As of February 17, 2010, entities covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), such as group health plans and their business associates, will have to take certain actions to ensure continued compliance with the privacy and security provisions of the act.
HIPAA was put in place to guard the privacy of protected health information and regulate the manner in which covered entities—defined as a health plan or a healthcare provider that uses a healthcare clearinghouse or an electronic device to transmit health information—and business associates create, store, access, and disclose protected health information.
In the final rule from the Department of Health and Human Services (HHS), stricter penalties were applied for violations of the HIPAA privacy and security rules. The rule also amended HIPAA’s enforcement regulations to incorporate the violation categories of the Health Information Technology for Economic and Clinical Health (HITECH) Act. The categories include violations, adding tiered ranges of civil money penalties, and revised limitations on the HHS secretary’s authority to impose civil money penalties.
Some of the changes to HIPAA include:
- Business associates (people who provide services to a covered entity) of a covered entity must fully comply with HIPAA’s privacy and security requirements;
- Covered entities must amend their business associate agreements to reflect the new obligations imposed on business associates;
- Covered entities must notify individuals of any unauthorized disclosure of their unsecured protected health information (PHI);
- Business associates must notify covered entities of any unauthorized disclosure of unsecured PHI;
- Covered entities must honor individuals’ requests to restrict disclosure of PHI; and
- The new HIPAA provisions will be enforced through heightened penalties and mandatory audits by the HHS secretary.
Also, under the new HIPPA security rules, covered entities will have to amend business associate agreements to reflect changes to the privacy regulation that addresses the storage and transmission of electronic PHI. This applies to a limited extent to business associates by requiring that they comply with the security safeguards set forth in business associate agreements.
Business associates will also need to adopt a security policy, appoint a security officer, and train their workforces on how to safeguard electronic PHI. Similarly, it appears that the rule requires business associates to comply with the privacy provisions of HIPAA to the same extent that covered entities must comply. Currently, business associates are required only to comply with the provisions of the Privacy Rule that are set forth in the business associate agreement.
The enforcement of these new guidelines requires HHS to conduct periodic audits of HIPAA compliance by covered entities and business associates. Consequences will be determined according to the “nature and extent of the violation and the nature and extent of the harm resulting from such violation,” according to the final rule in the Federal Register. Penalties range from $100 to $50,000 for each violation. A cap of $1.5 million exists for violations of an identical provision in a calendar year.
Additionally, it is now required that covered entities must notify individuals if any of their unsecured PHI has been breached and as a result information has been accessed, acquired, or disclosed. In the event of a breach, a covered entity is required to take steps to alleviate the damage for such a breach. Furthermore, business associates must notify covered entities of any breach of unsecured PHI no later than 60 days following the date on which a breach has been discovered.
Covered entities should contact their business associates to ensure that they are in compliance with the Privacy Rule and Security Rule; they should also contact any transmission service organizations to discuss their obligations under HIPAA. Failure to make the necessary changes for the new guidelines could cost your practice.
For additional information on HIPAA or practice management guidelines, contact Antanya Chung at achung@rheumatology.org or (404) 633-3777, ext. 818