The American Recovery and Reinvestment Act of 2009 (ARRA), through its HITECH Act provisions, mandates several changes to the patient information privacy and security rules required by the Health Insurance Portability and Accountability Act (HIPAA). This affects health care organizations in general and physician practices in particular.
The new rules require practices using EHR systems to track all disclosures of patient health information made through the EHR, including those for purposes of treatment, payment, and health care operations (disclosures that were previously exempt from the accounting requirement). Patients have the right to request an accounting covering the three years prior to the request. A practice that uses an EHR must, upon request, provide the patient a copy of the record in electronic format, and the patient may direct that the copy be transmitted to a designated third party.
ARRA now extends HIPAA privacy and security requirements directly to business associates that use, process, or handle patient information on behalf of the practice, which includes billing companies, HIT vendors, and contractors. These parties are subject to the same civil and criminal penalties as covered entities.
The new rules require practices to notify patients of any breach that exposes their unsecured health information to unauthorized parties. "Unsecured" means information that has not been rendered unusable or unreadable by a method specified in HHS guidance, such as encryption; a breach of properly encrypted data does not trigger notification. Notification must be made in writing without unreasonable delay and no later than 60 days after the breach is discovered. If current contact information is lacking for 10 or more affected patients, the practice must also provide substitute notice, such as a conspicuous posting on its Web site. If the breach affects more than 500 residents of a state, the practice must also notify prominent local news media, and a breach affecting 500 or more patients must be reported immediately to the Department of Health and Human Services (smaller breaches are logged and reported to HHS annually).
Patients may restrict disclosure of health information to a health plan for purposes of payment or health care operations (but not treatment) when the patient has paid for the item or service in full, out of pocket.
The law requires the HHS secretary to develop regulations restricting the ability of a practice to use identifiable patient data for certain health care operations.
Fairly severe civil penalties can result from failure to comply with the law. There is a four-tier penalty provision, with the annual maximum applying to violations of an identical provision in a calendar year:
Tier 1: Violation where the person did not know (and by exercising reasonable diligence would not have known) that they violated the provision. Penalties: $100 for each violation, to a maximum of $25,000 per year.
Tier 2: Violation that was due to reasonable cause and not to willful neglect. Penalties: $1,000 for each violation, to a maximum of $100,000 per year.
Tier 3: Violation due to willful neglect, where the issue is corrected within 30 days of the person learning of it. Penalties: $10,000 for each violation, to a maximum of $250,000 per year.
Tier 4: Violation due to willful neglect, where the issue is not corrected. Penalties: $50,000 for each violation, to a maximum of $1.5 million per year.
As with other provisions of the law, clarifications and final regulations are yet to be published. Interim final regulations on the breach notification provisions are expected no later than July 2009, with an effective date 30 days after their publication.
The accounting-for-disclosures provision applies to disclosures made on or after January 1, 2014 for practices that had an EHR system in place as of January 1, 2009. For practices that acquire an EHR system after January 1, 2009, it applies to disclosures made on or after the later of January 1, 2011 or the date the practice acquires the EHR system.
The new law also has a "whistleblower" provision under which individuals harmed by a violation would receive a percentage of the civil penalties collected.
The complexity of these new rules and mandates places well-meaning doctors in the crosshairs of litigation claims. Before a practice can meet the patient notification requirements, it first has to know that a breach has occurred, which means the EHR must log who accessed which records and flag unauthorized access or disclosure so that it can be discovered, investigated, and the affected patients identified. Currently, very few, if any, EHR systems have this capability. These requirements, along with the others mandated by the new legislation (disclosure accounting, electronic copies for patients, and support for encryption that keeps stored data "secured"), should be added to your list of upgrades to be discussed with EHR vendors.
James B. Calnan, CPA, is partner-in-charge of the Health Care Services Division of Meyers Brothers Kalicka, P.C. in Holyoke.