HITECH Act and HIPAA: Important Compliance Update
Susan E. Ziel
Gerald “Jud” DeLoss
Krieg DeVault
Disclaimer
This content is provided for general information purposes and is not intended as legal advice. Competent legal counsel should be sought before taking any action in reliance on this content.
Legislative History
- Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
  - Privacy Regulations (2003)
  - Security Regulations (2005)
- American Recovery and Reinvestment Act of 2009 (“ARRA”) (2/17/09)
  - Title XIII: Health Information Technology for Economic and Clinical Health Act (“HITECH”)
HHS Regulations Under HITECH Act To Date
- 4/27/09 HHS Guidance: Techniques and Methods to Create Secure PHI
- 8/24/09 HHS IFR (Interim Final Rule): Breach Notification Involving Unsecured PHI
- 8/30/09 HHS Moves HIPAA Security Responsibilities from CMS to OCR
- 10/30/09 HHS IFR: Amend HIPAA Civil Money Penalties and Enforcement
HITECH Act Amendments to HIPAA
- HIPAA and Business Associates
- Amended Civil and Criminal Penalties
- Breaches Involving Unsecured PHI
- “Minimum Necessary” Disclosures
- Patient Requests to Restrict Disclosures
- Accounting of Disclosures
- Marketing and Fundraising
- Patient Access to PHI in Electronic Format
- Prohibition on Sale of PHI
- HHS “Improved Enforcement”
HIPAA and Business Associates (“BA”)
- Current Law
  - HIPAA requirements apply only to covered entities
  - BA not directly subject to HIPAA
  - Covered Entities (“CE”) required to enter into BA agreements with BA
    - Indirect way to impose requirements on BA
HIPAA and Business Associates (“BA”)
- New Law Effective 2/17/10 (Section 13401)
  - HIPAA Security Provisions Apply to BA
  - BA required to comply with the HIPAA Security Rule as if they were CE:
    - 45 CFR § 164.308 (Administrative Safeguards)
    - 45 CFR § 164.310 (Physical Safeguards)
    - 45 CFR § 164.312 (Technical Safeguards)
    - 45 CFR § 164.316 (Policies and Procedures)
HIPAA and Business Associates (BA)
- New Law (Section 13404)
  - Certain HIPAA Privacy Provisions apply to BA
  - BA may use or disclose PHI only if such use or disclosure complies with the privacy provisions of their BA agreements
HIPAA and Business Associates (BA)
- Other ARRA privacy/security requirements that apply to CE “shall be incorporated” into BA agreements
- If a BA becomes aware of a CE’s violation of HIPAA, the BA is obligated either to terminate the BA agreement with the CE or to report the CE to HHS
- BA subject to HIPAA enforcement and penalties as if a CE
HIPAA and Business Associates (BA)
- Section 13408: CE must also enter into a BAA with third parties that provide PHI transmission/exchange, including:
  - Health Information Exchange Organizations
  - Regional Health Information Organizations
  - E-Prescribing Gateways
  - Other
Amended Civil and Criminal Penalties
- Current Law
  - Only CE directly liable for criminal violations
- New Law Effective 2/17/10 (Section 13409)
  - Clarifies that CE, as well as employees, BA, and other actors that obtain or disclose PHI maintained by a CE without authorization, will be subject to potential criminal penalties
Civil and Criminal Penalties: “Improved Enforcement”
- Current Law
  - Civil Money Penalties (“CMP”s) limited to $100 per HIPAA violation, with a maximum of $25,000 for all violations of identical nature in a single year
- New Law Effective 2/17/09 (Section 13410(d))
  - CMPs are now tiered and increase for different levels of HIPAA violations
  - Fines range from $100 per violation up to a cap of $1.5 million for all violations per year
  - OCR retains discretion to use corrective action without penalty where the person did not know of the violation
HHS IFR: Civil Penalties
- New Definitions
  - Reasonable Cause
  - Reasonable Diligence
  - Willful Neglect
- New CMP Amounts Depend On
  - Whether the violations occurred before or after 2/18/09
  - No Knowledge
  - Reasonable Cause
  - Willful Neglect
Security Breach Notification
- Current Law
  - CE are only required under HIPAA to account for wrongful disclosure
  - However, the Security Rule imposes a duty to mitigate
  - Remember: IN (Indiana) security breach laws
- New Law/Regulations Effective 9/17/09, Now Delayed Until 2/22/10 (Section 13402)
  - CE required to notify individuals whose “unsecured” PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed as a result of a breach
  - BA required to notify CE of a breach
Security Breach Notification
- “Breach”
  - Unauthorized acquisition, access, use, or disclosure of PHI which compromises the security/privacy of such information, except when an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information
- Exceptions
  - Unintentional acquisition, access, or use of PHI by an employee or individual acting under the authority of a CE or BA in good faith and within the scope of employment or other relationship; or
  - Inadvertent disclosure involving employees or individuals acting under the authority of a CE or BA; or
  - Inadvertent disclosure to a third party not reasonably able to retain the information
