The Health Information Technology for Economic and Clinical Health Act (HITECH Act) made some important changes to the privacy and security rules under the Health Insurance Portability and Accountability Act (HIPAA). HIPAA's Privacy Rule sets standards for the use and disclosure of protected health information (PHI), whereas the Security Rule sets standards for the protection of electronic PHI. The most noteworthy change to the Privacy Rule and the Security Rule is the requirement that HIPAA-covered entities, including health care providers, must notify individuals when their unsecured PHI has been breached.

In 2013, the Department of Health and Human Services (HHS) published the HIPAA Omnibus Rule, a set of final regulations modifying the HIPAA Privacy, Security, and Enforcement Rules to implement various provisions of the HITECH Act. The regulations require changes in several areas of operation, including HIPAA breach notification and security, health information management, marketing, and fundraising, to name a few. Many of the changes will require considerable effort to implement. The notable changes for medical offices concern individual rights under HIPAA; these necessitate changes in policies and procedures and must be listed in an entity's Notice of Privacy Practices (NPP).

Penalties for Security Breaches

HIPAA-covered providers need to update their policies and procedures or face stiff penalties. HIPAA-covered entities that currently provide NPPs must update them to reflect the changes in individual rights; violations are subject to enforcement that can include fines up to $50,000 per day.
A new four-tier violation schedule with increased minimum and maximum fines has replaced the previous enforcement rules; mandatory fines for willful neglect of compliance now start at $10,000.
Violations that are not promptly corrected carry mandatory minimum fines starting at $50,000 and can reach $1.5 million for any particular violation.
For a violation due to reasonable cause and not to willful neglect, a penalty of not less than $1,000 nor more than $50,000 for each violation is mandatory.
How to Remain Compliant Under the New Rule

HIPAA-covered entities and business associates need to update their business associate agreements and notices of privacy practices. Business associates need to conform with the Security Rule with regard to electronic PHI, and they must also report breaches of unsecured PHI to covered entities. Business associates need to make sure that any subcontractors that create or receive PHI on behalf of the business associate agree to the same conditions that apply to the business associate with respect to such information.

In addition, physicians need to diligently review and update HIPAA policies and procedures, mainly those regarding privacy breaches and reporting. For Notices of Privacy Practices, the HIPAA Omnibus Rule requires that they include a statement indicating that authorization is required for uses and disclosures of PHI for marketing purposes and for disclosures that constitute a sale of PHI. Since these changes represent material changes under the HIPAA regulations, the revised NPP needs to be provided to all new patients, made available to existing patients upon request, and displayed on the office website and in the offices.