Federal Stimulus Means New HIPAA Privacy and Security Mandates
“We will make the immediate investments necessary to ensure that within five years, all of America’s medical records are computerized.” President Barack H. Obama, January 8, 2009.
In line with this audacious promise, the American Recovery and Reinvestment Act of 2009 (ARRA) expands, enforces, and enhances the privacy and security safeguards required by the Health Insurance Portability and Accountability Act (HIPAA) for certain individually identifiable health information. The tightening of these safeguards is critical to building the network of computerized record-keeping systems that will service the whole nation. Most businesses will be affected by these changes to some degree. Some of the key changes made by the new law include:
- Business associates become directly subject to HIPAA
- Breach notification requirements are added under HIPAA
- State attorneys general may enforce HIPAA violations
- Individual rights are expanded under the rule changes
Business Associates Become Directly Subject to HIPAA. Generally, individuals and entities are treated as “business associates” when they provide services to “covered entities” under HIPAA. Prior to ARRA, business associates were not directly subject to the privacy and security regulations under HIPAA, but had obligations with respect to HIPAA through the terms of agreements entered into with covered entities.
Under ARRA, beginning 12 months from February 17, 2009 (“date of enactment”), business associates become directly subject to certain requirements under the HIPAA privacy and security regulations in the same manner as those requirements apply to covered entities. These changes likely will require modifications to existing business-associate agreements.
Additionally, ARRA subjects business associates to the same civil and criminal penalties as covered entities for violations of the privacy and security requirements.
Breach Notification Requirement Added to HIPAA and Beyond. As breaches of personal information continue to affect millions of individuals across the United States, the ARRA adds a breach notification requirement to HIPAA. The new requirement follows the general framework established by states that adopted similar laws over the past few years, with some important distinctions:
- A breach requiring notification does not occur where the unauthorized person who receives a disclosure of protected health information would not reasonably be able to retain the information.
- Unless a delay in notification is permitted for law enforcement purposes, notification may not be provided later than 60 days after discovery of the breach.
- If the breach involves 500 or more individuals, covered entities must notify the Secretary of Health and Human Services immediately.
- Breaches involving 10 or more individuals for whom there is insufficient or out-of-date contact information require conspicuous posting on the covered entity’s website or notice in major print or broadcast media.
The notification requirement applies only to breaches of “unsecured” personal health information, which, subject to future guidance, generally means it is not secured by a technology standard, developed or endorsed by an accredited organization, that would render the information unusable, unreadable, or indecipherable. The ARRA directs the Department of Health and Human Services (HHS) to promulgate regulations within 180 days of the date of enactment to carry out this new notification requirement. The new regulations will apply to breaches discovered on or after the date that is 30 days after final interim regulations are published.
The ARRA also added a similar breach requirement for certain vendors of personal health records. Vendors include those entities that are not covered entities under HIPAA, but access information in a personal health record or send information to a personal health record. Perhaps with an eye towards a national standard for data breach notification, the breach notification requirement for these vendors will cease to be effective on the effective date of regulations that implement new legislation establishing such a national standard.
State Attorneys General to Enforce HIPAA and Other Enforcement Provisions. Under the ARRA, effective immediately, State Attorneys General may bring a civil action in federal court to enforce the privacy and security regulations under HIPAA. These actions may seek damages on behalf of State residents. Damages are determined by multiplying the number of violations by $100, subject to a calendar year cap for violations of identical requirements or prohibitions equal to $25,000. If successful, a State Attorney General also could recover attorneys’ fees.
Since the original effective date (April 14, 2003) of the HIPAA privacy regulations, few, if any, “civil penalties” have been assessed against covered entities. The HHS generally has taken a complaint-driven approach to enforcement. However, provisions of the ARRA seek to change this pattern:
- Effective immediately, penalties for violations are increased through a tiered structure. For example, a violation due to “reasonable cause”, but not “willful neglect”, may bring a penalty of as little as $1,000 but not more than $1,500,000. Even where the person did not know (and, by exercising reasonable diligence, would not have known) of a violation, a penalty of as little as $100 but not more than $1,500,000 may result.
- Two years after the date of enactment of ARRA, penalties will be required in cases of willful neglect.
- Where in the course of a preliminary investigation HHS believes a complaint indicates a possible violation due to willful neglect, it must commence a formal investigation.
- Within three years of enactment of ARRA, a method will be in place to share civil penalties with the individuals harmed.
Increase in Individual Rights with Respect to Protected Health Information. The HIPAA privacy and security regulations outline certain rights individuals have with respect to their protected health information. These rights include a right to request access and restrictions on certain disclosures. The ARRA enhances some of these rights. For example:
- A requirement that covered entities comply with certain requested restrictions, despite the existing rule that generally permitted covered entities to decline to grant restriction requests.
- Increased obligations for covered entities maintaining electronic health records to account for disclosures of protected health information.
- Limitations on the ability to receive remuneration in connection with an exchange of protected health information.
- Increased access to protected health information maintained in electronic format.
* * *
Regulation of the use, disclosure and safeguarding of privacy and security of personal information, particularly personal health information, will continue to grow, whether at the federal or state level. Businesses should evaluate the kinds of information they maintain both for their business and their employees in order to determine the extent to which these laws may apply. Implementation of appropriate policies and procedures, among other steps, such as developing a breach response plan, can go far to reducing potential liability. We will be providing more information about the changes under ARRA in the coming weeks. Members of our Workplace Privacy Group are available to assist your business to understand your obligations and plan accordingly.
Getting Health Care Reform Right
The year was 1992 and politicians were touting managed care as the solution to the country’s double-digit healthcare inflation. Managed care was described as the magic bullet that would ensure quality healthcare, access and affordability for millions of Americans.
