FOR IMMEDIATE RELEASE
MUST READ – HITECH ACT
Covered entities (CEs) and business associates (BAs) are required to amend existing BA contracts or negotiate new ones. Contracts executed before the HITECH Act do not satisfy the interim final breach notification rule or the new statutory requirements that apply to BAs. The breach notification requirements for BAs took effect September 23, 2009, and most of the other BA-related requirements take effect February 17, 2010. CEs and BAs should amend their contracts based on the statute and the interim final breach notification rule; they should not wait for the Office for Civil Rights (OCR) to publish rules on BA contract requirements. In the absence of a rule, the statute governs, so BAs are already required to notify the covered entity within the prescribed period (without unreasonable delay and no later than 60 days after discovery) when they experience a breach. Contracts should be updated or amended as soon as feasible to meet the February 17, 2010 statutory deadline and the requirements of the interim breach notification rule.

The HITECH Act of 2009 adds the following requirements to the Health Insurance Portability and Accountability Act (HIPAA):
• Extends the privacy and security rules to all parties exchanging PHI
• Requires BAs to develop and implement written PHI security policies and procedures
• Establishes a federal breach notification requirement for unsecured (unencrypted) PHI
• For vendors of personal health records and related entities not covered by HIPAA, a parallel FTC rule treats violations as unfair or deceptive acts or practices, with the same enforcement and penalty provisions as violations under FACTA
• Applies to breaches occurring on or after September 23, 2009
• Enhances patients' rights over their PHI
• Prohibits CEs and BAs from directly or indirectly receiving payment in exchange for PHI without the patient's authorization
• Establishes criminal and civil penalties for non-compliance
• Applies the privacy and security rules DIRECTLY to BAs
• Establishes mandatory breach reporting for CEs and BAs

What is a breach?
A breach is the unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain it.
Three situations are excluded from this definition: (1) any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a CE or BA, if made in good faith and within the scope of that authority, and the PHI is not further used or disclosed in a manner not permitted by the Privacy Rule; (2) any inadvertent disclosure by a person authorized to access PHI at a CE or BA to another person authorized to access PHI at the same entity, if the PHI is not further used or disclosed in a manner not permitted by the Privacy Rule; and (3) a disclosure where the CE or BA has a good-faith belief that the unauthorized recipient would not reasonably have been able to retain the information.

HITECH Breach Notification
Requires CEs to notify affected individuals when unsecured PHI in their control (or in their BAs' control) has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed. A breach is treated as "discovered" as of the first day on which it is known, or by exercising reasonable diligence would have been known, to any workforce member or agent of the entity (other than the person who committed the breach).
If 500 or more individuals are affected, the CE must notify the affected individuals and the HHS Secretary without unreasonable delay and no later than 60 days after discovery; if more than 500 residents of a single state or jurisdiction are affected, prominent media outlets serving that state or jurisdiction must also be notified.
If fewer than 500 individuals are affected, the CE must log the breach and report it to the HHS Secretary annually, no later than 60 days after the end of the calendar year in which the breach was discovered.
The regulations also require a BA to notify the covered entity of any breach at the BA, without unreasonable delay and no later than 60 days after discovery, and to identify the affected individuals so that the CE can notify them.
Notice Requirements:
Without unreasonable delay, and in no case later than 60 calendar days after discovery of a breach, a covered entity must provide written notice by first-class mail to each affected individual's last known address (or by e-mail if the individual has agreed to electronic notice). Among other things, the notice must include:
(1) a brief description of what happened, including the date of the breach and the date it was discovered,
(2) a description of the types of unsecured PHI involved in the breach,
(3) the steps the individual should take to protect himself or herself from potential harm,
(4) a description of what the covered entity is doing to investigate the breach, mitigate harm, and protect against further breaches, and
(5) contact procedures for individuals to ask questions or learn more (for example, a toll-free number, e-mail address, web site, or postal address).
Instructions for Submitting Notice of a Breach to the Secretary
The breach notification interim final rule requires covered entities to provide the Secretary with notice of breaches of unsecured protected health information (45 CFR 164.408). The number of individuals affected by the breach determines when the notification must be submitted to the Secretary. Please review the instructions below for submitting breach notifications. Please note: only covered entities may submit notification using this form.
What is required?
Reviewing and updating the Notice of Privacy Practices
Obtaining an inventory of current business associates and vendors
Identifying the entities with which your practice shares PHI; these BAs are now subject to the same privacy and security rules as CEs
Drafting new legal agreements for BAs to comply with the HITECH Act
Updating HIPAA privacy and security policies and procedures
Mapping PHI data to critical systems and assessing whether those systems can meet the new standards (workstations, servers, databases, networks, etc.)
Reviewing existing and planned systems to ensure the standards' audit and reporting requirements are met (adequate login procedures, password controls, user activity tracking, demonstrable segregation of duties, and logs that record dates, times, the user involved, and how information was accessed)
Developing or modifying an existing Breach Notification Policy to comply with state and federal provisions
Enforcement:
Where a State Attorney General has reason to believe that the interests of one or more residents of the state have been or are threatened or adversely affected by any person who violates a provision of HIPAA, the Attorney General may bring a civil action on behalf of those residents in U.S. District Court.
In a successful action, the court may award the State the costs of the action and reasonable attorney's fees.
DHHS may contract with an independent firm to perform compliance reviews of higher-risk organizations or those with previous security breaches.

Non-Compliance:
Penalties are determined by the nature and extent of the violation and of the harm resulting from it, so they can be substantial.
Civil monetary penalties are tiered by the violator's level of culpability; each cap below applies to all violations of an identical provision in a single calendar year:
Did not know (and by exercising reasonable diligence would not have known) of the violation: at least $100 for each violation, but no more than $25,000
Reasonable cause, but not willful neglect: at least $1,000 for each violation, but no more than $100,000
Willful neglect, but the violation is corrected within 30 days of discovery: at least $10,000 for each violation, but no more than $250,000
Willful neglect, and the violation is not corrected: at least $50,000 for each violation, but no more than $1,500,000