Enacted in 1996, HIPAA has long been a source of irritation for healthcare organizations, but not much of a threat. In fact, until recently, being hit by lightning was far more likely than being punished for violating any of the rule’s privacy or security provisions. Naturally, many began to view HIPAA as a paper tiger. However, the Health Information Technology for Economic and Clinical Health (HITECH) Act, best known for its EHR incentive programs, also included significant alterations to HIPAA. Times have changed. In addition to new rules and definitions governing protected health information (PHI), business associates, and other matters, HITECH ushered in a renewed emphasis on enforcement. The multi-million dollar fine levied against a Maryland healthcare facility, and recent moves by the Office of Civil Rights (OCR) to beef up its auditing capability, prove that the paper tiger is no more.
Here are the most important HITECH provisions related to penalties and enforcement:
Data Breach Notification
A breach is defined as an “impermissible use or disclosure of PHI.” Further, the PHI involved has to be unsecured (i.e. it can be read or understood by whoever has access to it). If the PHI is encrypted, or otherwise unreadable, then no breach is considered to have occurred.
Probably the only thing worse than having a data breach occur is having to tell everyone about it. Unfortunately, this is exactly what is required when a breach affects more than 500 patients. In such cases, the entity is required to notify the media and HHS. If fewer than 500 patients are involved, then it is only necessary to notify, in writing, the affected individuals.
New penalty rules assign fines at four levels based on the organization’s level of knowledge of the violation: did not know; reasonable cause; willful neglect corrected in 30 days; and willful neglect not corrected after 30 days. Assessments may range from $100 to $50,000 per violation. Willful neglect brings a minimum of $10,000; $50,000 if identified issues are not corrected within 30 days. Under HITECH, fees may now be assessed for the lowest level of violation–did not know. Ignorance can no longer be used as an excuse to avoid penalties.
Compliance audits are slated to become a standard part of HIPAA activities for the OCR. Auditing procedures are being readied for testing in 2011 and 2012. In addition, HITECH allows state attorneys general to bring civil lawsuits for HIPAA violations on behalf of state residents.
Compliance has to be taken seriously. Penalties are real, and enforcement is becoming a fact of life.
The Security Rule
HIPAA compliance requires meeting the provisions of both the security rule and the privacy rule. Yet, most providers I have spoken with are unaware of the security rule as a separate compliance requirement. One source of confusion may be how the two rules apply. The privacy rule applies to both paper and electronic PHI; however, the security rule applies only to PHI in electronic form. Therefore, practices moving from paper will not have had any prior reason to be concerned with the security rule.
In addition, there seems to be a dangerous misconception that the security rule is an issue only if one is applying for an incentive program. If your practice currently has an electronic system that stores PHI, then the security rule applies to you—even if you are not applying for an incentive program.
HITECH made significant changes to HIPAA that impact every organization that handles protected health information. Be warned! Although it has taken nearly 15 years, now HIPAA has teeth.
The next post in this series will look at the security rule more closely.