A lot of attention has been paid to timelines for achieving meaningful use starting in 2011. But there are some parts of the HITECH Act that will be enforced much sooner. The act became law on Feb. 17, 2009. On its first anniversary, covered entities must comply with several aspects having to do with privacy and security. While not all of these new guidelines will have major implications for CIOs, some definitely will.
Over the last several months, law firms with strong healthcare practices, including Baker Donelson and Lindquist and Vennum, have published handy online reminders about the upcoming changes.
Here is a brief summary of a few of their reminders about changes taking effect Feb. 17:
• Heightened enforcement; increased penalties
Starting Feb. 17, the HHS Office for Civil Rights will investigate personal health information (PHI) data breaches. Civil penalty amounts will increase based on the level of intent and neglect. For violations due to willful neglect that are not corrected within 30 days, penalties start at $50,000 per violation. State attorneys general are also authorized to enforce HIPAA rules.
• Personal health information in electronic format
HIPAA already requires covered entities to provide individuals with a copy of their personal health information in the format requested by the individual, but only if it is readily producible. Under the HITECH Act individuals have the right to obtain a copy of their PHI in an electronic format from a covered entity that uses an electronic health record. Also, patients may designate another recipient without having to sign an authorization. Is your organization ready to provide patients such information in an electronic format?
• Requests on restriction of sharing health information
Previously, HIPAA allowed individuals to request restricted uses or disclosures of their personal health information for certain purposes, but covered entities were not required to agree to such a request. Effective Feb. 17, covered entities must comply with restriction requests if the disclosure is not related to treatment and the individual has paid in full for the services. Some people do not want to share certain information about a condition with their health insurer, at least until laws are changed about patients being penalized for pre-existing conditions. Will this require segregating that EHR data somehow?
• Restrictions on sales and marketing
The rules regarding marketing to patients and the sale of PHI are complex, and the HITECH Act narrows the exceptions to the definition of "marketing communications" and further limits the exceptions under which any PHI may be sold. Legal counsel will have to provide guidance here.
Baker Donelson’s reminder includes several action items that hospitals should have taken by now, including amending business associate agreements to establish the rights and responsibilities associated with security breach notification.
The law firm also notes that by March 1, 2010, the first annual breach notification reports of breaches of unsecured PHI involving fewer than 500 individuals are due to HHS. Does your organization have audit logs established for the submission of such reports and to answer questions about whether corrective actions have been taken?
For more information: