIPP) exam, a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Amendments under the American Recovery &amp; Reinvestment Act of 2009 (I.B.a.i.3.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2012/01/26/arra-2009-privacy-security-changes-part-i/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>HIPAA Enforcement Process</title><link>https://www.cippguide.org/2010/05/25/hipaa-enforcement-process/</link> <comments>https://www.cippguide.org/2010/05/25/hipaa-enforcement-process/#comments</comments> <pubDate>Tue, 25 May 2010 12:00:10 +0000</pubDate> <dc:creator>jbrook</dc:creator> <category><![CDATA[CIPP]]></category> <category><![CDATA[Compliance & Regulations]]></category> <category><![CDATA[Department of Health and Human Services]]></category> <category><![CDATA[HHS]]></category> <category><![CDATA[HIPAA]]></category> <category><![CDATA[OCR]]></category> <category><![CDATA[Office of Civil Rights]]></category> <category><![CDATA[PHI]]></category> <category><![CDATA[Privacy Rule]]></category> <category><![CDATA[Security Rule]]></category><guid
isPermaLink="false">http://www.cippguide.org/?p=1701</guid> <description><![CDATA[The Health Insurance Portability and Privacy Act was passed in 2003. Since then HIPAA has become one of the most consistently enforced privacy laws to date. Enforcement falls largely to the Department of Health and Human Service’s Office of Civil [...]]]></description> <content:encoded><![CDATA[<p>The <a
href="../../../../../2010/01/25/health-information-portability-and-accountability-act-hipaa/">Health Insurance Portability and Privacy Act</a> was passed in 2003. Since then HIPAA has become one of the most consistently enforced privacy laws to date. Enforcement falls largely to the Department of Health and Human Services’ Office of Civil Rights.</p><p>HIPAA legislation is divided between two rules: the Privacy Rule and the Security Rule. The Privacy Rule of HIPAA involves the privacy of protected health information (PHI). Among the protections it provides are the right to access and amend medical records, the right to consent to PHI disclosure, the right to notice of a covered entity’s privacy practices, and the safeguarding and limited disclosure of PHI. Enforcement of the Privacy Rule ensures that such rights are protected.</p><p><strong><a
href="http://www.hhs.gov/ocr/privacy/hipaa/enforcement/process/howocrenforces.html">How Does the OCR Enforce the Privacy Rule?</a></strong></p><p>The Office of Civil Rights enforces the Privacy Rule through several methods:</p><ul><li>Investigating complaints filed with the OCR</li><li>Conducting compliance reviews of covered entities</li><li>Creating programs for education and outreach</li></ul><p>The most common method of enforcement is the investigation of complaints.</p><p><strong><a
href="http://www.hhs.gov/ocr/privacy/hipaa/enforcement/process/index.html">How Does the OCR Investigate Complaints?</a></strong></p><p>All complaints filed with the OCR go through an Intake and Review process. If the complaint meets the following criteria, it moves on to the investigation stage:</p><ul><li>The alleged violation occurred after the effective dates of the Privacy or Security Rule.</li><li>The entity against which the complaint is filed must be a <a
href="http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html">covered entity</a>.</li><li>The alleged activity must be one that would violate the Privacy or Security Rule.</li><li>The complaint must be filed within 180 days of when the person submitting the complaint became aware of the violation.</li></ul><p>If the complaint does not meet all of the above criteria, then no violation of HIPAA is considered to have occurred. If the complaint does meet all of the above criteria, an investigation is launched to determine the veracity of the complaint.</p><p>If the complaint involves a possible criminal violation, the investigation is handled by the Department of Justice. If the complaint only involves Privacy or Security Rule violations, it is investigated by the OCR. Depending on the results of the OCR investigation:</p><ul><li>No violation may be found</li><li>A violation may be found, and voluntary compliance or corrective action is taken</li><li>A formal finding of violation from the OCR is issued</li></ul><p><strong><a
href="http://www.hhs.gov/ocr/privacy/hipaa/enforcement/highlights/index.htm">Enforcement Statistics</a></strong></p><p>The number of HIPAA complaints has increased each year since its institution. In 2008, the OCR received almost 10,000 complaints. On average, around <a
href="http://www.hhs.gov/ocr/privacy/hipaa/enforcement/data/historicalnumbers.html">two-thirds of alleged complaints</a> are determined to be violations and resolution action is taken. One-third of alleged complaints either do not meet the criteria to warrant an investigation or the investigation determines that no violation occurred.</p><p>On average, the top five complaints filed every year involve:</p><ol><li>Impermissible uses and disclosures</li><li>Safeguards</li><li>Access</li><li>More PHI is collected or used than the minimum necessary</li><li>Improper authorization for disclosure</li></ol><p>On average, the top five covered entities that have been found to be in violation of the Privacy Rule include:</p><ol><li>Private Practices</li><li>General Hospitals</li><li>Outpatient Facilities</li><li>Health Plans</li><li>Pharmacies</li></ol><p><strong>Summary:</strong></p><p>The OCR is committed to HIPAA enforcement. All complaints filed with the OCR are reviewed and may be subject to investigation if a violation is suspected. Depending on the severity of the violation, the OCR may need to take enforcement action against an entity to ensure compliance. Such enforcement is costly to the entity, the U.S. 
