It is old news that President Obama signed the American Recovery and Reinvestment Act, popularly known as the Stimulus Package, into law last month. What hasn’t made the news are the dramatic changes the law makes to the HIPAA (Health Insurance Portability and Accountability Act) Security Rules. The changes subject business associates to the rules, require notifications for breaches, expand who may seek damages and increase penalties for violations. These changes are called the Health Information Technology for Economic and Clinical Health Act (HITECH).
Here are just some of the biggest changes to the HIPAA Security Rules.
Arguably the biggest change is the expansion of who is covered under HIPAA. The law now places the same security requirements on business associates as on covered entities. This includes the administrative, physical, and technical safeguards mandated by the Security Rule. It will require every business associate to appoint a security official, develop written procedures, and train its workforce on safeguarding private health information. In short, they need better data security from creation to shredding. A business associate is now also subject to civil and criminal penalties under HIPAA.
A second major change to the law is the addition of a security breach notification requirement. Covered entities and business associates must now notify individuals of security breaches. A security breach occurs when protected health information is exposed, whether accidentally or through theft. Notification must be by mail or email, depending on the preference of the individual. For large security breaches, defined as those affecting more than 500 individuals, a “prominent media outlet” must also be notified, as must the Department of Health and Human Services (HHS). The law mandates a website run by HHS for public disclosure of breaches.
Penalties for security violations have also been significantly increased. The fine per violation grew from $100 per individual with a cap of $25,000 to $1,000 per individual with a cap of $100,000. There can also be a fine of $10,000 for willful neglect that caps at $250,000. Topping the list of fines is $50,000 if problems are not corrected properly with a cap of $1.5 million per calendar year.
The law expands who may bring suits for HIPAA violations. It is now possible for fines to go to individuals and their lawyers, which dramatically increases the incentive for lawyers to bring lawsuits. State attorneys general can also bring action against covered entities and business associates on behalf of their residents. This is a significant change from the current system, where individuals could only seek action by HHS. It is not hard to imagine a land rush as lawyers and state attorneys general race to file suits against medical offices that violate the Security Rule.
But there is some good news for the medical industry. HHS is now required to provide annual guidance on the most effective and appropriate information safeguards. The guidance must specify the technologies and methodologies that should keep private medical information secure. The goal is to reduce confusion about what is and isn’t acceptable electronic security.
Most of the new rules go into effect on February 17, 2010. However, some of the provisions have different effective dates that are unclear. Business associates and covered entities should examine each provision carefully to see which apply.