The HITECH (Health Information Technology for Economic and Clinical Health) Act is Title XIII of the American Recovery and Reinvestment Act of 2009 (ARRA). While the various subtitles of HITECH cover many topics relevant to physicians (for example, financial incentives for health information technology), this article addresses Subtitle D of HITECH, which amends the privacy and security rules under HIPAA (Health Insurance Portability and Accountability Act of 1996).
HIPAA's privacy and security rules established floors of confidentiality and security protections for patients' demographic and health information in all forms—paper, oral, and electronic. The development of health information technology (for example, electronic health records, personal health records, health information exchanges) has resulted in additional risks; HITECH builds on the privacy and security rules to address these new risks.
How has HIPAA enforcement increased?
State attorneys general can bring enforcement action for violations of federal HIPAA regulations.
Employees and individuals are subject to HIPAA's criminal penalties.
The Department of Health and Human Services (HHS) must conduct audits of covered entities and business associates.
HHS must investigate complaints of willful neglect, and if substantiated, HHS must impose a statutory penalty of at least $10,000 per violation (at least $50,000 per violation if the violation is not corrected).
HHS and state attorneys general can pursue civil HIPAA violations in cases in which criminal penalty could attach, but the Department of Justice declines to pursue.
Individuals can recover a percentage of penalties imposed or settlement proceeds from HIPAA investigations based on their complaints.
What are the penalties for HIPAA violations?
Civil penalties for HIPAA violations have increased for covered entities and business associates and now range from $100 to $50,000 or more per violation, depending on the level of culpability, with a cap of $1.5 million per calendar year for multiple violations of an identical provision. "Violation" means disclosure of one person's information.
Criminal penalties remain up to $250,000 and 10 years imprisonment.
What can I do to ensure compliance with the Privacy Rule?
The first step is to understand what the Privacy Rule requires. There are comprehensive educational resources available on the HHS Web site, <www.hhs.gov/ocr/privacy>. Remember that under HIPAA's Privacy Rule, patients have the right to receive a Notice of Privacy Practices; authorize the release of information for purposes other than treatment, payment, or health care operations; request restrictions on disclosures; access the records (with very limited exceptions); request amendment of the record; request an accounting of disclosures (other than for treatment, payment, or health care operations purposes); complain about violations to the provider and to HHS; and have only the minimum necessary information disclosed.
Also under the Privacy Rule, covered providers must designate a privacy officer and contact person/office; implement safeguards (administrative, physical, and technical safeguards) for protected health information (PHI) (oral, paper, and electronic); mitigate damages from unauthorized uses or disclosures of PHI; investigate complaints; prevent retaliation for complaints; impose sanctions for privacy violations; have documented confidentiality policies and procedures; and train employees on confidentiality policies and procedures.
The second step is to understand HHS's Privacy Rule enforcement. While no civil monetary penalties have been imposed to date, HHS has publicized two resolution agreements. In the most recent case from January 2009, the CVS drug-store chain agreed to pay $2.25 million to resolve allegations stemming from media reports that PHI was being disposed of in unsecured dumpsters. The second case, from July 2008, involved a resolution agreement to settle allegations related to loss of electronic backup media and laptop computers with PHI. The health care system involved agreed to pay $100,000. HHS's Web site also contains examples of cases that were investigated, violations that were found, and corrective actions that were ordered.
What can I do to ensure compliance with the Security Rule?
First, know what the Security Rule requires to protect against reasonably anticipated improper use or disclosure of electronic PHI. The Security Rule has general requirements to
The Security Rule consists of 18 standards grouped into three types of safeguards (administrative, physical, and technical). Each standard states what must be done, and most standards carry implementation specifications stating how it must be done. Implementation specifications are either "required" or "addressable"; an addressable specification is not optional, but a covered entity may document why it is not reasonable and appropriate in its environment and implement an equivalent alternative measure instead.
Second, become familiar with the vast amounts of educational and enforcement information made available by HHS. While its Office for Civil Rights now enforces both the Privacy and Security Rules, its Centers for Medicare and Medicaid Services (CMS) originally enforced the Security Rule and published many enforcement resources including a "Security Guidance," posted at <www.cms.hhs.gov/SecurityStandard/Downloads/SecurityGuidanceforRemoteUseFinal122806rev.pdf>, which addresses portable-device security.
Moreover, CMS issued a list of what would need to be provided by a covered entity in a Security Rule audit—20 different types of policies and procedures and an additional 19 specified documents. CMS also published compliance reviews indicating that the most common security complaints involve unauthorized access to electronic PHI (particularly by employees), loss or theft of devices containing electronic PHI, and insufficient access controls, such as lack of encryption.
What do I need to know about breach notification?
Covered providers and business associates need to be aware of the requirements under state and federal breach notification laws.
Under HITECH's federal breach notification law:
What do I need to do to ensure compliance? Prior to a breach, physicians should develop processes to prevent and discover breaches, train staff, and ensure ongoing monitoring. Once a breach is discovered or reported:
While there is no uniformity among state laws on breach notification, almost all states have some type of consumer-protection law requiring businesses to notify customers of an inappropriate use or disclosure of their information. Some state laws are reactive—requiring notification of the breach. Other states are reactive and proactive—also requiring specific security standards be met to prevent breach of consumers' data. And at least one state, California, has expanded its breach-notification law to include breach of medical information.
Where can I find more information?
American Recovery and Reinvestment Act of 2009, <http://fdsys.gpo.gov/fdsys/pkg/BILLS-111hr1ENR/pdf/BILLS-111hr1ENR.pdf>
HHS Office for Civil Rights (OCR) <www.hhs.gov/ocr/privacy> and regional offices (contact information available on Web site); regional offices are required to provide HIPAA guidance and education to covered providers (along with business associates and patients)
HHS Centers for Medicare and Medicaid Services (CMS)—Security Rule enforcement, <www.cms.hhs.gov/Enforcement> (note: Security Rule enforcement authority transferred from CMS to OCR, so enforcement information is expected to ultimately be found on OCR's Web site)
HHS Breach Notification Guidance (4/09) and Breach Notification Regulation (8/09), <www.hhs.gov/ocr/privacy/index.html>
PRMS's HIPAA Help, <www.psychprogram.com> (Risk management section)