HITECH Increases HIPAA Responsibility and Penalties

David Siegfeld
December 17, 2012

HITECH (the Health Information Technology for Economic and Clinical Health Act) was part of ARRA (the American Recovery and Reinvestment Act) of 2009. HITECH included some good news in that it provides over $19 billion to promote the adoption of electronic medical records through incentive payments. There are provisions for substantial payments to eligible professionals and eligible hospitals that are "meaningful users" of Electronic Health Records (EHR). Rules have recently been published that address both the incentives and the penalties for not using EHR "meaningfully". The legislation provides significant financial incentives through the Medicare and Medicaid programs to encourage doctors and hospitals to adopt and use certified electronic health records. Physicians will be eligible for $40,000 to $65,000 for showing that they are meaningfully using health information technology, such as through the reporting of quality measures. Hospitals will be eligible for several million dollars in the Medicaid and Medicare programs for similarly using health information technology. Federally qualified health centers, rural health clinics, children's hospitals and others will be eligible for funding through the Medicaid program.

The other part of the new law, which may make it more challenging either to be a health provider or to do business with such a provider, is that HITECH also made some substantial changes to HIPAA (the Health Insurance Portability and Accountability Act of 1996). Some highlights of these changes include:

1. a requirement that covered entities notify individuals of breaches involving their PHI (Protected Health Information);
2. a requirement for new business associate agreements providing that business associates will be directly responsible to HHS for the use and disclosure of PHI and will be directly subject to civil and criminal penalties;
3. a requirement that covered entities account to HHS for disclosures of PHI;
4. a prohibition on covered entities selling PHI without an authorization from the patient;
5. a limitation on the potential for using PHI for marketing purposes;
6. a major increase in the civil penalties for HIPAA violations; and
7. a provision that permits the enforcement of HIPAA by State Attorneys General.

Before ARRA, HIPAA required covered entities such as hospitals, physicians and health plans to enter into contracts (known as "business associate agreements") with entities performing functions or providing services on their behalf if those functions or services involved the exchange of health information. The contracts had to require that business associates use appropriate security safeguards to protect the health information they received from the covered entity. These agreements also set forth the permitted uses and disclosures of such health information. However, prior to ARRA, business associates themselves were not directly subject to governmental enforcement action: the only remedy available against a business associate was for a covered entity to sue for breach of contract. Under the new law, business associates are now required to comply directly with most provisions of the HIPAA Security Rule. They also must comply with any changes to the Privacy Rule that were part of ARRA, regardless of whether or not their contracts with covered entities contain those provisions. Business associates can now be held directly accountable by federal or state authorities for any failure to comply with HIPAA as amended by ARRA or with applicable regulations.

Additionally, the new law requires that covered entities which become aware of breaches of "unsecured" health information comply with certain notification provisions. ARRA includes specific provisions regarding the content, methods and timing of notification. Notice must be given no later than 60 days after the discovery of the breach. A breach is considered to be "discovered" when at least one employee of the entity (other than the person responsible for the breach) knows, or reasonably should know, of the breach. Notice must be provided to media outlets if the information of more than 500 individuals is involved. Notice of all breaches also must be provided to the Secretary (immediately if the breach involves the information of more than 500 individuals, and in an annual log for breaches that do not reach this threshold). The Secretary is required to post on the HHS website a list of covered entities involved in breaches of more than 500 individuals' information, and must report annually to Congress on the number and nature of any breaches that occurred during that year.
