Immediate Action Required under HIPAA/HITECH Final Rule
More Businesses Subject to HIPAA; Revisions to Practices, Policies and Procedures Required; Government is Increasing and Expanding Enforcement Efforts
Health care providers and entities with which they do business are subject to new and revised HIPAA privacy and security regulations and are exposed to potential expanded liability. All such entities should immediately reassess and appropriately revise their current practices, policies and procedures. Additionally, due to the regulations’ substantial broadening of the definition of “Business Associate,” all businesses that encounter health information should perform an analysis to determine whether they are subject to the regulations and, if so, must act quickly to avoid potential criminal and civil liability. For instance, in addition to the numerous types of businesses already subject to HIPAA – such as attorneys and accountants who perform services for health care providers involving health information – the U.S. Department of Health and Human Services (“HHS”) has specifically identified businesses such as data transmission services, data/document storage providers and shredding companies as potential Business Associates. The regulations are effective March 26, 2013, and entities must establish compliance as early as September 23, 2013. Penalties can extend to $50,000 for each violation, and up to $1.5 million for all violations of an identical provision.
The new regulations implement the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and Genetic Information Nondiscrimination Act and also establish additional modifications to the Privacy, Security, Enforcement and Breach Notification Rules under the Health Insurance Portability and Accountability Act (“HIPAA”) (the “HITECH Rule”). Health care providers, health insurance companies and health care clearinghouses subject to HIPAA/HITECH are referred to as “Covered Entities.” Entities that perform certain services for Covered Entities involving protected health information (“PHI”) are referred to as “Business Associates.”
Substantial Broadening of Definition of “Business Associate”; Business Associate Direct Liability
Business Associates are now directly liable for the civil and criminal penalties associated with HIPAA’s extensive privacy and security requirements. The HITECH Rule also greatly broadens the definition of “Business Associate.” For instance, the term now includes subcontractors of Business Associates, as well as entities that merely “maintain,” “receive” or “transmit” PHI on behalf of Covered Entities. HHS has specifically identified data transmission services, data/document storage providers and shredding companies as potential Business Associates and has greatly limited the applicability of the “conduit” exception often relied upon by entities such as cloud computing vendors.
Expanded HIPAA Requirements and Responsibilities
The HITECH Rule expands the rights of individuals with respect to their PHI and implements numerous changes to current HIPAA requirements. Compliance with the HITECH Rule will almost certainly require the following:
- Creating or revising HIPAA privacy and security policies and procedures to comply with the substantial revisions to HIPAA under the HITECH Rule, which include changes to the breach notification requirements, procedures to use PHI for marketing and fundraising, and the provision of access to individuals with respect to their PHI;
- Amending and properly distributing notices of privacy practices to include notifications to patients regarding, for example, new required authorizations, new individual rights regarding genetic information, restrictions of certain disclosures to health plans and the ability of individuals to opt-out of receiving fundraising communications;
- Creating or updating Business Associate agreements and other forms, such as individual requests for access to PHI;
- Updating or implementing physical, technical and administrative security safeguards, conducting or updating security risk analyses and addressing certain threats specifically identified by HHS, such as the use of mobile devices;
- Reviewing existing and potential Business Associate relationships to ensure appropriate agreements and/or safeguards are in place; and
- Designing and conducting workforce HIPAA training and/or retraining.
Substantially Increased Government Enforcement; Small Businesses Are Exposed
In the midst of the HITECH Rule’s sweeping changes, Covered Entities and Business Associates must be prepared for increased HIPAA enforcement and monitoring by HHS and the potential imposition of penalties ranging from $100 to $50,000 for each violation, up to $1.5 million for all violations of an identical provision. Enforcement efforts are enhanced and strengthened under the HITECH Rule, which, for example, requires an investigation of any complaint filed with HHS that, after a preliminary review of the facts, indicates a possible violation due to willful neglect.
HIPAA enforcement actions and audits – which often begin with a patient complaint to HHS – are now frequent and have made abundantly clear that even small entities face substantial exposure. For instance, in April 2012, following an extensive investigation by HHS, a small physician practice entered into a settlement with HHS for $100,000 and also agreed to a Corrective Action Plan and Resolution Agreement. In addition, in January 2013, HHS for the first time entered into a HIPAA settlement for a PHI breach affecting fewer than 500 patients, which was reported by a hospice provider after the theft of a laptop. The most common compliance deficiency revealed by recent enforcement actions is the lack of written policies and procedures. Covered Entities and Business Associates can only expect their exposure to increase as a result of the HITECH Rule.
Wolff & Samson is fully prepared to assist clients with all their HIPAA/HITECH compliance needs, such as developing or revising policies, procedures and Business Associate Agreements, and providing workforce training. Should you have any questions regarding your HIPAA/HITECH obligations, please do not hesitate to contact an attorney in our Health Care and Hospital Group.