Although HIPAA has been in effect for 24 years, confusion remains about some aspects. The passing of the HITECH Act earlier this year added a few wrinkles and brought this issue back to the forefront.
Do you know the difference between HIPAA and HITECH?
The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient data. HIPAA was introduced in 1996 by the late Senator Edward Kennedy (D-MA) and former Senator Nancy Kassebaum (R-KS). The legislation focused on simplifying the administration and processing of medical billing, protecting privacy, and obtaining insurance at a new job with a pre-existing condition. The legislation was co-sponsored by 25 additional US Senators. President Clinton signed it into law on August 21, 1996.
The HITECH Act supports the enforcement of HIPAA requirements by raising the penalties for health organizations that violate the HIPAA Privacy and Security Rules. The HITECH Act is a response to the development of health technology and the increased use, storage and transmission of electronic health information.
We will lay out the details below to help clarify these laws. But the takeaway for medical practices is this: you must know exactly what to do in the event of a patient-information breach.
Before creating an action plan, you may want to bring in an outside consultant to evaluate your current security practices. Complete compliance with current rules will lessen the potential for a breach, and an in-depth review will help you determine the best plan should a breach occur. As a proactive approach, you should conduct an accurate and thorough assessment of the risks and vulnerabilities to the confidentiality, integrity, and availability of sensitive information held by your office. All offices need to understand how these rules affect them, their part in establishing a level of protocol, and that they cannot delegate away their responsibility.
HIPAA prohibits doctors, nurses, and healthcare institutions from releasing protected health information to anyone, including health insurers, without patient consent. Health organizations are responsible for training all employees who have contact with medical records in HIPAA compliance.
The exceptions to HIPAA include:
- Disclosure of health information in response to a court or administrative order regarding a lawsuit
- Disclosure to a law enforcement official in response to a summons/warrant/subpoena, to help identify or locate a suspect, regarding a death believed to be the result of criminal conduct, about criminal conduct on your premises or in emergency circumstances to report a crime
- Disclosure to a medical examiner or funeral director to identify a deceased person or determine the cause of death
- Disclosure of inmate health information to the institution providing the patient with healthcare (or to protect the patient’s health and safety)
In 2009, in response to HIPAA’s unclear and unenforced security provisions, Congress passed the Health Information for Technical and Clinical Health Act (HITECH), which dramatically strengthened HIPAA data security requirements as well as the enforcement provisions.
HITECH raises the penalties for HIPAA violations and extends the HIPAA provisions to business associates of HIPAA-covered entities. Business associates are any person or entity that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of a covered entity. The act is a response to the increased use, storage and transmittal of electronic health information.
HITECH also requires covered entities to report data breaches affecting 500 or more individuals to the Department of Health and Human Services, the media, and the affected individuals. Guidelines and protocols should be in place regarding when, where, to whom and how these breaches are reported, and under what conditions. A breach should not be reported until all the information has been gathered and the critical steps are in place.
- Covered entities must comply with most of the new provisions (i.e., not their business associate agreements, see below)
- PHI disclosures become subject to the new restrictions on the sale of PHI.
- Covered entities must bring all of their business associate agreements into compliance with the rules. This includes business associates’ agreements with their covered subcontractors.
Clearly, now is the time to ensure that all the agents and independent contractors that furnish services to your practice are aware of the new rules and when they take effect, as it is important for everyone in your office to know the policy, the guidelines, and the penalties for non-compliance.
It is very important to be aware of the different terms of HIPAA because failure to comply with any of these can lead to criminal and civil penalties.
The violations are classified in four groups, and the penalty varies with the offense:
- The first type is due to ignorance of the policy, in which the individual unknowingly violated a term of HIPAA. Penalty: $119-$59,522 per violation, with a $1,785,651 annual maximum for repeat violations
- The second type is due to reasonable cause for violation. Penalty: $1,191-$59,522 per violation, with a $1,785,651 annual maximum for repeated violations
- The third type is due to willful neglect, but is corrected within the period of time required by law or within 30 days. Penalty: $11,904-$59,522 per violation, with a $1,785,651 annual maximum for repeat violations
- The last and most severe type is due to willful neglect where no corrective action was taken. Penalty: $59,522 per violation, with a $1,785,651 annual maximum
- Level 1 violations can result in up to one year in prison.
- Level 2 violations involving private health information can result in up to 5 years in prison.
- Level 3 & 4 violations can result in up to ten years in prison.