- Risk Assessment Reveals Evidence of “Low Risk” of Harm
Security Breach Notification
- Unsecured PHI
  - HHS Guidance (4/17/09)
  - “Unsecured” PHI is PHI that is not secured through the use of a technology or methodology specified by HHS that renders the PHI unusable, unreadable, or indecipherable to unauthorized individuals
Security Breach Notification
- HHS Guidance re: Technologies & Methodologies to render PHI unusable, unreadable, or indecipherable; their use is not required, but if PHI is secured by one of them, a “safe harbor” applies and breach notification is not required
- Two Mechanisms:
  - Electronic PHI has been encrypted as specified in the HIPAA Security Rule and NIST Guidelines; or
  - Media on which PHI is stored or recorded has been destroyed:
    - Paper, film, or other hard copy media have been shredded or destroyed such that PHI cannot be read or otherwise reconstructed
    - Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that PHI cannot be retrieved
Security Breach Notification
- Notification Requirements
  - Notification required to be made “without unreasonable delay” but no later than 60 calendar days after discovery of the breach
  - Notice must be:
    - In writing to the individual by mail (or e-mail)
    - Sent to the last known address of the individual
    - If contact information is insufficient or out of date, CE must give notice in substitute form (e.g. web site/media)
Security Breach Notification
- Notification Requirements (continued)
  - If the breach involves PHI of more than 500 individuals in a state, CE must give notice of the breach to prominent media outlets
  - CE must also notify HHS of any breach
    - If more than 500 individuals are affected, HHS must be notified immediately
    - If fewer than 500 individuals are affected, the CE must notify HHS annually (March 1)
Security Breach Notification
- All Notices must include, if possible:
  - A brief description of what happened, including the dates of the breach and of its discovery
  - Description of the types of unsecured PHI that were involved in the breach
  - Steps individuals should take to protect themselves from potential harm resulting from the breach
  - Brief description of what the CE involved is doing to investigate the breach, mitigate losses, and protect against further breaches
  - Contact procedures, including a toll-free telephone number, e-mail address, web site, or postal address
Patient Requests to Restrict Disclosures
- Current Law
  - Individual has the right to request that a CE restrict certain uses/disclosures of PHI pertaining to that individual
  - CE not obligated to comply with the request
- New Law (Section 13405(a))
  - CE required to agree to the requested restriction if the disclosure is to a health plan for payment purposes AND the PHI relates to an item/service that the CE has been paid for out of pocket in full
“Minimum Necessary” Disclosures
- Current Law
  - CE required (except for treatment) to provide only the “minimum necessary” amount of PHI to accomplish the purpose of the use/disclosure
- New Law (Section 13405(b))
  - Until further guidance is issued, a CE is required, to the “extent practicable,” to limit disclosures of PHI to the “limited data set,” or, if more information is needed, to the “minimum necessary” to accomplish the intended purpose of such use, disclosure, or request
“Minimum Necessary” Disclosures
- Limited Data Set:
  - PHI that excludes direct identifiers, such as names, addresses, and SSNs
  - Does not apply to treatment disclosures
- HHS required to issue guidance on the minimum necessary standard within 18 months of ARRA (8/2010)
Accounting of Disclosures
- Current Law
  - Individual has the right to receive an accounting of disclosures of PHI for certain purposes made by a covered entity in the preceding 6 years
  - Excludes treatment, payment, and health care operations (“TPO”)
- New Law (Section 13405(c))
  - CE that use electronic health records (“EHR”) must account for ALL PHI disclosures, including all TPO disclosures, that were made through the use of an EHR
Accounting of Disclosures
- Grace period for compliance:
  - For CE having an EHR as of 1/1/09, the new rules apply to disclosures of PHI on or after 1/1/2014
  - For CE that acquire an EHR after 1/1/09, the new rules apply to disclosures made on or after the later of 1/1/2011 or the date that the CE acquired the EHR
  - HHS can postpone compliance dates
Accounting of Disclosures
- Under the new law, the required reporting period is reduced from 6 years to 3 years
- HHS to issue regulations re: what information must be maintained about each PHI disclosure
- In response to a request from an individual, a CE shall provide an accounting of disclosures of PHI:
  - Made by the CE and all applicable BA; OR
  - Made only by the CE, together with a list and contact information for all relevant BA
Marketing
- Current Law
  - CE must obtain the patient’s authorization for any PHI use or disclosure for marketing purposes. Certain exceptions apply.
