In February 2009, Congress passed the Health Information Technology for Economic and Clinical Health (HITECH) Act as part of the American Recovery and Reinvestment Act of 2009. The HITECH Act expands enforcement of HIPAA’s privacy and security requirements, and creates obligations for breach notification, information sharing, and business associate relationships.
Most significant are the changes to the HIPAA enforcement structure, including increased sanctions for violations and explicit authority for state attorneys general to pursue private claims on behalf of individuals. Long-term care facilities need to take steps now to ensure compliance with the notification and business associate requirements which are in effect at this time.
Notification requirements include:
- Increasing a covered entity’s obligation to contact individuals affected by an information breach.
- Any breach of unsecured protected health information must be reported to the individual whose health information has been, or is reasonably believed to have been, accessed, acquired or disclosed.
- Notification must be made within 60 days of the discovery of the breach.
- Notice of the breach must include as much of the following information as possible:
  - A brief description of what happened, including the dates of the breach and discovery
  - A brief description of the types of information involved
  - Steps that the individual should take to protect against improper use of the disclosed information
  - A brief description of the actions taken by the covered entity in response to the breach
  - Contact procedures for the individual to request more information
- Compliance with the new notification requirements will require a careful assessment and revision of covered entities’ breach notification policies to ensure they are adequate under the updated rules.
- Notification requirements apply only to unsecured protected health information.
Business associate requirements include:
- The revised HIPAA rules carry new obligations for business associates and alter their relationships with covered entities.
- All privacy requirements that apply to covered entities also apply to any business associates that obtain or create protected health information pursuant to a written contract or agreement.
- As of February 2010 these requirements must be incorporated into all business associate contracts between associates and covered entities.
- Business associates also have a separate obligation to notify the corresponding covered entity of information breaches within 60 days of discovering the breach, effectively requiring business associates to assist the covered entity in the notification process.
Penalties for non-compliance include:
- Penalties ranging from $100-$50,000 for an inadvertent violation, up to a $50,000 minimum for each case of willful neglect that goes uncorrected, with an annual cap per entity of $1.5 million.
- State attorneys general will now have the ability to bring civil actions on behalf of residents of their respective states who have been adversely affected by any HIPAA violation, and may seek injunctive relief and damages of $100 per violation, up to $25,000 annually for violations of an identical requirement or prohibition, plus attorney fees.
All long-term care facilities should review their HIPAA policies and business associate agreements and revise them as soon as possible. Following the revision, training of staff and business partners must be completed. The AssuredPartners NL clinical risk management team can help you ensure that your organization is fulfilling all aspects of compliance. To learn more about RMS, visit: AssuredPartners NL Risk Management Solutions.
*The RMS team is presenting distance learning on compliance on Dec. 2, 2013 from 2 to 3 p.m. EST. Visit www.rmsol.com for more info, or contact the RMS office at 1-800-664-0772.