Notable Changes To HIPAA Included in the Stimulus Bill!

April 12, 2009 in Industry News

Included in the recently enacted Stimulus Bill were a number of provisions that change the nature of the enforcement side of HIPAA.

Fort Docs will be attending a national seminar on this in May and will provide some updates coming out of the seminar.

In the meantime, here is a summary of some of the key changes:

1. HIPAA is now directly enforceable against business associates.

Until now, HIPAA was only enforceable against a covered entity, i.e., a health plan, a health care clearinghouse, or a health care provider that transmits any health information in electronic form in connection with a transaction covered by HIPAA.

A business associate is any person or entity, other than a member of the workforce of a covered entity, who:

  a. performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; or any other function or activity regulated by HIPAA; or
  b. provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity, where the provision of the service involves the disclosure of individually identifiable health information from the covered entity, or from another business associate of the covered entity, to the person.

2. Notice of breach is now required.

  • Until now, a covered entity was only required to maintain records of any breach of confidentiality covered by HIPAA; no notice was required. Now, when a covered entity discovers a breach, the covered entity must, without unreasonable delay and no later than 60 calendar days after discovery of the breach, notify each individual whose unsecured protected health information (PHI) has been or is reasonably believed to have been accessed, acquired or disclosed as a result of the breach. If the unsecured PHI of more than 500 State residents has been or is reasonably believed to have been accessed, acquired or disclosed, notice must be provided to prominent media outlets serving the State. When a business associate discovers a breach, the business associate must notify the covered entity. In all cases of breach, notice must be provided to the Secretary of HHS, who will publish on the internet the instances of breach involving 500 or more individuals.

3. Civil monetary penalties (CMPs) have been increased.

  • Until now, civil monetary penalties for HIPAA violations were set at $100 per violation. Now, the CMPs are tiered. The first tier CMP is $100 per violation, not to exceed $25,000 per calendar year for an identical violation; the second tier is $1,000 per violation, not to exceed $100,000 per calendar year for an identical violation; the third tier is $10,000 per violation, not to exceed $250,000 per calendar year; and the fourth tier is $50,000 per violation, not to exceed $1,500,000 per calendar year. Persons who did not know, and by exercising reasonable diligence would not have known, that they violated the HIPAA provision are subject to a minimum of a first tier CMP and a maximum of a fourth tier CMP. Violations due to reasonable cause and not willful neglect are subject to a minimum of a second tier CMP and a maximum of a fourth tier CMP. Violations due to willful neglect that have been corrected are subject to a minimum of a third tier CMP and a maximum of a fourth tier CMP. Violations due to willful neglect that have not been corrected are subject to a minimum of a fourth tier CMP.

4. State Attorneys General may now enforce HIPAA violations.

  • State Attorneys General may bring a civil action in federal court on behalf of state residents in any case in which the AG has reason to believe that an interest of one or more State residents has been or is threatened or adversely affected by any person who violates the HIPAA privacy and security rules, to enjoin the violation and for damages (up to $100 per violation, up to $25,000 per violator per calendar year), costs, and attorney fees.

5. Effective date: These amendments apply to all violations occurring after February 17, 2009.