The HITECH Act, passed in February as part of the American Recovery and Reinvestment Act of 2009 (ARRA), significantly expanded the reach of HIPAA and increased the penalties for HIPAA violations, as noted in the Waller Lansden bulletin available at this link. Many details, however, were left undefined when the legislation was signed into law. A clearer picture of the HITECH Act’s impact on healthcare providers is now beginning to emerge, and highlights of recent developments are provided below. In addition, new developments are pointing to increased enforcement activities with the consolidation of enforcement responsibilities to the Office for Civil Rights and substantial fines imposed in two "record peeking" incidents.

Waller Lansden’s Healthcare practice will present a breakfast briefing on Oct. 8, 2009 to assist healthcare providers, health plans, and their business associates in understanding and responding to the HITECH Act’s impact on their policies and procedures. To register for this complimentary seminar, please contact Aja Hendrix via email or by calling 800-487-6380.

New Breach Notification Regulations

The U.S. Department of Health and Human Services (HHS) has published new regulations that implement HITECH Act provisions requiring healthcare providers, health plans and other entities covered by HIPAA to notify individuals when their unsecured protected health information is breached. The new regulations mandate that such notification occur within a reasonable period after discovery, not to exceed 60 days. Additionally, HIPAA covered entities must immediately notify the HHS Secretary and the media of breaches affecting more than 500 individuals. Business associates of HIPAA-covered entities are required to notify covered entities of breaches. These regulations will take effect on Sept. 23, 2009; however, HHS has announced that it will delay imposing penalties on violators until Feb. 22, 2010.

Consolidation of Enforcement Activities into Office for Civil Rights

The ARRA allocated $24 million to the government to increase enforcement efforts and fund mandatory periodic audits of healthcare providers and health plans. On August 4, 2009, HHS announced that authority for enforcement of the HIPAA security rule had been transferred from CMS to the Office for Civil Rights (OCR) in an effort to improve efficiency. OCR is currently responsible for enforcing the HIPAA privacy rule, which is handled through OCR’s 10 regional offices; enforcement of the security rule is expected to be handled in the same manner. The HHS press release announcing the move is available at this link.

Record Peeking

In addition to the regulations emerging in the wake of the HITECH Act’s passage, recent “record-peeking” incidents indicate a developing trend toward stricter enforcement and greater penalties for privacy violations, even for less significant occurrences. For example, in July 2009, a doctor and two former hospital employees pled guilty to HIPAA violations, punishable by up to a year of prison time and fines of up to $50,000, when all three individually accessed and peeked at a patient’s records without any legitimate purpose. The individuals were prosecuted despite their failure to disclose the information to any third parties or use the information to their advantage. In the Department of Justice release discussing the prosecution, U.S. Attorney Jane Duke emphasized, “The HIPAA privacy protections are real, and we hope that through vigorous enforcement of HIPAA’s right-to-privacy protections and swift prosecution of those who violate HIPAA, we can deter those in the medical industry who have access to protected health information from searching others’ medical records merely to satisfy their own curiosity.”

Another notable “record peeking” penalty occurred in May 2009, when Kaiser Permanente was fined $250,000 under California’s privacy laws after 23 hospital employees of Los Angeles-based Bellflower Hospital accessed and viewed the medical records of “Octomom” Nadya Suleman, the highly publicized mother of octuplets. After the first few incidents of “employee peeking” were discovered, the company added a warning notice to Suleman’s records that authorization was required for access. The notice, intended to deter other employees from peeking, was unsuccessful, and the California Department of Public Health determined that Kaiser was at fault for failure to take adequate steps to protect the records from inappropriate peeking.