March 2, 2009

HIPAA Privacy and Security Expanded by the Stimulus Bill

The Health Information Technology for Economic and Clinical Health Act (“HITECH Act” or the “Act”) included in the “Stimulus Bill” significantly expands HIPAA privacy and security provisions. These provisions will impact anesthesia and pain practices and many other entities in the health care industry.

Some of the key aspects of the privacy and security portions of the Act include the following:

  • Required Notification for Information Breaches:

    Effective 30 days after the Secretary of the Department of Health and Human Services (“HHS”) publishes interim final regulations (those regulations are due within 180 days of the enactment of the legislation), covered entities and business associates will be required to follow certain notification protocols when a person’s unsecured protected health information has been breached. This includes individual notification to consumers and, depending on the number of individuals whose information is involved, media notification. Notification must also be made to HHS immediately if the breach involves 500 or more individuals. If the breach involves fewer than 500 individuals, the provider can maintain such information on a log, which must be provided annually to HHS.

  • Required Accounting of Disclosures Involving Electronic Health Records:

    As many providers are aware, under the current HIPAA regulations providers need not provide individuals with an accounting of disclosures of their health information if the disclosure is related to treatment, payment activities or health care operations (“TPO”) of the provider. Although the implementation date is set into the future, under the HITECH Act, providers who use or maintain electronic health records will be required to account for TPO disclosures. In such cases, however, the accounting period is limited to three (3) years prior to the date on which the accounting is requested. The Act directs the Secretary of HHS to implement regulations on what information has to be collected about each disclosure. The effective dates for this new requirement depend on whether the provider acquired an electronic record as of January 1, 2009 or after January 1, 2009.

  • The Minimum Necessary Rule:

    With regard to non-treatment situations, the current HIPAA regulations require providers to use and disclose only the minimum amount of PHI necessary to accomplish a permitted task. Until the government issues guidance on the meaning of minimum necessary, the HITECH Act includes a provision that, in order for a provider to be in compliance with the minimum necessary rule: (1) to the extent practical, uses and disclosures must be limited to the “limited data set”; or (2) if needed by the entity, to the minimum necessary to accomplish the intended purpose. A limited data set is still considered PHI but involves data that has been stripped of certain identifiers. Note that the current exceptions to the minimum necessary rule still apply (e.g., treatment purposes).

  • The Stakes Are Raised: Increased Enforcement:

    The Act contains provisions so that penalties that apply to covered entities for violations also apply to business associates. Additionally, the HITECH Act revises and expands the current penalty provisions. The Act contains new provisions related to noncompliance due to “willful neglect” and requires the government to formally investigate any complaint of a violation if a preliminary investigation of the facts indicates a possible violation due to willful neglect. The HITECH Act also replaces the current penalty of $100 per violation with a new tiered-penalty system.

    Of particular importance, the Act also includes a provision authorizing enforcement by State Attorney General offices if the attorney general of a State has reason to believe that an interest of one or more residents of that State has been or is threatened or adversely affected. In such cases, the Attorney General can bring a civil action on behalf of the state residents to enjoin any continuing violation or to obtain damages on behalf of the residents. The court may also award costs and reasonable attorney fees to the State.

  • Business Associates:

    The HITECH Act extended certain HIPAA requirements to business associates. Specifically, the Act applies the administrative, physical and technical safeguard requirements of the HIPAA security regulations to business associates. It also imposes obligations related to policies, procedures and documentation requirements.

  • Prohibitions on Sale of Electronic Health Records or PHI:

    In general, unless one of 6 exceptions applies, a covered entity or business associate shall not directly or indirectly receive remuneration in exchange for any protected health information of an individual unless the covered entity obtained a valid HIPAA authorization from the individual that includes a specification of whether the PHI can be further exchanged for remuneration by the entity receiving the PHI. The exceptions to the general prohibition include when:

    • The purpose of the exchange is for public health activities, as defined by the HIPAA regulations;
    • The purpose is for research and the price charged reflects the costs of preparation and transmittal of the data for such purpose;
    • The purpose is for treatment, subject to additional protections promulgated by regulation;
    • The purpose is in connection with a transaction and due diligence involving the sale, transfer or merger of a Covered Entity;
    • The purpose of the exchange is for remuneration that is provided by the Covered Entity to a Business Associate related to the Business Associate's activities involving the exchange of PHI that the BA undertakes on behalf of and at the request of the covered entity pursuant to the BA agreement;
    • The purpose of the exchange is to provide an individual with a copy of the individual's PHI.

    The Secretary is also authorized to develop additional exceptions. Notably, the effective date applies 6 months after the date of the promulgation of final regulations (the Secretary is responsible for promulgating regulations no later than 18 months after the enactment date of the Act).

  • Access to Information in Electronic Format:

    With regard to the current regulation allowing individuals access to their records, in the case that a covered entity uses or maintains an electronic health record, the individual has the right to obtain such information in electronic format and, if the individual so chooses, to direct the covered entity to transmit such copy to a designated person.

Your feedback is always important to us. We invite you to send us questions and concerns; we will try to address those of general interest in future Alerts.

Sincerely,

Tony Mira
President and CEO
Anesthesia Business Consultants, LLC