Give & Take

Stimulus Package Offers More Healthcare IT Dollars, Stiffer HIPAA Penalties

Nineteen billion dollars... that's the magic number topping newscasts regarding funding for the promotion and adoption of electronic health records (EHRs) in the recently-passed stimulus package.

When Congress signed off on the American Recovery and Reinvestment Act of 2009, it included the HITECH Act – Health Information Technology for Economic and Clinical Health – to offer much-needed funding and guidelines to help providers across the country move toward EHRs. What hasn't received as much attention, however, is that the new law signed by President Obama on Feb. 17 also includes much stiffer penalties for those who breach the HIPAA privacy and security regulations, as well as a slew of new requirements. Furthermore, those penalties and requirements now extend beyond covered entities to include business associates and vendors.

With the push for the broad-based adoption of EHRs comes a rising unease over security and privacy breaches. From the T.J. Maxx credit card debacle to the recent laptop loss containing the health information of thousands of veterans, lawmakers are increasingly aware that personal information is potentially at risk.

"Congress is very concerned that entities handling electronic health information be doubly careful that this information not end up in the wrong hands," said Gina Greenwood – HIPAA compliance specialist and attorney with Baker, Donelson, Bearman, Caldwell & Berkowitz, PC, which has 17 offices.

Although HIPAA was passed more than a decade ago and implementing regulations regarding security standards went into effect in 2005, many covered entities still aren't fully compliant. What has largely been a slap on the wrist in the past could potentially become a knockout punch if covered entities, business associates and vendors don't get their HIPAA house in order in record speed.

Attorney Erin B. McMahon, a partner with Wyatt, Tarrant & Combs, LLP, which has offices in five states, focuses her practice on HIPAA compliance. Based out of the firm's Lexington, Ky. office, McMahon conducts compliance audits and works with hospitals and physicians to implement HIPAA policies.

"Although the HIPAA regulations were drafted with the best of intentions, I seriously doubt there's anyone in total compliance with every one of those regulations anywhere in America," she said, adding the uphill battle just got harder. "The amendments to HIPAA are pretty startling for those of us who've been in the business since the Act was passed back in 1996."

Greenwood, who is based in Baker Donelson's Atlanta office, underscored the impact this legislation would have on healthcare suppliers and service providers and explained that prior to the passage of HITECH, a business associate executed a contractual document with the covered entity including an agreement to protect the privacy of the information. However, those business associates – typically professionals who need protected health information from a covered entity in order to do a job on behalf of the provider – were not actually bound directly by HIPAA... now that has changed.

"In the past, there was no direct liability under HIPAA for privacy or security violations," Greenwood explained. "It was all contractual obligations. Business associates will now be subject to statutory liability for breaches of certain HIPAA Privacy Rule and Security Standards."

McMahon added most of these new playing rules go into effect by Feb. 17, 2010, giving business associates a short window to execute the 18 security rule standards and their 36 implementation specifications.

Another major component of the new law affecting both covered entities and business associates is the set of data breach notification requirements. While many states have some type of data breach law, often tied to financial information such as a Social Security or credit card number, HITECH adds that mandate to HIPAA.

"Now covered entities will be required to notify each individual whose unsecured, protected health information has been... or is reasonably believed to have been... accessed, acquired or disclosed," Greenwood said.

Furthermore, she noted, covered entities will now have to immediately notify the Secretary of HHS if the breach involves the acquisition or disclosure of 500 or more individuals' unsecured, protected health information. Even if only a few records are potentially at risk, those incidents will have to be logged and reported to HHS annually. Business associates have the responsibility of notifying the covered entity if such a breach occurs on their watch.

McMahon pointed out that under the new mandates, not only must individuals and HHS be notified of major potential breaches, but the covered entity must also notify "prominent media outlets serving a state" if a breach affecting more than 500 residents of the state occurs.

"Now covered entities will have a HIPAA obligation to admit to the patients that a security mistake has been made – which could cause major public relations issues, as well as huge administrative costs to try to mitigate any potential damage from patients' protected health information having been disclosed," Greenwood said.

Since violators must self-report breaches to the oversight agency, both attorneys said this makes it quite easy for HHS to pinpoint offenders and levy fines.

"The other thing this law does is really expand how HIPAA can be enforced," McMahon added. "Up to this point, the Office of Civil Rights – which enforces the privacy rules – and the Centers for Medicare and Medicaid Services – which enforces the security rules, except in the most egregious circumstances – have been willing to work with the entity to achieve compliance. With this law, it not only increases the penalties for violations but broadens HHS' and CMS' ability to decide what they are going to do with the violator.

