by Mike Wheeler
University Compliance Office
The American Recovery and Reinvestment Act of 2009 (ARRA), referred to
as the federal stimulus package, contains provisions strengthening the
Health Insurance Portability and Accountability Act (HIPAA). The
package contains new provisions that enhance both privacy and
information technology security regulations.
Under ARRA, patients must be notified of an unauthorized acquisition,
access, use or disclosure (or breach) of unsecured protected health
information with a brief description of what happened and the steps
individuals should take to protect themselves. This notification must
be made without unreasonable delay and in no case later than 60
calendar days after discovery.
If a breach involves more than 500 records (for example, a lost laptop
containing unencrypted protected health information), the U.S.
Secretary of the Department of Health and Human Services (HHS) and the
local media must be notified. In addition, the HHS secretary’s office
must be provided a yearly listing of all breaches. Individual employee
“snooping” into records is a breach and must be reported.
The stimulus package also provides for heightened enforcement actions.
Penalties for violating HIPAA and other patients’ rights laws are based
upon the level of intent, and can range from $100 to $1.5 million.
Courts also can award damages, court costs and attorneys’ fees. State
attorneys general are granted enforcement authority to bring civil
actions on behalf of any state resident adversely affected by an
unauthorized acquisition, access, use or disclosure of protected health
information. Most importantly, individuals can be subject to criminal
and civil liability for intentional breaches or willful neglect.
Business associates (e.g., a contracted transcription service) must
meet additional HIPAA requirements for both privacy and information
technology security. Business associates must also report any
unauthorized acquisition, access, use or disclosure of a patient’s
protected health information. For these reasons, most current business
associate agreements must be revised. In addition, business associates
can now be subject to criminal and civil liability.
ARRA also contains provisions affecting fundraising activities, changes
to the accounting rules for disclosures of electronic medical records,
changes to the right to request a restriction on the disclosure of
protected health information to a health plan, changes to the
conditions governing communications about a product or service, and
establishes the right of a patient to obtain a copy of electronic
medical records in an electronic format. Since the final regulations
are scheduled to be issued in the next few months, additional staff
training will be accomplished using the CATTS system.
Friday, April 24, 2009