Government and its citizens, so covered entities should review their practices and policies to correct any potential compliance violations.</p><p><em>CIPP/G Candidate Preparation</em></p><p>In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:</p><ul><li>HIPAA (I.B.a.i)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2010/05/25/hipaa-enforcement-process/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>HIPAA: Health Information Portability and Accountability Act</title><link>https://www.cippguide.org/2010/01/25/health-information-portability-and-accountability-act-hipaa/</link> <comments>https://www.cippguide.org/2010/01/25/health-information-portability-and-accountability-act-hipaa/#comments</comments> <pubDate>Mon, 25 Jan 2010 12:00:03 +0000</pubDate> <dc:creator>jbrook</dc:creator> <category><![CDATA[CIPP]]></category> <category><![CDATA[Compliance & Regulations]]></category> <category><![CDATA[CIPP/G]]></category> <category><![CDATA[Healthcare]]></category> <category><![CDATA[HIPAA]]></category> <category><![CDATA[PHI]]></category> <category><![CDATA[Privacy Rule]]></category> <category><![CDATA[Security Rule]]></category><guid
isPermaLink="false">http://www.cippguide.org/?p=1198</guid> <description><![CDATA[HIPAA is a sectoral law that was first developed in 1996, to enact several changes in the healthcare industry. Among these changes are a security rule and privacy rule which protect personal health [...]]]></description> <content:encoded><![CDATA[<p>HIPAA is a sectoral law that was first developed in 1996 to enact several changes in the healthcare industry. Among these changes are a Security Rule and a Privacy Rule which protect personal health information.</p><p><strong><a
href="http://privacyruleandresearch.nih.gov/pr_07.asp">What is Protected Health Information?</a></strong></p><p>Protected Health Information is any personally identifiable health information communicated in any form – oral, paper or electronic – that is maintained by a covered entity as defined by HIPAA (see below). Personally identifiable health information may include a person’s age, gender and other demographic information as well as information about their diagnosis; prognosis; their past, present or future medical health or conditions; and payment for the provision of past, present or future medical care. Any information that may potentially identify an individual personally is considered to be protected health information (PHI).</p><p><strong><a
href="http://privacyruleandresearch.nih.gov/pr_06.asp">Who Must Comply With HIPAA?</a></strong></p><p>In general, any entity that handles protected health information must comply with HIPAA regulations. However, the law specifically mentions the following, all of which are considered “covered entities”:</p><ul><li>Health Care Providers – All hospitals, doctors, nurses, health care workers and any other healthcare service providers</li><li>Health Plans – Medicare and Medicaid; private insurance companies; group health plans</li><li>Business Associates – Any third party that may handle protected health information as a service, such as billing, data analysis, data aggregation, etc.</li></ul><p><a
href="http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html"><strong>The Privacy Rule</strong></a></p><p>The HIPAA Privacy Rule attempts to strike a balance between the need for disclosure among health care professionals (to ensure quality care and payment, and to maintain public security) and the protection of the identity and personal health information of the patient.</p><p>Under the Privacy Rule a patient has the right to:</p><ul><li><em>Notice of a covered entity’s privacy practices</em>, which include the type of information collected and its intended use.</li><li><em>Consent or object to the disclosure of protected health information to third parties</em> other than those disclosures granted to business associates for the rendering of treatment or services. The Privacy Rule requires that a signed authorization from the individual be placed on record for each specific third party with which the patient wishes to share their information.</li><li><em>Access and amend their protected health information</em> that an entity has on record about them. A minimal charge may be assessed to cover expenses associated with providing access or changes to their records.</li><li><em>Limited disclosure of protected health information.</em> Disclosure must be limited to that which is minimally necessary. When a health care provider or plan shares personal health information with a business associate for the purposes of rendering a service (i.e. billing, data analysis, research, etc.), the covered entity must ensure that the business associate or third party will maintain the same standards of privacy.</li><li><em>Safeguarding of their protected health information</em>. All entities handling personal health information must maintain the necessary physical, technical and administrative safeguards to protect the confidentiality, integrity and security of the patient’s information.</li></ul><p><em><a
href="http://www.cdc.gov/mmwr/preview/mmwrhtml/m2e411a1.htm">Exceptions to the Privacy Rule</a></em></p><p>The Privacy Rule makes provisions for the disclosure of protected health information without the limitations outlined above in the following situations:</p><ul><li>Information needed for public health activities and safety</li><li>In coordination with law enforcement or judicial activities and proceedings</li><li>Certain research purposes</li><li>Special Government functions</li></ul><p><strong><em><a
href="http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html">The Security Rule</a></em></strong></p><p>HIPAA’s Security Rule deals specifically with the protection of personal health information in its electronic form, which includes data stored on computer hard drives and magnetic or digital storage devices.</p><p>The Security Rule requires that covered entities take reasonable measures to:</p><ul><li>Ensure the confidentiality, integrity, and availability of electronic health information</li><li>Protect against the unauthorized access, use or disclosure of protected health information.</li><li>Enforce HIPAA compliance in the work force.</li></ul><p>Furthermore, the Security Rule requires:</p><ul><li>The creation of an individual entity to be responsible for implementing and enforcing the Security Rule</li><li>Initial and periodic risk assessments to determine the efficacy of current safeguards, evaluate new threats and implement the necessary protections to maintain the confidentiality and integrity of the data.</li><li>The creation of an ongoing training program to educate the workforce on complying with the Security Rule</li><li>The covered entity to incorporate the Security Rule into <em><a
href="http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html">Business Associate Contracts</a></em> to ensure that all business associates maintain an equivalent level of protection.</li></ul><p><strong>Summary:</strong></p><p>The Health Care Portability and Accountability Act plays a significant role in the protection of the privacy of health information. HIPAA is a complex and far-reaching law which pertains to all professionals involved in the health care field. Education in HIPAA compliance must be ongoing, and compliance closely monitored to ensure the protection of health information.</p><p><em>CIPP/G Candidate Preparation</em></p><p>In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:</p><ul><li>U.S. Public and Private Sector General Laws including HIPAA (I.A.b.i.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2010/01/25/health-information-portability-and-accountability-act-hipaa/feed/</wfw:commentRss> <slash:comments>3</slash:comments> </item> </channel> </rss>
