HHS Proposes HIPAA Regulatory Changes to Address HITECH.

August 19, 2010 Advisory

HHS Proposes HIPAA Regulatory Changes to Address HITECH. More Expansive Enforcement Heightens Need for Enhanced Checks and Balances.

On July 14, 2010, the U.S. Department of Health and Human Services (HHS) published long-awaited proposed amendments (the Proposed Rule) to the HIPAA privacy, security and enforcement regulations to implement requirements of the Health Information Technology for Economic and Clinical Health Act (HITECH). HITECH modified HIPAA in several important ways, including making business associates directly subject to the HIPAA Security Rule, imposing new breach notification requirements and increasing penalties for HIPAA violations. Most of HITECH's privacy and security provisions went into effect this past February. The Proposed Rule expands on many of these provisions and requests comments from the public, which are due to HHS by September 13, 2010. For a more detailed discussion of the Proposed Rule, click here to link to Wiggin and Dana's advisory.

Entities covered by HIPAA, including business associates, must immediately ensure compliance with the new statutory HITECH requirements; however, it is equally imperative that they ensure overall compliance with applicable provisions of the HIPAA Privacy Rule and Security Rule. It has been over seven years since the initial HIPAA Privacy Rule compliance deadline and a little over five years since the initial HIPAA Security Rule compliance deadline. Although many covered entities and business associates devoted time and resources to their initial HIPAA implementation, on-going HIPAA compliance monitoring has not necessarily been a priority. It is critical that covered entities, business associates and others affected by HIPAA and HITECH take the time to assess and audit their overall privacy and security programs and implement remedial measures, as necessary, to ensure compliance.

Why HIPAA Compliance is More Important than Ever

First and foremost, your reputation is at stake. Patients and customers have high expectations for the protection of their health and personal information; failure to satisfy those expectations diminishes patient and customer trust in your organization. Recent headlines show that privacy and security breaches are on the rise and/or are increasingly being discovered, made public and subject to enforcement action:

  • In late July, HHS settled with a national pharmacy chain accused of failing to protect the privacy of financial and medical information of its customers. In addition to paying a $1 million fine, the pharmacy is required to conduct internal monitoring and obtain an independent assessment of its compliance for three years.
  • HHS also recently entered into a multi-million dollar settlement with another health care provider to address alleged deficiencies in the provider's policies and procedures for safeguarding protected health information. The settlement required the provider to engage an independent third-party to conduct on-going privacy and security assessments for three years.
  • Earlier this year, HHS required a health plan to pay a fine and to agree to implement a corrective action plan. The corrective action plan required the health plan to revise its policies and procedures, retrain its entire workforce, and increase its self-auditing efforts. HHS also required the health plan to agree to independent monitoring and reporting requirements.
  • This past January, Connecticut's Attorney General brought an action against a health plan alleging various HIPAA violations. This was the first HIPAA enforcement action by a state Attorney General.

In addition, HITECH has significantly expanded HIPAA's enforcement mechanisms:

  • HIPAA violators are now subject to increased civil and criminal penalties ranging from $100 to $50,000 per violation, capped at $1.5 million per calendar year
  • Business associates are now directly subject to HIPAA and face the same penalties for non-compliance as covered entities
  • Previously, enforcement by the federal government was complaint-driven; now, the federal government is required to audit for compliance with HIPAA
  • Individuals who violate HIPAA may face criminal penalties that include fines and/or imprisonment
  • State Attorneys General can now enforce HIPAA
  • Aggrieved individuals soon will share in HIPAA penalties, creating an incentive for individuals to file HIPAA complaints

How We Can Help You

Our HIPAA practice is sophisticated, and our attorneys highly qualified to address HIPAA and related federal and state privacy and security requirements. Not only have we advised clients for over a decade on HIPAA, we are a business associate ourselves and therefore have first-hand experience implementing the HIPAA Security Rule as well as other business associate-specific privacy requirements. Whether you are a covered entity or a business associate, we can help:

  • develop HIPAA Privacy Rule and/or Security Rule policies and procedures and assist with training and implementation
  • audit for compliance with HIPAA and/or facilitate the development of an effective internal auditing program
  • develop remedial steps and corrective action plans to achieve compliance
  • assist with breach investigations and provide advice on breach notification requirements, including interactions with your state Attorney General, HHS and the FTC, as applicable and appropriate
  • assess and address compliance other applicable privacy and security requirements, such as the Gramm-Leach-Bliley Act, FTC Rules, the Red Flags Rule, and state breach notification requirements