


Felhaber, Larson, Fenlon & Vogt

September 14, 2009

Articles

HIPAA Changes under the Stimulus Act
A checklist of action items to remain in compliance
By Jennifer A. Forbes, JD

The American Recovery and Reinvestment Act (ARRA) includes significant changes to HIPAA phased-in over the next two years, so don’t let these changes catch you by surprise. During the coming months, you need to revise your HIPAA policies, notice of privacy practices, business associate agreements, and training programs. Here is a recommended checklist of action items your practice needs to remain in compliance (organized in chronological order by effective date).

Effective now (as of Feb. 17, 2009)

  1. Incorporate new penalty provisions into training, policies, and business associate agreements. Up until the ARRA, the HIPAA regulations have imposed very limited financial penalties for unintentional violations. These limited penalties have provided a sense of comfort to providers acting in good faith with respect to unintentional violations of the law, and to other providers who are placed in the unenviable position of having to choose between the lesser of two evils (violate privacy rights or protect others). Now it is clear: Wrist-slapping is a thing of the past.

    The ARRA clarifies that an individual who wrongfully discloses protected health information (PHI) may be subject to criminal prosecution and penalties for violations. You may recall a memorandum from the Department of Justice that indicated that only covered entities, and not individuals, could be criminally prosecuted. This change is intended to clarify that nothing could be further from the truth. Therefore, you will want to build into your training information on the personal criminal penalties, as they create serious personal motivation for workers to comply with the law.

    In addition, the ARRA has substantially increased penalties for civil violations. The size of the penalty is based on the violator’s intent and the number of violations of identical requirements in a calendar year. Table 1 outlines the new penalty scheme.

TABLE 1

| Level of Intent Involved in Violation | Penalty per Violation | Maximum Calendar Year Penalties for Violations of Identical Requirements |
|---|---|---|
| Unknowing Violations | $100 | $25,000 |
| Violations based on Reasonable Cause | $1,000 | $100,000 |
| Violations based on Willful Neglect which are Corrected | $10,000 | $250,000 |
| Violations based on Willful Neglect which are not Corrected | $50,000 | $1.5 million |

Prior to the ARRA, violations of HIPAA were enforced only by the federal government. Now state attorneys general have the right to litigate in federal district court to remedy violations. Regulations providing clearer guidance on penalties are expected this August.

Effective 30 days after final regulations (published August 24, 2009)

  1. Establish procedures for breach notification in your training, policies, procedures, and business associate agreements. Beginning this autumn, you will be required to notify individuals of “breaches” of their “unsecured PHI.”  In certain cases (such as breaches involving the information of over 500 individuals), you will be required to provide notice to prominent media outlets. There are several new definitions that you will need to integrate into your HIPAA policies, including the terms “breach” and “unsecured PHI.” Guidance on methods to render PHI “unusable, unreadable or indecipherable” is now available at www.hhs.gov and should be built into your policies. This requirement will be effective 30 days after the date of regulations, which are due within 180 days of the effective date of ARRA. You should target to be in compliance by September 2009.

    UPDATE: The interim final regulations were published August 24, 2009, making the effective date for breach notification September 24, 2009.

  2. Establish policies regarding breach notifications related to vendors of personal health records. The ARRA also contains new rules governing personal health records (PHR). Personal health records are distinct from electronic health records or electronic designated record sets in that the records are controlled by the individual, much like a MySpace or Facebook page for health care records. Now companies that sell products through the Web sites of covered entities that offer PHR, and companies that access information in or send information to a PHR, are required to track and report security breaches of these records. The Federal Trade Commission has been ordered to announce interim regulations by Aug. 17. Entities must be in compliance within 30 days after the regulations are issued.

Effective one year from date of ARRA (February 17, 2010)

  1. Revise policies on the use of limited data sets as a temporary replacement for the “minimum necessary” rule. HIPAA’s “minimum necessary” standard requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health information.

