The New HIPAA Provisions: Health Care Providers and Business Associates Know Your Risks and Expand Requirements!




by:
Deborah C. Hiser
Ana E. Cowan
Brown McCarroll, L.L.P. - Austin Office

 
March 25, 2009

Previously published on March 5, 2009

The Economic Stimulus Plan[1], signed by President Obama on February 17, 2009, creates new and significant privacy protections for patients, and new requirements for covered entities ("Providers") and their business associates. If you use electronic health records ("EHR"), you are now subject to increased civil penalties and exposure if you violate HIPAA.

Additional requirements for health care providers:

  • Accountings.[2] Providers must now maintain accountings of all disclosures of protected health information ("PHI"), not just disclosures made for purposes other than treatment, payment or health care operations. Patients now have the right to request accountings of such disclosures made in the prior three years.
  • Notification of security breaches. Providers who experience a security breach are now required to notify affected patients following the discovery of a breach.
  • Publication of security breaches.[3] HHS will maintain a website where security breaches are posted.
  • Notice to HHS and the Media. Providers must immediately notify HHS if there is a security breach involving the PHI of more than 500 individuals. If more than 500 individuals are affected by a security breach in a given state or jurisdiction, notice in major print or broadcast media is required. When the breach involves fewer than 500 individuals, Providers must maintain a log of such breaches and submit the log annually to the Secretary of HHS.
  • Notice to Patient. Providers must notify patients of security breaches within 60 days. The Notice must include the date of the breach, date that Provider knew of the breach, and steps taken to mitigate against any harm that may result from the breach.
  • Expanded definition of security breach. The definition of "breach" now includes "unauthorized acquisition, access, use, or disclosure of PHI."
  • Technical Assistance. HHS is required to issue, and annually update, guidance on technologies and methodologies that make PHI unusable, unreadable, or indecipherable to unauthorized individuals.
  • Expanded application of the "Minimum Necessary" rule. Providers must rely on a "limited data set" to the extent that is viable.[4]
  • Restrictions. Providers must restrict disclosure of PHI to payors upon request of the patient if the PHI requested relates to an item or service that the patient has paid for in full without submitting a claim.

New requirements for Business Associates of Providers:

  • Compliance with the Privacy and Security Rules to the same extent as covered entities.
  • Duty to implement administrative, physical and technical safeguards to protect PHI.
  • Duty to develop HIPAA Privacy and Security policies and procedures.
  • Liability for civil penalties for violations of HIPAA.
  • Reporting all security breaches to Providers and notifying patients.

Civil Penalties and Enforcement:

  • Maximum penalty for a violation increases from $25,000 to $1.5 million.
  • Patients whose PHI is illegally used or disclosed can recover a percentage of any penalties collected by the Office of Civil Rights.
  • HHS will audit compliance with the Rules, altering the current complaint-driven enforcement system.
  • State attorneys general are given authority to enforce HIPAA.

What both Providers and Business Associates must do:

  • Review all relationships with contractors to assess whether Business Associate Agreements are in place and are compliant with the new requirements.
  • Providers must amend current HIPAA policies and procedures.
  • Business Associates must develop HIPAA Privacy and Security policies.
  • Retrain your work forces.

--------------------------------------------------------------------------------

[1]  The "American Recovery and Reinvestment Act of 2009".

[2] Current users of EHRs must comply by January 1, 2014. If you acquire EHRs, the effective date is January 1, 2011, or the date of EHR acquisition, whichever is later.

[3] HHS must issue breach notification regulations within 180 days of passage of the Stimulus Plan, and the notification provisions become effective 30 days after publication.

[4] HHS will issue guidance on what constitutes "minimum necessary" within 18 months of passage of the Plan.
