Although HIPAA has been in effect for 24 years, confusion remains about some aspects. The passing of the HITECH act in 2009 added a few wrinkles and brought this issue back to the forefront.
Do you know the difference between HIPAA and HITECH?
The Health Insurance Portability and Accountability Act(HIPAA), sets the standard for protecting sensitive patient data. This legislation focused on simplifying administration and processing of medical billings, protection of privacy, and obtaining insurance with a pre-existing condition. It was co-sponsored by 25 additional US Senators. President Clinton signed into law on August 21, 1996.
The HITECH Act supports the enforcement of HIPAA requirements by raising the penalties of health organizations that violate HIPAA Privacy and Security Rules. HITECH Act is in response to health technology development and increased use, storage and transmission of electronic health information.
We will lay out the details below to help clarify these laws. But the takeaway for medical practices is this: you must know what to do in the event of a patient-information breach.
Before creating an action plan, you may want to bring in an outside consultant to evaluate your current security practices. Complete compliance with current rules will lessen the potential for a breach, and an in-depth review will help you determine the best plan should a breach occur. You should conduct an accurate and thorough assessment of the risks and vulnerabilities regarding the sensitive information held by your office. All offices need to understand how this affects them and their part in structuring a level of protocol and not negating their responsibility.
HIPAA
HIPAA prohibits doctors, nurses, and healthcare institutions from releasing protected health information to anyone, without patient consent. Health organizations are responsible for training all employees who have contact with medical records in HIPAA compliance.
The exceptions to HIPAA include disclosing:
- Health information in response to a court or administrative order regarding a lawsuit
- To a law enforcement official in response to a warrant or circumstances surrounding a crime
- To a medical examiner or funeral director to identify a deceased person or determine the cause of death
- Of inmate health information to the institution providing the patient with healthcare (or to protect the patient’s health and safety)
HITECH
In 2009, Congress passed the Health Information for Technical and Clinical Health Act (HITECH), which dramatically strengthened HIPAA data security requirements. HITECH raises the penalties for HIPAA violations and extends the HIPAA provisions to business associates of HIPAA-covered entities. Business associates are any person or entity that performs certain functions involving the use or disclosure of protected health information on behalf of a covered entity. The act is a response to the increased use, storage, and transmittal of electronic health information.
HITECH requires covered entities to report data breaches affecting 500+ individuals to the Health and Human Services department, the media, and the affected individuals. Guidelines and protocols should be in place regarding when, where, who and how these are reported and under what conditions.
- Covered entities must comply with most of the new provisions (i.e., not their business associates’ agreements—see below)
- PHI disclosures become subject to the new restrictions on the sale of PHI.
- Covered entities must bring all of their business associate agreements into compliance with the rules. This includes business associates’ agreements with their covered subcontractors.
Now is the time to ensure that all the agents and independent contractors that furnish services to your practice are aware of the new rules and when they take effect. It is also important for everyone in your office to know the policy, guidelines, and penalties due to non-compliance.
It is very important to be aware of the different terms of HIPAA because failure to comply with any of these can lead to criminal and civil penalties.
The violations are classified in four groups and the penalty varies to the offense:
- This is due to ignorance of the policy, in which the individual unknowingly violated any of the terms of the HIPAA.
Penalty : $119-$59,522 per violation, with a $1,785,651 annual maximum for repeat violations - The second type is due to reasonable cause for violation.
Penalty: $1,191-$59,522 per violation, with a $1,785,651 annual maximum for repeated violations - This violation is due to willful neglect, but is corrected within the period of time required by law or in 30 days.
Penalty: $11,904 – $59,522 per violation, with a $1,785,651 annual maximum for repeat violations - The last and most severe violation one is due to willful neglect where no corrective action was taken.
Penalty: $59,522 per violation, with a $1,785,651 annual maximum
It is also important to note that criminal penalties such as imprisonment can also be decided for covered entities that violate HIPAA.
- Level 1 violations can result in up to one year in person.
- Violations of Level 2 can result in up to 5 years in prison.
- Level 3 & 4 violations can result in up to ten years in prison.
The American Medical Association mentions how punishments can also extend to health plans, clearinghouses, prescription card sponsors, and providers that transmit e-claim forms. Ensure that your practice maintains the highest standards of HIPAA and HITECH compliance.