Online Continuing Education

Health Providers Facing Stiff HIPAA Regulations

The Physician’s Corner
HIPAA: A Refresher and Update

By Henry Tulgan, M.D. FACP

The implementation of the federal privacy rule under the Health Insurance Portability and Accountability Act (HIPAA) in 2003 codified the limits on accessing an individual’s health information. Covered entities under HIPAA include health care providers, health care plans and clearing houses. Over the past seven years, patients have been handed notices of compliance whenever they visit their physicians, dentists, pharmacies, hospitals and other covered entities in the wake of these new privacy protections that cover medical records, verbal communications, computerized health information and even billing.

Providers have become quite adept in developing safeguards, procedures and training programs to ensure HIPAA compliance. Patients have been given the right to see and receive copies of their medical records, with certain material redacted in some instances, and they may ask to change information they find incorrect. HIPAA also includes rules about how medical information may be shared, again with allowances for providers to do so without permission in special circumstances, including public health and legal reasons, upon a patient’s death and in certain protected research projects. Now, stricter and broader HIPAA coverage has been implemented under the Health Information Technology for Economic and Clinical Health Act (HITECH), a part of the economic stimulus legislation, the American Recovery and Reinvestment Act (ARRA), which was signed into law in early 2009.

Here are the highlights of the changes:

  • Increased requirements surrounding notification of a privacy breach.

This change was implemented in February 2010. Under this provision, if a breach in protecting a patient’s protected information occurs, he or she must be notified within 60 days of the discovery of the breach. Major breaches involving more than 500 individuals – such as the theft or loss of electronic devices containing medical information – must also be reported to the Department of Health and Human Services (HHS) and to a major media outlet in the region. Providers are also required to maintain a list of violations and report them within 60 days of the end of a calendar year.

  • More providers are considered business associates.

The previous definition of a business associate under HIPAA has been expanded so that almost any person or entity that offers services for covered providers is also potentially liable. This may include such obvious relationships as those between covered providers and their accountants and information technology providers, but it also may extend to less obvious ones, such as answering services and record storage facilities, if they access, maintain, retain, modify, record, store, destroy or disclose protected health information.

  • HHS audits are mandatory.

Under the prior Act, HHS audits of providers for HIPAA compliance were permitted, but the HITECH Act makes these audits mandatory as of February 2010. HHS is now required to conduct periodic audits of business associates and covered entities under the HITECH Act to ensure that they are complying with the act. The details of how this will be accomplished will continue to unfold.

  • The fines and penalties for violations have increased.

Here are the new penalties for HIPAA violations:

  • $100 minimum per violation that an entity was not aware of.
  • $1,000 minimum per violation resulting from “reasonable cause.”
  • $10,000 minimum per violation for “corrected willful neglect.”
  • $50,000 minimum per violation for “uncorrected willful neglect.”

The maximum annual penalty has increased from $25,000 to $100,000 per year. Additionally, state attorneys general may now bring civil suits for data breaches on behalf of patients.

  • 5010 and ICD-10

Beginning on Jan. 1, 2012, HHS requires the implementation of the X12 Version 5010 standard, which will require certain changes to software and hardware for billing, claims and other measures, such as plan enrollment or disenrollment and referrals. ICD-10 will replace ICD-9 in October 2013 and will include significantly more codes. Covered HIPAA entities will be required to have mechanisms in place to implement this update.

X12 Version 5010 of the HIPAA standards includes changes in the data content, such as improved eligibility responses and better search options. It also includes improvements for the reporting of clinical data. The new standard will differentiate ICD-10-CM diagnosis codes and ICD-10-PCS procedure codes, which will distinguish between codes for principal diagnosis, admitting diagnosis, external cause of injury and patient reason for visit. These changes will improve the analysis of clinical data and provide better monitoring of mortality rates, patient outcomes and lengths of stay for specific illnesses.

Health care providers must familiarize themselves with these new requirements, some of which have already been implemented, and take steps to ensure compliance. Training programs may need to be updated, and business associate contracts may need to be strengthened and expanded. Plans should also be made for the necessary software and hardware changes. The fiscal and legal penalties are much more severe, and every effort must be made to avoid them.


Copyright 2012. Massachusetts Medical Society, 860 Winter Street, Waltham Woods Corporate Center, Waltham, MA 02451-1411 781-893-4610 | 781-893-3800 | Member Information Hotline: 800-322-2303 x7311 info@massmed.org