Latest News and Industry Interest

The Health Information Technology for Economic and Clinical Health (HITECH) Act has been signed into law on February 17, 2009. It serves to promote the adoption and meaningful use of health information technology and addresses the privacy and security concerns associated with the electronic transmission of health information. It does so through provisions that strengthen the civil and criminal enforcement of the HIPAA rules.

This interim final rule amends several provisions of the Enforcement Rule, subpart D, to conform its language regarding HHS’ imposition of civil money penalties to section 1176 of the Act, specifically section 13410(d) of the HITECH Act revised as of February 18, 2009. Subtitle D of the HITECH Act, which specifically pertains to privacy, contains several other provisions crafted to strengthen enforcement. Some but not all pertain to HHS’ implementation of the Enforcement Rule.

Many of the enforcement provisions of the HITECH Act became effective as of February 18, 2009. Other enforcement provisions, however, have yet to become effective under the HITECH Act and are therefore subject to future rulemaking.

Among the main points of the Act include:

• Striking the affirmative defense for violations in which the covered entity did not know, or by reasonable diligence would not have known, of the violation (such violations are now punishable under the first tier of penalties);

• Providing penalties even in cases when the person did not know (and by exercising reasonable diligence would not have known) that such person violated such provision; penalties for violation due to reasonable cause and not to willful neglect; and penalties for violations due to willful neglect.

• Revising the subsection that provides an affirmative defense for a 30-day time period of correction to only require that the covered entity demonstrate the violation was not due to willful neglect (the statute previously also required a showing that the violation was due to reasonable cause).

For other important provisions you can view the complete text of the Interim Final Rule here.

Secretary delegates HIPAA Security Rule to OCR

On July 27, 2009, Secretary of the Department of Health and Human Services (HHS) Kathleen Sebelius delegated authority for the administration and enforcement of the Security Standards for the Protection of Electronic Protected Health Information (Security Rule) to the Office for Civil Rights (OCR). This action was implemented to improve HHS’ ability to protect individuals’ health information by combining the administrative and enforcement authority pertaining to Federal standards for health information privacy and security called for in the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The HIPAA Privacy Rule is also administered and enforced by OCR.

Congress mandated improved enforcement of the Privacy Rule and Security Rule in the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009 (ARRA). Combining the enforcement authority in one agency within HHS will facilitate improvements by eliminating duplication and increasing the efficiency of investigations and resolutions of failures to comply with both rules. Moreover, combining the administration of the Security Rule and the Privacy Rule is consistent with the health care industry’s increasing adoption of electronic health records and the electronic transmission of health information.

The transition of authority for the administration and enforcement of the Security Rule is expected to be seamless with no interruption in the management or processing of any complaints filed prior to the transition. Consumers may continue to submit HIPAA security complaints using the on-line resource – the Administrative Simplification Enforcement Tool (ASET). New security complaints may also be sent to the Office for Civil Rights. For more information and detailed instructions on how to submit a complaint to OCR, visit the OCR web site. The transition of security complaints from CMS to OCR has no impact on how complaints about Transactions and Codes Sets or Unique Identifiers are filed or processed. CMS retains its enforcement authority for these other HIPAA rules. www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html November 30, 2009

Entities covered by the HIPAA Privacy Rule. The Privacy Rule applies only to covered entities. Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Privacy Rule's requirements to protect the privacy of health information and must provide individuals with certain rights with respect to their health information.

A covered entity is one of the following:

1. A Health Care Provider, including providers such as:

Doctors
Clinics
Psychologists
Dentists
Chiropractors
Nursing Homes
Pharmacies

...but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.

2. A Health Plan, including:

Health insurance companies
HMOs
Company health plans
Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs.

3. A healthcare clearinghouse, including entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.

Source: www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html November 30, 2009