CSO Newsflash 03.04.09

By Dom Nicastro (submitted to the group by Rick Ensenbach, State of Minnesota):

February 27, 2009 

American Recovery and Reinvestment Act of 2009: Impact for CSOs

On February 17, 2009, U.S. President Barack Obama signed into law the $787 billion economic stimulus package, the American Recovery and Reinvestment Act of 2009. The Act includes provisions for heightened enforcement of HIPAA and stiffer penalties for privacy and security violations, and sets aside billions of dollars for the implementation and exchange of electronic health records (EHRs). The Act also extends HIPAA security provisions directly to business associates (BAs).


According to a February 13 release on the Web site of Waller Lansden, Dortch & Davis, LLP, a Nashville law firm with extensive HIPAA and healthcare regulatory experience, the Act protects the security of protected health information (PHI) by requiring BAs to implement:


-     Security policies and training

-     Physical security safeguards (e.g., door locks)

-     Technical security safeguards (e.g., computer encryption and password protection)

The Act suggests that Congress recognizes the need to move to EHRs, but with stricter enforcement and protection of patient privacy, according to John Parmigiani, MS, BES, president of John C. Parmigiani & Associates, LLC, Ellicott City, MD, and chairperson of the team that created the HIPAA security rule.


Civil penalties for HIPAA violations now range from $100 to $50,000 per violation, in tiers that depend on the violator's level of culpability: whether the entity did not know of the violation, had reasonable cause, or acted with willful neglect (corrected or uncorrected). The Act also gives state attorneys general the power to seek civil damages and attorney's fees on behalf of state residents for HIPAA privacy breaches.


“Because [the Act] speaks to privacy and security breach notifications, increased enforcement of patient privacy, audit trails, encryption, and a definite concern for driving the attainment of an EHR while protecting patient information, it emphasizes the critical ingredient in fostering widespread implementation, acceptance, and use of e-health—trust,” Parmigiani says. “This includes trust among patients, providers, and payers to effectively and efficiently deliver healthcare and share healthcare information.”


The HIPAA provisions in the economic stimulus Act fall under the Health Information Technology for Economic and Clinical Health (HITECH) Act. According to Waller Lansden, Dortch & Davis, the Act also includes:


-     New security breach notification requirements. Covered entities must notify affected individuals when their unsecured PHI is breached, expanding the notification duties that previously existed only under state law.

-     Covered entities that experience a breach involving 500 or more patients must immediately report it to the secretary of HHS, who will then post the name of the provider or insurer on its public Web site.

-     Covered entities that experience a breach involving more than 500 residents of a single state or jurisdiction must also notify prominent local media outlets.

-     A BA that discovers a breach must notify the covered entity (the provider or health plan with which it partners), including the identity of each patient whose PHI was accessed, acquired, or disclosed.

-     Vendors of personal health records (PHRs), which fall outside HIPAA, must notify affected individuals and the Federal Trade Commission of any breach involving their products or services.

-     No pre-emption of stricter state law. Providers and health plans must still comply with state security breach laws "to the extent that they exceed the new security breach notifications provisions of the [Act]," according to the law firm.


Restricting access to PHI. A patient can now require a covered entity to honor a request to restrict disclosure of his or her PHI, so long as the request meets certain requirements (notably, a restriction on disclosure to a health plan for an item or service the patient paid for out of pocket in full must be granted).


Right to an accounting of EHR disclosures. Currently, patients can request an accounting of PHI disclosures dating back six years from the request, but HIPAA does not require disclosures for treatment, payment, and healthcare operations to be included in the list. For disclosures made through an EHR, the Act shortens the look-back period to three years but requires covered entities to include treatment, payment, and healthcare operations disclosures in the accounting.


http://www.opencongress.org/bill/111-h629/show