- New Law (Section 13406(a)) with New Regulations Due 2/17/10
  - Confirms that any communication that encourages the recipient to use a product or service is not considered a health care operation (and is therefore marketing) unless it is made: (continued on next slide)
Marketing
- Marketing Exceptions Continued:
  - To describe a health-related product/service provided by or included in the plan of benefits of the CE making the communication;
  - For treatment of that individual; OR
  - For case management, care coordination, or to recommend alternative treatments, therapies, providers, or settings of care
- The above 3 exceptions will not be considered health care operations unless:
  - Payment is for a communication re: a drug currently prescribed for the recipient of the communication and the payment is reasonable in amount;
  - The communication is made by the CE and the CE obtains a valid HIPAA authorization; OR
  - The communication is made by a BA of a CE, and such communication is consistent with the BA Agreement
Fundraising
- Fundraising (Section 13406(b))
  - All written fundraising communications shall provide the recipient with an opportunity to opt out of any future fundraising communications
  - If the person opts out, such election is to be treated as a revocation of authorization under HIPAA
  - Applies to communications occurring on or after February 17, 2010
Patient Access to PHI in Electronic Format
- Current Law
  - Patients have a right to obtain a copy of their PHI maintained in a designated record set
- New Law (Section 13405(e))
  - Patients have a right to obtain a copy of their PHI in electronic format if the CE uses an EMR, so long as the request is clear and specific
  - Fee limitations apply
Prohibition on Sale of PHI
- New Law (Section 13405(d))
  - CE and BA are prohibited from receiving remuneration in exchange for PHI unless the patient has signed an authorization specifying approval
  - Several exceptions, including public health activities, due diligence in conjunction with the sale/merger of a CE, etc.
  - Subject to additional regulations
HHS “Improved Enforcement”
- New Law (Section 13411)
  - Secretary of HHS required to perform periodic audits to ensure that CE and BA are in compliance with HIPAA and the new ARRA requirements
  - HHS required to submit the number of audits performed and a summary of findings to Congress on an annual basis by 2/17/10
HHS “Improved Enforcement”
- New Law (Section 13410(a))
  - HHS must investigate any complaint that may have resulted from “willful neglect,” effective 2/17/11
  - If a violation is found, HHS is required to impose CMPs
- New Law (Section 13410(c))
  - CMPs/monetary settlements collected shall be transferred to the OCR to be used for HIPAA enforcement purposes
  - HHS shall establish regulations (by 2/17/12) that specify the methodology under which an individual who has been harmed by a HIPAA violation may receive a percentage of any monetary amount collected
HHS “Improved Enforcement”
- New Law Effective 2/17/09 (Section 13410(e))
  - State Attorneys General may bring civil actions to enjoin privacy/security violations or obtain damages on behalf of state residents
  - Damages limited to $100 per violation with a cap of $25,000 for identical violations in a year
  - Costs and attorney fees can be awarded to the State
HIPAA Action Plan
- Covered Entity Compliance
  - Update Policies
  - Update Privacy Notice
  - Communicate With BAs Regarding New Obligations
  - BAA Amendments
- Business Associate Compliance
  - Security Risk Assessment
  - Establish Policies
  - Communicate with Subcontractors Regarding New Obligations
  - BAA (Subcontractor) Amendments
Questions?
Susan Ziel, RN JD
(317) 238-6244
sziel@kdlegal.com
Gerald “Jud” DeLoss
(312) 423-9307
gdeloss@kdlegal.com