On February 17, 2010, HHS will begin to enforce changes to HIPAA enacted through the HITECH Act. The new requirements imposed by the HITECH Act will have a significant impact on the privacy and security of personal health information and on the compliance efforts of affected healthcare Covered Entities and their Business Associates. The HITECH Act has expanded the direct applicability of the Privacy and Security Rules to Business Associates. Significant changes may be necessary to comply with the new requirements.
On February 17, 2010, the Department of Health and Human Services (“HHS”) will begin to enforce changes to the Health Insurance Portability and Accountability Act (“HIPAA”) enacted through the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. The new requirements imposed by the HITECH Act will have a significant impact on the privacy and security of personal health information and on the compliance efforts of Covered Entities under HIPAA, as well as their Business Associates. While HIPAA applied only to Covered Entities such as treatment providers, health plans, and healthcare clearinghouses, the HITECH Act has expanded the direct applicability of the Privacy and Security Rules to Business Associates. Significant changes may be necessary to demonstrate compliance with HIPAA and the HITECH Act.
The following summary outlines the new requirements when HHS enforcement begins and the steps necessary to comply.
Breach Notification Policies
Covered Entities and Business Associates should immediately develop, adopt, and implement Data Breach Notification policies and procedures to comply with the breach notification requirements in effect under the HITECH Act. In the event a breach of unsecured information occurs, the Covered Entity must provide notice to all affected individuals that (1) describes what happened; (2) describes the information involved; (3) lists steps the individuals should take to protect themselves from potential harm from the breach; (4) includes a summary of the entity’s investigation and mitigation efforts; and (5) includes the applicable contact information for questions. The notice must be provided within 60 days of discovering the breach, and the entity must notify HHS of the nature of the breach. If the breach affects more than 500 individuals, additional media notices and more stringent HHS notice timelines must be met. In the case of a breach committed by a Business Associate, it must notify the Covered Entity, which then must notify the affected individuals. Although the rule has been in effect since September 2009, enforcement will begin February 17, 2010.
Business Associate Privacy and Security Requirements
Business Associates must now comply directly with (1) the HIPAA Security Rule and (2) the Business Associate provisions of the HIPAA Privacy Rule. Business Associates must also make sure their agreements with Covered Entities meet the new HITECH Act requirements. To comply, Business Associates need to implement administrative, physical and technical safeguards to protect information. This includes adopting and implementing HIPAA-compliant security policies and procedures, adopting and implementing policies and procedures to comply with the Business Associate provisions of the Privacy Rule, reviewing and updating Business Associate agreements as necessary to comply with the changes, and training the workforce on compliance with these new policies. Business Associates will also need to appoint a Privacy Officer in order to comply with HIPAA.
Covered Entity Obligations
As of February 17, 2010, Covered Entities also face a number of changes with which they must comply, including new marketing restrictions; minimum necessary use and disclosure requirements; and stricter requirements relating to accounting for disclosures. Provider Covered Entities must also permit an individual to prohibit disclosure of protected health information (PHI) from that provider to a health plan, if the PHI pertains solely to healthcare items or services for which the individual pays entirely out-of-pocket. To ensure compliance, each Covered Entity should: (1) review and revise its HIPAA Privacy and Security Policies and Procedures, and implement any necessary additional safeguards; (2) update personnel training to inform staff of the changes and new requirements for Covered Entities and their Business Associates; and (3) review and update its Notice of Privacy Practices.
The changes facing Covered Entities and Business Associates are many and at times complex. Health care providers must be ready to comply, or they will face the heightened civil penalties discussed in our November 5, 2009, Alert.
Health Law Monitor