Group items tagged

Those who are superstitious may believe that bad things happen on Friday the 13th, but we will leave it to each individual and entity to formulate conclusions regarding the Health Information Technology for Economic and Clinical Health Act (the HITECH Act), which Congress passed late on Friday, February 13, 2009, and President Obama officially signed into effect on February 17, 2009. The HITECH Act addresses various aspects relating to the use of health information technology (H.I.T.), including providing for federal funding by way of grants and incentive payments in order to promote H.I.T. implementation. This Alert focuses, however, on Subtitle D of the HITECH Act, which includes important, new and far-reaching provisions concerning the privacy and security of health information that will materially and directly affect more entities, businesses and individuals in more diverse ways than ever before. These changes are further elaborated upon below, but this Alert can only highlight certain prominent issues under the HITECH Act and is by no means a comprehensive review of this lengthy and complex Act. For questions and additional guidance on the HITECH Act, contact your Fox Rothschild attorney or the authors of this Alert. New Privacy and Security Requirements * Security Breach Notification Requirements: Security breach notification requirements under the HITECH Act go into effect 30 days after the date that interim final regulations are promulgated, which will be no later than 180 days after the date of enactment of the HITECH Act (August 16, 2009). Covered entities, business associates and vendors who handle personal health records are required to abide by breach notification requirements. Violations of this requirement by vendors would be treated as an unfair and deceptive act or practice in violation of the Federal Trade Commission Act. If a breach affects more than 500 individuals of a particular state, notice also must be provided to prominent media outl

"The U.S. Department of Health and Human Services issued an interim final rule to beef up penalties for violations of the Health Insurance Portability and Accounting Act (HIPAA), as several Congressmen criticize the agency for leaving dangerous loopholes in the law. The new rules significantly increase penalty amounts that the U.S. Department of Health and Human Services can impose for HIPAA violations of patient privacy, according to a statement from HHS. The new rules reflect requirements enacted in the Health Information Technology for Economic and Clinical Health (HITECH) sections of the American Recovery and Reinvestment Act (ARRA) of 2009. Before HITECH, maximum penalties were $100 for each violation or $25,000 for all identical violations of the same provision. A covered health care provider, health plan, or clearinghouse could be exempt from civil financial penalties if it demonstrated it did not know it violated the HIPAA rule. The HITECH act increases civil financial penalties by establishing tiered ranges of increasing minimum penalties, with a maximum $1.5 million for all violations of identical provisions. And a "covered entity" can plead ignorance as a protection only if it fixes the violation within 30 days of discovery."

"In a sign that state attorneys general may be flexing the HIPAA enforcement muscle granted by the HITECH Act provisions in the Recovery Act, the Connecticut and Arizona attorneys general are investigating health plans that recently experienced data breaches that they failed to disclose for several months. Typically, state attorneys general prosecute only violations of state laws, but they now have authority to investigate and levy fines for violations of HIPAA and the HITECH Act, which requires mandatory notifications within two months of knowledge of a breach. Connecticut Attorney General Richard Blumenthal (D) has emerged as possibly the first AG to take on a HIPAA investigation, and Arizona's AG may also be pursuing a similar course. The larger of the two breaches that have come to the AGs' attention was experienced by Health Net, Inc., which lost a portable external hard drive containing seven years of data for 446,000 Connecticut residents. The lost data came from 1.5 million individuals in total, who also hailed from New Jersey and New York. Health Net reported the loss to the Connecticut AG on Nov. 19, and on the same day Blumenthal issued a scathing statement demanding answers and promising action. He specifically said he was investigating whether Health Net may have violated "federal laws," as well as his state's own data protection laws."

CSOs in healthcare organizations know that the Health Information Technology for Economic and Clinical Health (HITECH) Act, signed into law in February 2009, includes new privacy requirements that experts have called "the biggest change to the health care privacy and security environment since the original HIPAA privacy rule." These include: New requirements that widen the definition of what Personal Health Information (PHI) information must be protected and extend accountability from healthcare providers to their business associates; Lower thresholds, shorter timelines, and stronger methods for data breach victim notification; Effective immediately, increased and sometimes mandatory penalties with fines ranging from $25,000 to as much as $1.5 million; More aggressive enforcement including authority to pursue criminal cases against HIPAA-covered entities or their business associates. No doubt, the HITECH Act raises the stakes for a data breach. But regulations aside, data breaches can hurt your organization's credibility and can carry huge medical and financial risks to the people whose data is lost. We've managed hundreds of data breaches and helped thousands of identity theft victims. Through this we've learned firsthand that compliance doesn't necessarily equal low risk for data breach. For the well being of the business and patients, healthcare organizations and their partners need to take the most comprehensive approach to securing PHI.

A rule requiring healthcare providers, health plans, and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals of a breach of their unsecured protected health information will become effective September 23, 2009. The "breach notification" regulations implement provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was part of the American Recovery and Reinvestment Act of 2009 (ARRA). The new "breach notification" regulations apply to HIPAA-covered entities and their business associates. HIPAA covered-entities include health plans, healthcare clearinghouses, and healthcare providers. A business associate is a person or entity (such as a healthcare benefits broker) who, on behalf of the covered entity, performs a function involving the use or disclosure of individually identifiable health information.

