How to understand the new HIPAA requirements to make sure you’re in compliance

Jeff Porter, Director, Kegler, Brown, Hill & Ritter

The American Recovery and Reinvestment Act of 2009 (ARRA), also known as the stimulus bill, contains the HITECH Act, which amends the Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996.
“When HIPAA was first enacted, the health care industry was paper driven,” says Jeff Porter, a director with Kegler, Brown, Hill & Ritter. “HITECH is addressing some long-standing issues with HIPAA, as well as some newer issues that have arisen as a result of the advent of electronic health records and the online transfer of health information.”
Among the significant changes are the expansion of enforcement to states’ attorneys general, the expansion of privacy and security provisions related to “business associates,” and new breach notification provisions. In addition, penalties can now be imposed on individuals as well as entities.
Smart Business asked Porter for more information about the changes to HIPAA.
Who is covered by HIPAA?
You or a legal representative can determine whether you are a covered entity. The website for the U.S. Department of Health & Human Services (HHS.gov) and the Office of Civil Rights (OCR) provide good guidance in this regard. Covered entities typically include hospitals, nursing homes, medical offices that provide treatment and bill for those services, health insurance plans, and health care clearinghouses (e.g., companies that convert health records and other information into the coding necessary for billing and research). If you are a business associate of a covered entity (e.g., a medical billing firm or a home health care agency), and you are obtaining information for a purpose the covered entity might use it for, you fall under the HIPAA provisions which apply to business associates.
What changes have been made regarding penalties for noncompliance?
The penalties have changed in a couple of significant ways. First, in regard to enforcement, previously penalties could only be imposed on covered entities – now penalties can be imposed on individuals as well. If someone within an organization willingly neglects and doesn’t comply with the rules and makes wrongful disclosures, he or she will be subject to fines, as well as possible imprisonment. Second, in the past, enforcement and violations were addressed solely at the federal level by the Office of Civil Rights. Now, attorneys general are empowered to deal with enforcement and violations as well.
What is the impact on state privacy laws?
Although many believe that HIPAA is the sole controlling authority related to patient privacy, it does not preempt state privacy laws and regulations. If provisions in the state privacy laws are more restrictive, then those provisions apply in addition to HIPAA. For example, Ohio has some of the stricter state privacy laws in regard to disclosure of protected health information. These laws have to be evaluated and reviewed to determine what additional actions might be needed in terms of notification and disclosures. The question for the future is whether states with these stricter privacy measures will impact exchange of health information with other states. In coming years, if we are going to have more free-flowing medical information, these issues will need to be addressed.
What is considered protected health information?
Protected health information is identifiable information that is related to treatment of a patient and that is maintained by a covered entity. In certain circumstances, covered entities can release this information without authorization, for purposes of treatment, billing and health care operations. Covered entities can’t release information beyond those purposes without authorization of the patient. In addition, specific types of information are viewed as more sensitive (e.g., mental health and substance abuse information, information about certain diseases, such as HIV) in many states, and more restrictions on disclosure exist at the state level.
What is a permissible disclosure?
Information can be disclosed if a patient authorizes it. Information must be disclosed by a protected entity if the HHS requests that information as part of an investigation. Permitted disclosures also include treatment information (to help treat a patient); information used to seek payment; or information used in the health care operations category if that information will improve the quality of care overall or part of the business overall.
Do patients have any new rights?
Patients will have a greater ability to try to find out who has accessed their protected health information. Past experience is that most patients never request such information. However, there will now be a greater ability for patients to request an accounting of disclosures. This means that covered entities and business associates could be asked to account for a good deal of information if they get a request. New regulations are being considered in this area, so it is an area to watch.
How can covered entities best keep up with the changes and protect themselves?
1) Keep an eye on releases from HHS about changes. 2) Consult with your legal representative. 3) Make sure your designated privacy officer is properly trained and that he or she is training your employees. 4) Keep open lines of communication with business associates and make sure any contracts you have with them include appropriate provisions that will require they comply with HIPAA and all other state laws which may come into play.
JEFF PORTER is a director with Kegler, Brown, Hill & Ritter. Reach him at (614) 462-5418.