In order to maintain our compliance with HIPAA's Security and Privacy Rules, The 123 Page would like you to be aware of new regulations affecting all of our members. Important changes to HIPAA were enacted recently as part of the "Economic Stimulus Act" (the ARRA). Most of the actual changes to HIPAA are contained in the "HITECH Act", which is Title XIII of the ARRA, the "American Recovery and Reinvestment Act". Both became law on February 17, 2009. The major changes listed below have come into effect as of February 17, 2010.
New HIPAA Penalties
Effective: Immediately (2009).
- Increased penalties for violations.
- Penalties calculated on a variety of factors.
- Four tiers of penalties, depending on nature of offense:
Tier A - Offender didn't know, and by reasonable diligence would not have known, that he or she violated the law:
* $100 per violation
* $25,000 annual maximum total per violator
Tier B - Violation due to reasonable cause and not willful neglect:
* $1,000 per violation
* $100,000 annual maximum total per violator
Tier C - Violation due to willful neglect but was corrected:
* $10,000 per violation
* $250,000 annual maximum total per violator
Tier D - Violation due to willful neglect and was not corrected:
* $50,000 per violation
* $1,500,000 annual maximum total per violator
Breach Notifications to Consumers (2009)
* Covered entities (CE), Business Associates, and PHR Vendors are subject to breach
* Notify consumers if "unsecured" PHI was accessed, acquired, or disclosed in breach.
* "Unsecured" essentially means "unencrypted" data, including all physical media.
* Notices must be sent "without reasonable delay" - no later than 60 days after breach.
* Minimum content of notifications is specified in the regulations.
* Notices sent by 1st class mail - email only if consumer stated a preference for email.
* If 10 or more victims can't be located, notice on website or in media must be posted.
* Breaches involving > 500 victims: Mandatory, immediate reporting to HHS
* Breaches involving < 500 victims: Entity keeps log, provides to HHS annually.
* If over 500 victims, HHS will publicly post on Internet
* PHR breaches get reported to FTC, and FTC in turn notifies HHS.
* Guidance from Sec of HHS within 60 days after enactment.
Business Associates Must Comply with HIPAA Security Rule (2010)
* Business Associates subject to same civil & criminal penalties as Covered entities.
* Business Associates must comply with Administrative, Technical, and Physical Safeguards.
* Business Associates must establish and maintain appropriate policies and procedures.
* Business Associates must document all Security Rule compliance activities.
* Business Associates must report breaches just like Covered entities.
* BUSINESS ASSOCIATE Contracts must be created or amended to include new requirements.
* Business Associates are not directly subject to the Privacy Rule, but are restricted from PHI uses and disclosures not permitted by the BUSINESS ASSOCIATE contract. This represents "de-facto" Privacy compliance.
* PHR Vendors and Health Information Exchanges become Business Associates.
New Right to Obtain Copies of Electronic Health Records
* When CE uses an EHR, individual has Right to an electronic copy of their records.
* Individual can direct CE to send an electronic copy directly to another party or entity.
* Maximum fees are the direct labor costs associated with fulfilling the request.
Expanded Right to Privacy Restriction
* Covered entities must agree to individual disclosure restriction requests - previously was optional.
* Some exceptions exist with regard to health plans and payments.
* Much CE confusion, some push-back expected over this.
New Restrictions on Marketing & Fundraising
* Definition of "Marketing" clarified.
* Recipients must have clear & conspicuous way to "opt out" of future communications.
* Opt-out must be treated as a "revocation of authorization" to market to that recipient.
* Restrictions apply to communications made after Feb. 17, 2010 (12 months after enactment).
No Selling of PHI
* HIPAA previously allowed payment to CE for PHI as long as disclosure was otherwise lawful and permitted by Privacy Rule.
* CE will not be able to receive payment for PHI, even if disclosure is permitted, without an authorization from the patient that includes permission to sell.
* A number of exceptions exist, for research, public health activities, sale or transfer of
Priority for Limited Data Sets and De-identified Data
* Limited Data Set (LDS) disclosures are preferred over "minimum necessary"
* Provides a simpler, clearer approach to de-identifying data for uses and disclosures not involving treatment or payment.
Clarification of Minimum Necessary Rule
* Aims to clarify definition and practical use of "Minimum Necessary" and LDS's.
* Scope of PHI requests from one CE to another treating same patient was major
* No Covered entities or Business Associates held to new standard till new Guidance is
Disclosure Accounting Includes TPO Disclosures if EHR Used
Effective: January 01, 2011 and January 01, 2014.
* If EHR used, patient has new Right to accounting of disclosures for TPO.
* Such accounting can go back 3 years from date of request.
* Can charge reasonable fees for accounting, but no greater than direct labor cost.
* HHS must adopt & publish standards within 6 months from enactment.
For any additional information please contact your compliance officer or visit http://www.hipaa.com or http://www.hhs.gov/ocr/privacy