Today U.S. President Barack Obama signed into law the $787 billion American Recovery and Reinvestment Act of 2009, an economic stimulus measure that includes provisions for heightened enforcement of HIPAA and stiffer penalties for privacy and security violations, and that sets aside billions of dollars for investment in electronic health records (EHR) implementation and exchange. The Act also extends HIPAA security provisions to business associates (BAs).
According to a February 13 release on the Web site of Waller Lansden Dortch & Davis, LLP, a law firm based in Nashville with extensive HIPAA and healthcare regulatory experience, to ensure the security of protected health information (PHI) the Act includes provisions requiring BAs to implement:
The Act suggests that Congress recognizes the need to move to EHRs but with stricter enforcement and protection of patient privacy, according to John Parmigiani, MS, BES, president of John C. Parmigiani & Associates, LLC, Ellicott City, MD, and chairperson of the team that created the HIPAA security rule.
Penalties for facilities that have privacy breaches range from $100 to $50,000 per violation, depending on whether the facility could reasonably have avoided the breach. The Act also gives state attorneys general the power to seek civil damages and attorney's fees for HIPAA privacy breaches.
"Because [the Act] speaks to privacy and security breach notifications, increased enforcement of patient privacy, audit trails, encryption, and a definite concern for driving the attainment of an EHR while protecting patient information, it emphasizes the critical ingredient in fostering widespread implementation, acceptance, and use of e-health: trust," Parmigiani says. "This includes trust among patients, providers, and payers to effectively and efficiently deliver healthcare and share healthcare information."
The HIPAA provisions in the economic stimulus Act fall under the Health Information Technology for Economic and Clinical Health (HITECH) Act. According to Waller Lansden Dortch & Davis, the Act also includes:
Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, MA, says the HIPAA provisions in the Act are "HIPAA Administrative Simplification taken to the next level."
The Administrative Simplification provisions of HIPAA (HIPAA, Title II) required HHS to establish national standards for electronic healthcare transactions and national identifiers for providers, health plans, and employers.
"The Act contains billions to fund health IT for expanding the implementation and exchange of electronic records," Borten adds. "To do that successfully and safely, Congress recognizes the need for broader and stronger, more explicit privacy and security controls."
Experts say one of the major changes for providers is the law's requirement for BAs to adhere to the security requirements of HIPAA. "HIPAA covered entities are no longer their 'brothers' keepers' since business associates will become directly subject to the HIPAA privacy and security rules, as well as to the penalties which have become stricter," Borten says.
It also makes BAs adhere to the same provisions as covered entities. "This enforces the 'chain of trust' concept envisioned by the crafters of the security rule," Parmigiani says. "So, in a way, it modernizes HIPAA to make it more in tune with an emerging e-health environment."
The Act further strengthens rules for the marketing and release of patient information, according to Parmigiani. For example, patients can now opt out of fundraising communications by hospitals. Parmigiani also believes the Act signals the new administration's focus on more rigorous regulatory enforcement.