Sources say that the Office of Civil Rights (OCR) will soon direct a new round of random audits to verify compliance with the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (the HITECH Act).
OCR is responsible for enforcing the HIPAA Privacy and Security Rules by conducting compliance reviews of covered entities. In 2011, OCR established a HITECH Act Audit Program. The program assesses the controls and processes covered entities have implemented to comply with HIPAA and the HITECH Act. A list of enforcement results by State is also published.
What is the HITECH Act? The Act was enacted as part of the American Recovery and Reinvestment Act of 2009. It was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology. HITECH significantly expands the HIPAA Privacy Rule and Security Standards and adds new requirements concerning privacy and security to safeguard protected health information (“PHI”).
To whom does HITECH apply? HITECH amends HIPAA. HIPAA applies to “Covered Entities” and “Business Associates” of covered entities. Attorneys, executives and managers in HR departments as well as persons responsible for HIPAA compliance in hospitals and other health care facilities would be included.
What is a “covered entity”? “Covered entities” generally include health care providers, health plans, and health care clearinghouses (45 CFR 160.103).
Who is a Business Associate? A “Business Associate” is a person or entity that performs or assists in performing a function or activity that involves the use or disclosure of PHI on behalf of a covered entity, or covered product (45 CFR 160.103). Examples of Business Associates include, but are not limited to, sales agents/brokers, third-party administrators, and vendors who have access to PHI.
What is PHI? PHI is any “individually identifiable health information” that is created, transmitted, or maintained by a Covered Entity. “Identifiable” means that the information could reasonably be used to identify an individual.
What are the key compliance requirements under HIPAA and the HITECH Act? Covered Entities and Business Associates must:
- comply with the restrictions on use and disclosure of PHI set forth by HIPAA Privacy Rule;
- limit uses and disclosures to the “minimum necessary”;
- provide a Privacy Practices Notice. Each covered entity, with certain exceptions, must provide a notice of its privacy practices as set forth by HIPAA Privacy Rule. The notice shall contain and describe certain elements (use and disclosure of PHI; covered entity’s duties to protect privacy; notice of privacy practices, individuals’ rights; point of contact for information and complaints);
- comply with the administrative, physical, and technical safeguards for electronic PHI set forth by HIPAA Security Rule;
- develop and establish a written data security program for electronic PHI;
- comply with the security breach notification requirements, which require Covered Entities and Business Associates to give notice of any breach of “unsecured PHI”. “Unsecured PHI” is information that has not been encrypted or otherwise rendered unusable, unreadable, or indecipherable to unauthorized individuals in accordance with guidance issued by HHS.
What are the enforcement and penalty provisions of HITECH? The HITECH Act established four categories of violations based on intent, with corresponding tiers of penalty amounts that increase with the level of culpability. The penalties range from $100 per violation for unknowing violations to $50,000 per violation for “willful neglect”. HITECH also expands the HIPAA Privacy Rule’s enforcement provisions by giving State Attorneys General the authority to enforce violations through injunctions and civil damages.
HITECH provides for the designation of Regional Office Privacy Advisors to offer guidance and education to covered entities, business associates, and individuals on their rights and responsibilities under the HIPAA Privacy and Security Rules. More information and contact details for the designated authorities are available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/ropadesignation.html
More information for Covered Entities and Business Associates is available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html