Fast forward 17 years and it’s clear that managed care was not the panacea that everyone hoped it would be. Our nation’s politicians are once again looking for that magic bullet to solve an ever-increasing list of problems with our healthcare system, including a record number of uninsured Americans and spiraling costs. We are being told that this time, healthcare reform will ensure quality healthcare, access and affordability. This latest push for reform didn’t start with President Obama taking office. Throughout the race for the White House, it was one of the hottest and most widely debated of issues.
There’s no question that Americans want healthcare reform. This fact was supported by a Service Employees International Union (SEIU) commissioned healthcare poll. According to that poll, conducted by Lake Research Partners, both Democrats and Republicans said that healthcare is this country’s top domestic issue and the second most important issue overall. (The war was identified as the number one overall issue.) Of those polled nationally, a vast majority (71 percent of Republican voters and 88 percent of Democratic voters) agreed with the statement, “We need to move beyond piecemeal reform because our healthcare system needs to be fundamentally overhauled.”
While Americans are anxious to see real reforms from our elected leaders, there appears to be no well-defined or comprehensive resolution on the horizon. Instead, what we are hearing about from our representatives in Washington are packages that contain a compilation of compromises and financial guesswork.
Personally, I find it perplexing that Congress is even considering moving forward with legislation that carries such an enormous price tag while this country continues to deal with the worst economic downturn since the depression, a ballooning deficit, a credit crunch, and two ongoing wars. Frankly, in more than 20 years in organized medicine, I have rarely met a member of Congress or a legislative staff member who truly understood the economics of our healthcare system.
Those who do understand the economics of healthcare know that a system that provides every man, woman and child unlimited and unfettered access to medical care is, ultimately, unsustainable. This fact is not being discussed by our federal legislators, however. Instead, they are minimizing all publicity relating to the financial limitations that will be inherent in any universal healthcare proposal. These same politicians know that to mention the idea of healthcare rationing would be a poison pill for any legislation and would create a public uproar. So they choose not to explain how they plan to cut costs and improve quality while insuring an additional 47 million Americans. Clearly, something has to give.
There are multiple healthcare reform bills currently under consideration, although H.R. 3200 is the bill that seems to be gaining the most acceptance at this time. This bill has an exorbitant price tag and falls significantly short of the president’s goal of insuring 97 percent of our population. The AARP initially speculated that healthcare reform would cost $600 million. Recent reports estimate a $1.5 trillion price tag over 10 years. According to GOP leader Mitch McConnell, “Every proposal we’ve seen would cost a fortune by any standard.” Even with this excessive expenditure, the Congressional Budget Office estimates that roughly 15 million to 20 million people will remain uninsured at the end of the decade. Regardless of the cost and the inability to achieve universal coverage, President Obama claims that this investment is critical in order to fix our dysfunctional healthcare system. The president has also said that healthcare reform will not increase the federal deficit. That comment begs the question, “How, then, are we going to pay for it?”
The methods of paying for healthcare reform are still very sketchy, but Congress is considering multiple mechanisms, including: an income tax surcharge for single people and households (Congress will set the thresholds for the tax), certain cuts in Medicare and Medicaid, and financial penalties on individuals and employers who don’t obtain coverage. According to House Speaker Nancy Pelosi, “Many members think that there’s more to be squeezed from hospitals, pharmaceutical companies, and docs.” In other words, Congress plans to reduce the promised levels of reimbursement to these groups after gaining their support.
We should look at the three-year history of the Massachusetts universal healthcare project to gain insight into what we face nationally when it comes to healthcare reform. Massachusetts has unexpectedly incurred a 70 percent increase in costs over three years for insuring the previously uninsured population. It has been determined that once the state provided health insurance to the uninsured, utilization skyrocketed. This increase is being balanced by a reduction in payments to hospitals. In fact, Boston Medical Center has filed a lawsuit against the state because its reimbursement has been reduced to 64 cents on the dollar for low-income patients. The lesson here is that we should anticipate an increase in utilization and a corresponding increase in costs. One must wonder whether our politicians have factored these possible outcomes into their budgets.
As I began to write this article, I had the opportunity to read the results of a July Gallup poll in USA Today. It revealed that the American public is losing trust in the way the president is handling healthcare reform. A majority of those polled (50 percent to 44 percent) stated they disapproved of how the president is handling healthcare reform. Perhaps it’s time for both Democrats and Republicans to educate themselves further and refine their positions before proposing changes that will no doubt have long-term, far-reaching, and possibly irreversible consequences for the American people.
The American Society of Anesthesiologists made the following comments about the leading proposal before Congress, H.R. 3200 (Please see the ASA’s talking points on this bill below).
- It would be unsustainable for the medical specialty of anesthesiology to operate within a public plan option based on Medicare payment rates.
- Payment levels for anesthesia services provided through the new “public health insurance option” must be fixed.
Contrary to the political spin coming from Washington, every healthcare reform proposal under consideration appears to come up short. Any suggestion that one of these bills will fix the system is simply fiction. In the government’s haste to pass legislation, I fear that our leaders will fall short on the promise of universal coverage, will exceed all estimates on cost, and ultimately will do very little to address quality.
Whether you agree or disagree with the idea of universal healthcare, everyone should agree that change is coming. Every one of us has a stake in the outcome of this debate, especially those who currently have health insurance. It’s imperative that physicians remain part of the debate. There will never be a better opportunity to help shape the future of the delivery of healthcare in this country. There has never been a more important time to support your political action committee, NYAPAC.
Stuart A. Hayman, MS serves as executive director of the New York State Society of Anesthesiologists (NYSSA). He has graciously agreed to share his recent article published in Sphere with my blog members.