Enforcement Before and After HITECH
Prior to HITECH, focus was almost exclusively on achieving voluntary compliance
Now there is a significant punitive element
HITECH increased penalties
– For the most egregious violations (those caused by willful neglect which are not timely corrected), HITECH provides civil penalties of at least $50,000 per violation up to a maximum $1.5 million a year for the same violation
– Frequently the same incident involves violations of multiple provisions
Mass General Hospital (Feb 2011)
Employee left PHI on a subway (a patient schedule and billing encounter forms containing names and medical record numbers for 192 infectious disease patients, including diagnosis for 66 of those patients, some of whom had HIV/AIDS).
Paid $1 million and entered into a Resolution Agreement
(1) Unauthorized disclosure caused by (2) inadequate safeguards (3) compounded by failure to train and (4) absence of employee sanctions
Examples of Criminal Violations
Employee at UCLA who accessed medical records of celebrities out of curiosity
– Paid $2000 and spent 4 months in prison
Doctor in Arkansas pled guilty to a HIPAA violation after logging in to the medical record of a murdered news anchor
– Paid $5000 and sentenced to 50 hours community service educating professionals on HIPAA
A nurse who accessed a patient’s records, without authorization, at the request of a psychologist evaluating the patient’s fitness to have custody,
SAG Actions by Conn. & Vermont
HealthNet lost a hard drive containing more than 500,000 individuals’ records, including clinical data and social security numbers
Paid $250,000, with possibility of another $500,00 if it is determined that information is accessed and used illegally
– Settlement noted that HealthNet had spent $7 million investigating and had not found evidence that the data had been accessed
Additional HITECH Act Requirements
Breach notification requirements
Enforcement of HIPAA privacy and security compliance on downstream entities
– Business Associates (BAs) (including subcontractors), Health Information Organizations, E-Prescribing Gateways, other persons that provide data transmission services, Personal Health Record vendors if service provided for Covered Entity (CE)
– Expanded definition of “workforce member” to include volunteers, trainees, others
Restrictions on uses of PHI
– Restrictions on marketing, fundraising, prohibitions on sale of PHI
– Minimum necessary requirements
– Requirements for Business Associate Agreement (BAA) defined in regulation
– BAAs imposed contractual liability on BAs for meeting the requirements set forth
– CE was liable for its own acts and for the acts of its BAs who met the federal common law definition of an “agent” unless the requirements for a BAA were met, the CE did not know of a pattern or practice of the BA violating the agreement, and the CE did not fail to act as required by HIPAA in response to the violation
Additional Privacy & Security Requirements for Business Associates
Directly subject to certain Privacy Rules
– Disclose PHI to HHS for compliance purposes
– Disclose PHI in electronic format for access to PHI
– Provide accounting for disclosures in Electronic Health Record (EHR)
– Comply with minimum necessary standard
– Take reasonable steps to cure a material breach of subcontractor
Directly subject to Security Rule
– Implement administrative, physical, and technical safeguards, and meet policy and documentation requirements
– HITECH changes (including requirements for BAs) in Subtitle D generally effective February 1, 2010
– Proposed Rule provides for compliance date of 180 days after effective date of Final Rule
– Transition provision would grandfather existing BAAs for up to one year beyond the compliance date of the Final Rule, if BAAs not modified between effective date and compliance date of Final Rule
HIPAA Restrictions on Marketing
Previous HIPAA framework for marketing
– Authorization required to use or disclose Protected Health Information for marketing
– Marketing means
  A communication about a product or service that encourages recipients of the communication to purchase or use the product or service (with certain exceptions), or
  An arrangement whereby the Covered Entity discloses Protected Health Information to a third party for marketing in exchange for direct or indirect remuneration
Marketing communications allowed without authorization if
– Face-to-face communication
– Promotional gifts of nominal value to the individual
HIPAA Restrictions on Marketing
Pre-HITECH Did Not Include as Marketing
– Health care operations communications to describe a health-related product or service that is provided by, or included in a plan of benefits of, the CE making the communication; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits
– Communications for case management or care coordination, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual
– Communications for the treatment of the individual
– Even if indirect or direct payment from a third party was
HITECH Revised Framework for Marketing
Permits individuals to opt out of treatment communications (including case management and care coordination) if remuneration is received in exchange for making the communication
– Requires that the Notice of Privacy Practices inform individuals about the remuneration and provide them the right to opt out of receiving further communications; and
– The treatment communication must also disclose the remuneration and provide a clear and conspicuous opportunity to opt out of further communications.
Permits communications to provide prescription refill reminders or about a currently prescribed drug, provided the amount of the remuneration to the CE is reasonably related to the CE’s cost in making the communication
HITECH Revised Framework for Marketing
HITECH clarifies prohibition on sale of PHI
– CE or BA may not receive “direct or indirect” remuneration in exchange for disclosure of PHI, unless valid authorization provided (with certain specified exceptions, e.g., treatment, payment, public health, research, sale/transfer/merger/consolidation of CE, to or by a BA on behalf of the CE, to an individual, required by law, or for copies of PHI)
Proposed Rule requires that the individual authorization state that the disclosure will result in financial remuneration to the CE
HITECH Revisions to Fundraising
Individuals have right to opt out
– Proposed Rule requires that a CE provide, with each fundraising communication, a clear and conspicuous opportunity to opt out of receiving future fundraising communications
No undue burden on individual
CE cannot condition treatment or payment on an individual's choice to receive or not to receive fundraising communications
When an individual has opted out of receiving fundraising communications, CE may not send such information to them (reasonable efforts are insufficient)
– Must include information about fundraising communications in Notice of Privacy Practices