MUSC The Catalyst
Stimulus plan strengthens privacy

by Mike Wheeler
University Compliance Office
The American Recovery and Reinvestment Act of 2009 (ARRA), referred to as the federal stimulus package, contains provisions strengthening the Health Insurance Portability and Accountability Act (HIPAA). The package contains new provisions that enhance both privacy and information technology security regulations. 
 
Under ARRA, patients must be notified of an unauthorized acquisition, access, use or disclosure (or breach) of unsecured protected health information with a brief description of what happened and the steps individuals should take to protect themselves. This notification must be made without unreasonable delay and in no case later than 60 calendar days after discovery.
 
If a breach involves more than 500 records (for example, a lost laptop containing unencrypted protected health information), the U.S. Secretary of the Department of Health and Human Services (HHS) and the local media must be notified. In addition, the HHS secretary’s office must be provided a yearly listing of all breaches. Individual employee “snooping” into records is a breach and must be reported.
 
The stimulus package also provides for heightened enforcement actions. Penalties for violating HIPAA and other patients’ rights laws are based upon the level of intent and can range from $100 to $1.5 million. Courts also can award damages, court costs and attorneys’ fees. State attorneys general are given enforcement authority to bring civil actions on behalf of any state resident adversely affected by an unauthorized acquisition, access, use or disclosure of protected health information. Most importantly, individuals can be subject to criminal and civil liability for intentional breaches or willful neglect.
 
Business associates (e.g., a contracted transcription service) must meet additional HIPAA requirements for both privacy and information technology security. Business associates must also report any unauthorized acquisition, access, use or disclosure of a patient’s protected health information. For these reasons, most current business associate agreements must be revised. In addition, business associates can now be subject to criminal and civil liability.
 
ARRA also contains provisions affecting fundraising activities, changes to the accounting rules for disclosures of electronic medical records, changes to the right to request a restriction on the disclosure of protected health information to a health plan, and changes to the conditions governing communications about a product or service; it also establishes the right of a patient to obtain a copy of electronic medical records in an electronic format. Since the final regulations are scheduled to be issued in the next few months, additional staff training will be accomplished using the CATTS system.




Friday, April 24, 2009



The Catalyst Online is published weekly by the MUSC Office of Public Relations for the faculty, employees and students of the Medical University of South Carolina. The Catalyst Online editor, Kim Draughn, can be reached at 792-4107 or by email, catalyst@musc.edu. Editorial copy can be submitted to The Catalyst Online and to The Catalyst in print by fax, 792-6723, or by email to catalyst@musc.edu. To place an ad in The Catalyst hardcopy, call Island Publications at 849-1778, ext. 201.