Tucked into the far-reaching American Recovery and Reinvestment Act — the federal stimulus package — are new provisions that expand and update the 2003 law that governs the privacy of medical information about patients.
The rules beef up enforcement tools and penalties and expand the types of organizations covered by the Health Insurance Portability and Accountability Act. While the act was first enacted in 1996, its privacy rules went into effect in 2003.
The purpose of HIPAA’s privacy paragraphs is “to put parameters around the uses of the individual’s health information, define what are permitted uses, who can share the information, who can use it and for what purposes,” explained Norbert Kugele, a lawyer at Warner Norcross & Judd who specializes in privacy law. “Other uses need permission from the individual.”
Kugele said the new language gives the federal Department of Health and Human Services, as well as state attorneys general, bigger sticks for enforcing HIPAA. But with a record of little use of the enforcement provisions it already had, Kugele said, the HHS may not be any more likely to use the new ones.
Among the new provisions are bigger fines and periodic audits of HIPAA compliance for entities covered under the law, he said. Those entities include any health care organization that does electronic billing, from hospitals and physician offices to laboratories and health insurance companies.
Because Medicare requires electronic billing, HIPAA applies to just about every health care organization that does business with the federal health coverage program for those 65 and older, Kugele noted.
The changes to the law also expand covered entities to include business associates of those health care organizations, such as billing agencies, health information exchanges and e-prescribing services, he added.
The Health Information Technology for Economic and Clinical Health (HITECH) section of the stimulus package provides for a significant increase in the monetary penalties for HIPAA violations.
“You’re not going to get as much or as good of compliance until people perceive there is a threat of monetary penalties,” Kugele said. “The other part of the criticism was that the monetary penalties weren’t enough.”
Just twice since 2003 have offending organizations been assessed fines, he said. Most of the HHS’s penalty action was focused on corrective action in responding to complaints. Fines started at $100 and were capped at $25,000 per calendar year per violation. Now the cheapest fine is $1,000 and the cap doesn’t kick in until $1.5 million, Kugele said. The penalties are divided into three categories that get progressively higher. The first, “unknown” violation category is currently vague and undefined, Kugele said. The second is “reasonable cause” violations, and the final, most expensive category is violations due to “willful neglect.”
The changes also state that people can be criminally prosecuted under HIPAA, a point that had previously been unclear, Kugele said. It also explicitly allows state attorneys general to enforce HIPAA privacy rules.
While the HHS has always been able to conduct audits, the HITECH provisions in the stimulus bill demand periodic privacy compliance audits. But, Kugele said, guidance has yet to be issued to indicate details such as the frequency or scope of the audits.
“I would say certainly if the HHS is getting complaints about a particular covered entity, it means they are more likely to land on the radar screen for an audit,” Kugele said.
The widening of the HIPAA privacy net to “business associates” of previously covered organizations is a major change and is likely to require changes to existing business contracts, he added. Those rules go into effect in August.
“There were a lot of organizations that were getting protected health information that were not directly subject to HIPAA,” Kugele said. They might have been asked to promise, in a contract, to honor privacy provisions but were not subject to penalties in cases of violations, he said. Now, not only are they subject to the penalties, the health care organizations will be required to terminate their relationship when violations are found.
Another piece of the law requires organizations that fall under HIPAA to notify individuals when their privacy has been compromised, Kugele said, similar to the requirement banks face when financial information is breached. That aspect goes into effect next year.