"The United States House of Representatives took a major step this week toward enacting a national data breach notification law. H.R. 2221, the Data Accountability and Trust Act (DATA), cleared the House with a voice vote. In its current form, DATA requires businesses to notify customers and the Federal Trade Commission (FTC) if sensitive information has been exposed to a security breach. If the U.S. Senate can reconcile its own approach to data breach notification legislation with DATA, a new federal standard will emerge. If signed into law by President Barack Obama, a federal data breach ¬law would pre-empt the jumbled mass of dozens of state laws. "You'd be better served by federal legislation if the federal legislation has teeth and doesn't pre-empt the state's law," said California state senator Joe Simitian, speaking to executive editor Scot Petersen in September. "If there was a meaningful standard at the national level, I think many states would be happy to accept it." Aside from the data breach notification required by the HITECH Act, DATA would put into place the first national law of its kind. H.R. 2221 was sponsored by House Subcommittee Chair Rep. Bobby L. Rush of Illinois. The bill specifically states that: "Any person engaged in interstate commerce that owns or possesses data in electronic form containing personal information shall, following the discovery of a breach of security of the system maintained by such person that contains such data -- 1. notify each individual who is a citizen or resident of the United States whose personal information was acquired by an unauthorized person as a result of such a breach of security; and 2. notify the Federal Trade Commission."

Congress has been dithering over the adoption of a federal data security breach notice law for the last several years without coming to an agreement on a national standard for reporting breaches in the security of personal and financial data, but on February 17, data breach notice provisions applicable to health information were signed into law as part of the HITECH Act provisions of the massive economic stimulus legislation, H.R. 1 (111th Cong., 1st Sess. Feb. 17, 2009). Beginning no later than September 16 of this year, "covered entities" under the Health Insurance Portability and Accountability Act (HIPAA) will be required to give notice of breaches in the security of protected health information, and "business associates" of HIPAA-covered entities will be required to report such breaches to the covered entities. §13402(a) & (b). Currently, California and Arkansas are the only states that require that notification be given in the case of a breach in the security of medical or health insurance information. The HIPAA Privacy Rule currently does not contain a requirement that individuals be notified in the event of such as breach. However, some covered entities interpret the existing HIPAA Privacy Rule requirement that covered entities mitigate harmful effects of uses or disclosures of health information in violation of either the Privacy Rule or the entity's policies and procedures as suggesting that such notice be given, and many covered entities currently provide such notification.

Feds would spend $20 billion on health IT if Senate and House agree in coming weeks. The House-passed version of the economic stimulus bill includes about $20 billion in spending for health IT. The bill, known as H.R. 1 or the American Recovery and Reinvestment Act of 2009, would make Medicare and Medicaid providers and hospitals eligible for incentive payments for using certified e-health records technology. It also supports health information exchanges, standards development and conformance testing, a chief privacy officer for health IT and other aspects of health IT. The portion of the bill called the Health Information Technology for Economic and Clinical Health Act -- the Hitech Act, for short -- and health IT spending provisions passed largely unchanged from the bills introduced earlier this month. The Senate is expected to take up a similar bill in the first week of February. The Senate bill now calls for $23 billion in health IT spending. Once it is passed, a House-Senate conference will need to resolve differences between the bills. Congressional leaders aim to send President Barack Obama the bill by mid-February.

Hospital CIOs, chief information security officers, and privacy officers are working diligently to keep their names off that wall. But they are dealing with a regulatory environment that is still in flux. A final rule that will strengthen HIPAA privacy and security safeguards is due out before the end of the year. HHS also has proposed a rule for the accounting of disclosures from electronic records. The biggest shift under way may be a new enforcement regime as the HHS Office for Civil Rights (OCR) shifts gears from only reacting to data breach reports to begin random audits of the privacy and security safeguards of large and small providers and their business associates. Another new wrinkle under the HITECH Act is that state attorneys general can file civil lawsuits for HIPAA violations.

"It has been a bad past couple of months for healthcare information security. In October and November, multiple healthcare organizations announced patient data losses that made headlines in their communities, and national news in a few of the most egregious instances in which breaches involved hundreds of thousands of records."

Both panels that advise the national coordinator for health IT plan to focus on privacy and security standards needed to support meaningful use of electronic health records when they meet later this month, according to notices in today's Federal Register. The Health IT Policy Committee, led by Dr. David Blumenthal, the national coordinator for health IT, will direct more of its discussion at its upcoming Sept. 18 meeting on health information privacy and security as it makes progress in defining meaningful use under the stimulus law, according to the notice. Likewise, the companion Health IT Standards Committee, which meets Sept. 15, will concentrate on refining standards recommendations made by its privacy and security work group. At the Standards Committee's previous meeting Aug. 20, its privacy and security workgroup presented standards for authentication, authorization, auditing and secure data transmission of health information in EHR products as well as the infrastructure that hosts them. The work of the panel includes protecting data inside an enterprise as well as data exchange between enterprises, "because security is an end to end process," noted Dr. John Halamka, the committee's chairman in a post on his blog, "Life as a Healthcare CIO."

Health IT industry leaders and privacy advocates are watching carefully to see how the federal government will enforce expanded health data breach notification rules set to take effect this week, Federal Computer Week reports. HHS' breach-notification rule, which applies to HIPAA-covered entities and business associates, is scheduled to take effect tomorrow. The Federal Trade Commission's companion rule, which applies to personal health record vendors and other non-HIPAA-covered entities, is scheduled to take effect Thursday. The federal economic stimulus package mandated the creation of both rules.