Several important modifications to the Health Insurance Portability and Accountability Act were included in the American Recovery and Reinvestment Act of 2009 (ARRA) and took effect in February 2010.The new requirements are provisions of Title XIII of ARRA, the Health Information Technology for Economic and Clinical Health (HITECH) Act, and relate to security standards, disclosure of personal health information, and notification of information breaches.
In terms of HIPAA security standards, as of Feb. 17, requirements of the existing standards/rule also apply to business associates of covered entities. Specifically, "[t]he additional requirements of this title that related to security and that are made applicable with respect to Covered Entities shall also be applicable to such a Business Associate and shall be incorporated into the business associate agreement between the business associate and the covered entity." Penalties for noncompliance with the rule will also apply to both covered entities and business associates.
Regarding disclosure of personal health information (PHI), as of Feb. 18, health care providers, health care plans and other entities are required to honor patient requests to restrict disclosure of their PHI if such disclosure is for purposes unrelated to treatment (e.g., payment or health care operations) and if the PHI in question involves a health care service for which the patient has paid the provider out of pocket in full.
And as of Feb. 22, enforcement of the breach notification rule is in effect, meaning providers will be penalized for failure to provide required notifications for breaches of unsecured PHI discovered on or after that date. The breach notification rule stipulates that when personal health information is breached, individuals whose information has been breeched must be immediately notified. If the breach affects more than 500 individuals, the secretary of Health and Human Services and public media must also be informed in prompt fashion. (Breaches affecting less than 500 individuals should be reported to HHS annually, according to the rule.) The rule also requires that these stipulations be incorporated into business associate agreements between business associates and covered entities, meaning responsibility and liability rest not just with the covered entity (as was the case previously), but the business associate as well if an information breach occurs.
In implementing these new protocols into your practice, consider that the HITECH Act also stipulates dramatically increased fine ranges for HIPAA violations by both covered entities and business associates. In general, monetary penalties now range from $100 to $50,000 per individual violation, with total annual penalties for violations of a single requirement capping out at between $25,000 and $1.5 million based on the severity of the violation. These new fines apply not only to the above-mentioned regulations now in effect, but also to other HITECH Act stipulations scheduled to take effect within the next several years. To stay current on HIPAA requirements, visit www.hhs.gov/ocr/privacy.