"Before, in the universe of things for which healthcare entities could be held liable, HIPAA was (pretty far) down the list. Now, HIPAA has moved way up."

One concern, McMahon continued, is that the new provisions in the stimulus package suggest that HHS will implement a variation on the qui tam laws allowing individuals who assist a prosecution to receive a portion of any penalty imposed. The new law calls for the Secretary of HHS to promulgate regulations within the next three years establishing a manner in which a person harmed by a violation might receive a percentage of any civil monetary penalty or settlement collected. Although individuals still won't be able to sue under HIPAA, there is now an incentive to complain to the government about how they were harmed by a violation so that they might participate in any financial settlement or fine.

While several provisions call for regulations to be adopted by the end of the summer that will spell out the law more clearly, the penalty portion of HITECH appears to be enforceable immediately. "Most of the law, with respect to the HIPAA amendments, goes into effect next February 17 except for the penalties, which go into effect now," McMahon opined.

Prior to HITECH, McMahon said there were simple monetary penalties for HIPAA infractions. Typically, a covered entity could be fined $100 for each violation not to exceed $25,000 for the same breach in a calendar year.

"Now that's changed, and there are different tiers of violations and different levels of monetary penalties based on intent and steps taken to solve the problem," she explained.

By McMahon's interpretation, those who have breaches considered to be caused by willful neglect and that have not been corrected would fall into Tier D penalties. At this highest level, those guilty of infractions would be fined $50,000 for each violation not to exceed $1.5 million in a calendar year for multiple violations of any one requirement or prohibition. Tier C – violations due to willful neglect but that have been corrected – are punishable by fines ranging between $10,000-$50,000 per violation not to exceed between $250,000-$1.5 million in a calendar year for multiple violations of the same requirement or prohibition. Tier B – violations due to reasonable cause but without willful neglect – call for fines of $1,000-$50,000 per violation not to exceed between $100,000-$1.5 million for multiple violations of the same requirement or prohibition in a year.

The lowest level, Tier A, uses the more familiar fine structure of at least $100 per incident not to exceed $25,000 for multiple violations of the same breach, but the law now gives the agencies discretion to impose fines of up to $50,000 for each violation not to exceed $1.5 million in a calendar year for multiple violations of any one requirement or prohibition. For a Tier A breach, an offender would have to prove they didn't know... and by exercising diligence wouldn't have known... they had committed a violation of HIPAA and that there was no willful negligence. McMahon said she frankly couldn't even think of an example of this type of infraction as ignorance of the law isn't a viable defense.

Who Is a Business Associate

Presumably business associates know who they are, but just to be clear a business associate is any person or company that performs functions for a covered entity that requires the use or disclosure of protected health information (PHI) or provides services that require a covered entity to disclose PHI in order for those services to be rendered.

Examples include claims processing, quality assurance, benefit management, accounting services, billing agencies, medical malpractice defense legal services, practice management, third-party administration of health plans, medical transcription, software programmers, interpreters and collection agencies, among others. These individuals and companies must comply with the HITECH provisions, as well as most of the HIPAA security rule and portions of the HIPAA privacy rule, by Feb. 17, 2010, or be subject to penalties set forth under HITECH.
If information is adequately protected, however, then presumably a lost laptop or stolen PDA wouldn't lead to a security breach and therefore, in McMahon's opinion, would probably not be reportable... no harm, no foul.

"I've been encouraging clients to go ahead and encrypt not only their laptops and PDAs that travel with them outside their offices but also their data that resides on their server. Even though HIPAA doesn't require encryption, I think we're headed toward that de facto standard," McMahon said.

Among the frustrations healthcare attorneys have on behalf of clients... and themselves... is a lack of exact definitions for many of the new requirements and myriad deadlines.

"Every little piece of the Act has a different deadline and many sections are subject to rulemaking," said Greenwood. However, she continued, most parts will need to be in place by February 2010. She added there was no money specifically made available for covered entities and business associates to enact the many HIPAA changes, which will require revisions to contracts, privacy notices, policies and procedures and much more.

Despite the costs and short turnaround, Greenwood said, "One thing is clear, covered entities and business associates are strongly advised to come into compliance with the HIPAA Privacy Rule and Security Standards as soon as possible."

McMahon warned, "With this new law, if you're not taking the appropriate steps to comply with HIPAA, there will be serious consequences. Get your house in order... and get it in order now!"