MedCity Influencers

New HITECH rules, deadlines should shake health providers out of ‘HIPAA fatigue’

Attorney Brian M. Murray warns that health providers who have “HIPAA fatigue” need to re-awake for new privacy and security rules in the Health Information Technology for Economic and Clinical Health Act (HITECH). The deadlines are approaching sooner than you may think.

Brian M. Murray is a partner in Calfee, Halter and Griswold’s Employee Benefits and Executive Compensation and Health Care & Life Sciences practice groups.

Several years ago, hospitals, health care practitioners, pharmacies, insurance companies and health plan sponsors spent an enormous amount of time and money bringing their medical practices, claims administration procedures and group health plans into compliance with HIPAA’s privacy, security and electronic transaction rules.

Third-party service providers that created or handled the protected health information of covered entities also spent an enormous amount of time and money figuring out their obligations as “business associates” under those rules. But with the onset of “HIPAA fatigue,” and as it became apparent that the government’s short-term focus would be on education and voluntary compliance rather than strict enforcement, many covered entities and business associates have become complacent.

Thanks to the Health Information Technology for Economic and Clinical Health Act, which is often referred to as the “HITECH Act” due to Congress’s penchant for groan-inducing acronyms, the time has come to revisit HIPAA and your privacy and security practices.  While the new privacy and security rules in the HITECH Act are generally effective on Feb. 17, a few changes become effective much sooner and deserve your immediate attention.

Raising the stakes

The HIPAA compliance stakes have been raised considerably. If imminent audits and formal investigations of complaints do not get your attention, consider that Congress also (1) authorized state attorneys general to sue for breaches of the privacy and security requirements, with harmed individuals being entitled to share in the judgment or settlement amounts under rules yet to be issued; (2) provided enhanced civil monetary penalties for those breaches; and (3) “clarified” (clarification by Congress rarely being a good thing) that criminal penalties may be applied to employees of covered entities. Since these changes are already effective, we could soon witness the emergence of a HIPAA-crusading, politically ambitious state attorney general not unlike the one Wall Street had a few years ago.

Against this background, the federal government is clearly stepping up its enforcement efforts. In January, the Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) teamed up to investigate the privacy practices of a national pharmacy chain. Apparently they concluded that nefarious elements, if they were so inclined, could infiltrate the company’s trash dumpsters and recover prescriptions and prescription bottles. The company paid a hefty fine and agreed to implement a Corrective Action Plan. More recently, on July 16, 2009, HHS announced that it is expanding its health information privacy enforcement team through the addition of two “health information privacy specialists” (read: investigators and auditors).

Alert the media!

If you accidentally disclosed individuals’ medical records, your first response would probably not be to make a public announcement about it on local radio and television stations and in the local newspaper.  Nor, we suspect, would you be inclined to prominently display information about the disclosure on your company’s home page or notify HHS so that it could do likewise on its website and highlight your improper disclosure in its annual report to Congress.  Well, you may be surprised to learn that, under certain circumstances involving improper disclosures of protected health information, you may have to do just that.  These notice requirements become effective not later than September 15, 2009, and possibly earlier depending on the timing of agency action.

!#&%@&*$!# (Encryption)

Fortunately, these disclosure requirements can be avoided by using prescribed methods to secure protected health information. In April, HHS announced that these methods are “encryption and destruction.” Encryption must be performed in a manner consistent with the HIPAA security regulations. Since there are many ways to encrypt data, and the safe harbor is tied to specific publications of the National Institute of Standards and Technology (NIST), even entities that already use encryption should review this guidance to ensure that all of the requirements are being satisfied. As my children will gladly demonstrate, there are also many ways to destroy things. So HHS has prescribed specific NIST standards for that too.

Administrative requirements

A very significant change under the stimulus bill is that business associates are now directly subject to the privacy and security rules. So business associates and covered entities should revisit and, if necessary, dust off their business associate contracts. Business associates will have a keener interest in ensuring that they have business associate contracts in place with their clients and customers.

Companies will need to amend their privacy practices and procedures to conform to several new requirements. For example, individuals are entitled to accountings of electronic disclosures of their protected health information made to carry out treatment, payment and health care operations in the three years preceding the request. Previously, these disclosures were excluded from the accounting requirement. Since there is a strong governmental push to have all health records be in electronic form, this could become a significant undertaking for health care providers, insurance companies and group health plans.

Material changes to privacy practices and procedures necessitated by the rule changes will require the revision of Notices of Privacy Practices (and, at least for self-insured group health plans, their distribution within 60 days of the changes). Workforce training must be performed within a reasonable period of time after the changes to privacy practices and procedures.

Stay tuned

The HITECH Act is just the tip of the iceberg as far as regulation of electronic medical records and the privacy and security of health information are concerned. There will be frequent and significant legislative and regulatory changes in this area over the next few years, and compliance will remain a moving target. HIPAA privacy and security officers and others responsible for the privacy and security of their business’ health information should educate themselves about these rules because more voluminous and complex rules will quickly follow.
