Law means rethinking how you protect patient data
A column examining the ins and outs of contract issues
By Steven M. Harris, a partner at McDonald Hopkins in Chicago concentrating on health care law and co-author of Medical Practice Divorce. He writes the "Contract Language" column. Posted June 29, 2009.
In a previous article, I described how the American Recovery and Reinvestment Act, part of the federal stimulus package, expanded the reach of the Health Insurance Portability and Accountability Act for physicians and anyone else dealing with patient information.
With that in mind, there needs to be some reworking and rethinking by covered entities and business associates, the terms that HIPAA created for the parties dealing with health information. Physicians, hospitals, health plans and health care clearinghouses are covered entities, which transmit health information. Business associates are those who use health information as they are performing services on behalf of a covered entity, such as legal, accounting, consulting or administrative work.
One of the biggest changes comes in notification if either a covered entity or business associate believes data have been compromised or breached. The change is that you have to notify someone, as spelled out in the Health Information Technology for Economic and Clinical Health Act.
If the covered entity discovers a security or privacy breach of an individual's health information, the covered entity must inform the individual of the breach within a specified time frame.
If the business associate discovers the breach, it must notify the covered entity within a certain period of time.
In general, whoever discovers the security or privacy breach is required to notify the appropriate party, according to the HITECH Act, "without unreasonable delay and in no case later than 60 calendar days after the discovery of the breach."
Additionally, the HITECH Act prescribes the appropriate method of notification (for example, first-class mail, e-mail, mass-media communications) and the content of the notification: a description of what happened, the date of the breach, the date the breach was discovered, and a description of the types of unsecured health information involved in the breach, such as name, Social Security number, date of birth, home address, account number and disability code.
The business associate agreement, which the associate signs with the covered entity, should describe in detail the time frame, method and content of the notification.
In the event of a security breach of personal health records, PHR vendors are now required to notify the Federal Trade Commission and each U.S. citizen or resident whose unsecured PHR identifiable health information was acquired by an unauthorized person as a result of the breach.
Additionally, third-party service providers that offer or maintain PHRs and that access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose unsecured PHR identifiable health information in such a record are required to notify the vendor in the event of a security breach.
Disclosing information
The HITECH Act also strengthens protections for those who want to limit how their information is shared.
If an individual requests that a covered entity restrict the disclosure of his or her information, the entity must comply with the request under certain circumstances. For example, patients are allowed to opt out of having their information used in fundraising or marketing materials. They also can ask for records dating back up to three years that note every time their electronic health record has been accessed (although they may be charged for labor costs relating to that request).
Under the HITECH Act, a covered entity that uses or maintains electronic health records is required to provide an individual with an accounting of the disclosures of his or her information, if the disclosure was for treatment, payment or a health care operation, and if the disclosure was made during the three years prior to the date the accounting was requested.
Upon request of an accounting, a covered entity is required to do one of two things: either provide an accounting of the disclosures of information made by the covered entity and by business associates acting on its behalf, or provide an accounting of the disclosures made by the covered entity itself together with a list of all business associates (and their contact information) acting on its behalf.
While the covered entity selects which of the two options to provide, this decision should be predetermined and stated in the business associate agreement. In general, covered entities and business associates are prohibited from directly or indirectly receiving remuneration in exchange for an individual's information, unless the covered entity obtains a valid authorization from the individual whose information is at issue. The authorization must specify that the information may be exchanged for remuneration.
While this is the general rule, there are exceptions when the purpose of the exchange is for public health activities, research, treatment of an individual, a health care operation, payment from a covered entity to a business associate, or other reasons determined by the Dept. of Health and Human Services.
When a covered entity uses or maintains an EHR that contains an individual's information, the individual has the right to obtain a copy of such information from the covered entity in electronic format.
Penalties and enforcements
The HITECH Act imposes penalties for noncompliance due to willful neglect and authorizes HHS to investigate any complaint of suspected noncompliance. In the event of noncompliance, the violating party may be subject to tiered civil monetary penalties based on the degree of neglect and intent, ranging from $100 to $1.5 million per violation.
The HITECH Act also requires HHS to perform periodic audits to ensure that covered entities and business associates are complying with the act.
The consequences of noncompliance are too severe to ignore. Be sure your business associate agreement complies with requirements of the new federal law.