    The ARRA will require covered entities to use a limited data set where the minimum necessary rule otherwise applies and where the covered entity can accomplish its objectives using the limited data set. HHS is required to issue guidance on the meaning of “minimum necessary” by Aug. 17, 2010. Once that guidance is available, providers will be required to follow the new guidance, and the use of the limited data set will no longer be required. So dust off the definition of “limited data set” (which is de-identified as specified under the regulations) and use this instead of following the minimum necessary rule if practicable.

  2. Establish procedures for dealing with a patient’s request to limit information to his or her health plan. A patient will be able to request that a provider not disclose information to a health plan if the patient pays in full for the service. Providers will be required to comply with such a request. You will want to include a procedure for flagging such accounts to avoid inadvertent disclosures of treatment information to health plans. This change will also require a revision of your Notice of Privacy Practices (NPP).

  3. Revise your policies on when authorization is needed for disclosure related to marketing. The ARRA significantly narrows the ability of a covered entity to use PHI in marketing. Unless the communication falls within a very narrow exception, authorization will strictly be required. This change will require a review of policies, procedures, the NPP, and business associate agreements.

  4. Revise procedures for opting out of fundraising. HIPAA currently requires a covered entity using PHI for fundraising to provide a patient with a right to opt out. The ARRA now requires that the opt-out be “clear and conspicuous” in the fundraising material.

  5. Establish procedures for providing copies of electronic health records electronically. Providers with electronic health records (EHRs) will be required to give an electronic copy of an individual’s electronic health record to the individual upon request. Providers are advised to revise their HIPAA policies and procedures to describe this process, and business associates who are handling or managing electronic health records must be required to facilitate this response and transfer. EHR systems must be established to allow compliance with this requirement.

  6. Notify your business associates and amend your business associate agreements. Business associates will now be directly subject to the legal requirements of HIPAA. Currently, business associates are subject to HIPAA only indirectly, through the business associate agreement. However, we expect that many business associates will not be prepared to comply with the legal requirements under HIPAA. In addition, business associate agreements need to be amended to include the additional legal requirements incorporated by the ARRA.

Earliest effective date Jan. 1, 2011, or later

  1. Prepare to account for disclosures of electronic health records for treatment, payment, and operations. HIPAA has not required an accounting of disclosures for treatment, payment, or health care operations. All that is changing. Beginning in 2011, providers will be required to provide an accounting of all disclosures for treatment, payment, and operations from electronic health records to an individual upon request. Note that “Electronic Health Record” is another new term that you will need to integrate into your HIPAA policies. The term is distinct from ePHI or an electronic designated record set. Procedures will need to be established to track and log disclosures from EHRs. The effective date will be set by final regulations. The earliest possible effective date is Jan. 1, 2011. As an incentive, those providers who are first to adopt EHRs will be the last to be required to begin tracking and reporting.

  2. Incorporate new restrictions on the sale of protected health information (PHI). The sale of PHI will require authorization unless the sale is in connection with one of the applicable exceptions (such as a merger or sale of business). HHS has 18 months to publish regulations with additional guidance. The restrictions will be effective six months thereafter.

All of these changes are coming at a time when most providers are comfortable with their HIPAA privacy and security practices. Now is the time to dust off your HIPAA privacy and security policies, training program, notice of privacy practices, and business associate agreements to incorporate the new legal requirements—and avoid those new and improved penalties. For complete information about HIPAA regulations, go to www.hhs.gov/ocr/privacy/.

Jennifer A. Forbes

Jennifer A. Forbes, JD, is a health lawyer and a frequent lecturer on HIPAA and other regulatory issues facing health care providers. She is the chair of the health law practice group at the firm of Felhaber, Larson, Fenlon & Vogt, PA, with offices in Minneapolis and St. Paul.

Jennifer A. Forbes | (651) 312-6007 | jforbes@felhaber.com 

Copyright 2009, Minnesota Physician Publishing. This article originally appeared in Minnesota Physician 23(6): 24-25, and is published with permission.