Preparing for HITECH and HIPAA Compliance

October 13, 2010
Interview: Amy M. Gordon, Health and Welfare Benefits Expert, McDermott Will & Emery

HCI: Do you recommend that there be a contract between all players?

Gordon: Absolutely. Under HIPAA now, you [as a covered entity] have to have a contract with your business associate. So that contract is definitely required.

The other thing is, as you go downstream, and you have a business associate that contracts with another business associate or a subcontractor, what happens there? The rules don't necessarily require the covered entity to have a contract with those business associates or subcontractors. But it does require a business associate who is using that other business associate or subcontractor to have an agreement in place. And that is new.

One of the other things that the proposed rules do is expand the definition of what a business associate is. They expanded it also to organizations that provide data transmission services. For example, more and more insurance companies are receiving reimbursement electronically. So, there is data transmission to substantiate those bills and fees. If there is an entity involved, they would probably need a business associate agreement. And then, more with the states, for example, regional health information organizations, those are typically state-run organizations that require sending and receiving PHI [protected health information], sending and receiving them electronically. These other entities will be business associates as well.

Even though HIPAA was passed in 2004 and became effective in 2006, it really was not as focused on electronic transmission, not so much as it is now. I think they just sort of focused on the low-hanging fruit at first.

HCI: How has the protection of deceased individuals’ protected health records changed under the proposed regulations?

Gordon: In the past, deceased individuals were treated just like regular individuals. Now, somebody can actually claim on their behalf; [for example] their estate can claim [their privacy rights] on their behalf. Your information still remains private even though you have died. So, for example, if you died of AIDS and you don’t want your family members to know that, there is this enhanced protection. The [deceased] privacy rights have been enhanced slightly.

HCI: What are the obligations of covered entities now to provide individuals with greater access to electronically stored information now, under the proposed rules?

Gordon: You always had the right to access your protected health information. That hasn’t really changed. But you always only had access to what was considered designated record set. Again, that has not changed. The change that happened with HITECH is, now you get an additional access ability when your information is maintained in an electronic, designated record set. So what you can do, in addition to getting a paper copy or just access to your file, you could request that the covered entity transmit the copy of electronic health information to you or to a designated person in an agreed upon formal format.

HCI: Let's talk about culpability and penalties.

Gordon: The past rules were insignificant. There were civil penalties of $100 per violation up to $25,000 per violation per year. Criminal penalties were fines ranging from $50,000 to $250,000 and then prison from one to 10 years, if somebody knowingly obtained and disclosed protected health information. And these new enforcement rules put things into four new categories. Before, the categories were civil, criminal, that was it, and you didn't see much enforcement action.

And I would expect that you would see a lot more enforcement action now, because previously, CMS [the federal Centers for Medicare and Medicaid Services] was required to enforce HIPAA, but they didn’t really have the manpower to enforce it. And there was never a private right of action on the individual. It was always, they had to go to CMS, and CMS would enforce it. Now there are new penalties, and there is also kind of a whistleblower incentive, so that if somebody actually reports somebody who has violated somebody else’s privacy rights, they could actually share in some of the penalties.

The states are now charged; the state attorneys general are now charged with actually enforcing HIPAA.

HCI: The level of enforcement could be uneven.

Gordon: Yes, right. You might find that some states are a lot more aggressive and some states aren’t. You could be in a state that is really an enforcement state, in which case the judge will throw the book at you; and then you could be in a state that’s so lax, that you could do the same thing or something worse, and not get any penalties.

Right now, we are not seeing any enforcement, because, although they could start, they are just not [doing so]. I think that everybody is so tied up with healthcare reform that they can’t even focus on this right now. But I think there will be a lot of state attorneys general, that will realize this is the way to get the spotlight on people to pay attention, so you might find some more aggressive behaviors down the road.

HCI: What are the levels of culpability under the proposed rules?
