The American Recovery and Reinvestment Act (the ARRA, commonly known as the stimulus bill) included $19 billion in funding for adoption of electronic medical records (EMRs). Proponents of health information technology believe that widespread adoption of EMRs will help control health care costs and enhance quality, especially as providers begin to share patient information electronically.  However, privacy advocates worry that as more and more patient information is kept electronically, we will see more instances of patient information getting into the wrong hands.  While the security of paper records can be far from perfect[1], most large-scale security incidents in recent years involved electronic records (such as lost laptops containing unencrypted protected health information (PHI), and PHI improperly secured in web-based applications and exposed online).  So as the stimulus bill, with its incentives for EHR adoption, moved through Congress, privacy advocates sought to strengthen security protections for electronic PHI.[2]  They succeeded – and as a result, practices will need to dust off their Health Insurance Portability and Accountability Act (HIPAA) privacy and security manuals, and strengthen protections for electronic PHI.

What to do first about HIPAA security

The practice's first priority should be to review and update HIPAA security procedures.  The ARRA provides for greatly increased penalties for security breaches involving electronic PHI, and these are in effect now.

Under the HIPAA enforcement rule published in 2006[3], providers who violated HIPAA could be assessed a maximum civil monetary penalty of $100 per violation, up to $25,000 during a calendar year for identical violations.  Under the ARRA, there will be a three-tier system for determining the penalty.  The previous rate of $100 per violation/$25,000 per year will apply for innocent mistakes (if the provider did not know, and would not have known if exercising reasonable diligence, that the violation occurred).  If it was not an innocent mistake, but the provider was not guilty of willful neglect, the penalty goes up to $1,000 per violation, not to exceed $100,000 per year.  For violations due to willful neglect, the penalty can be as much as $50,000 per violation, not to exceed $1.5 million per year.

Suppose a laptop with unencrypted information on ten patients is lost.  Under the previous HIPAA enforcement rule, the maximum penalty would have been $1,000.  Under current law, the maximum will be either $10,000 or $500,000, depending on whether the loss of the laptop was considered "willful neglect".  This is a significant liability that is likely not covered under the practice's insurance.

HIPAA computer security

There is another change in enforcement that may increase the likelihood that health care providers will encounter these penalties.  While enforcement of HIPAA was previously the exclusive domain of HHS, the ARRA now allows state attorneys general to bring enforcement actions.  HHS had been criticized for alleged lax enforcement of HIPAA, because the agency had not conducted regular security audits of providers but had focused on responding to patient complaints.

In addition to the substantial increase in penalties for HIPAA violations, the ARRA introduces a requirement to notify the Secretary of Health and Human Services and affected patients, if there is a breach of unsecured PHI.  PHI is considered unsecured if it is not secured through use of a technology that renders the information unusable, unreadable or indecipherable to unauthorized persons.  Some states have had a security breach requirement for years, but in most cases, this applied only if the information disclosed was the type that could be used for identity theft (such as the social security number).  The notification requirement under the ARRA is much broader, since it applies to improper disclosure of any PHI.  This requirement will apply to business associates as well as covered entities (providers, health plans and clearinghouses).  The security breach notification requirement will come into effect when HHS has published regulations, but no later than September 15, 2009.

If there has been an inappropriate disclosure of unsecured PHI, the provider must notify the patient by mail.  If the disclosure affected more than 500 persons in a state, a notice must be published in a local newspaper, and will also be published on the HHS website.  This would be, of course, a public relations nightmare for a practice that has to notify patients that their private information has been disclosed.

If you haven't reviewed your HIPAA policies since they were first adopted, now is the time to revisit them, especially in light of problems encountered by other providers.  Here are a couple of suggestions:

  • Make sure any PHI contained on laptops, PDAs or other portable devices is encrypted or password-secured.
  • If any web-based services are used to transmit PHI (for example, some types of electronic billing), make sure the service uses secure encryption technology and follows state-of-the-art security practices.
  • See "Computer security for physicians."

Next steps: revising HIPAA policies

The next task for practices should be to revise HIPAA policies, in light of some new patient rights provided under the ARRA.  Under HIPAA, providers were permitted to disclose PHI for purposes of patient treatment, payment, or health care operations.  Patients had the right to request restrictions on such disclosures, but the provider was not obligated to grant the patient's request.  Under the ARRA, patients will now have the right to prohibit disclosure of information to the payor, if the patient pays out-of-pocket for a service.  This provision will take effect February 17, 2010.  In the intervening months, practices should revise their HIPAA and medical record policies to specify how, if a patient makes this request, information on a procedure paid out-of-pocket can be flagged or segregated so it is not inadvertently disclosed to a payor auditing the record for other reasons.

Future developments in HIPAA regulations

The ARRA provides for other enhancements to patient rights, but allowing some lead time for HHS to develop regulations, and for developers of electronic medical records to build into their systems the capability to comply.  HIPAA currently gives patients the right to request an accounting of disclosures of their PHI, but there are several exceptions.  Currently, health care providers do not have to include disclosures for treatment, payment or health care operations in the accounting.  The ARRA will now require providers with EMRs to produce an accounting that does include these disclosures.  Because the EMR itself will probably have to be modified to capture this information, the effective date is delayed.  Providers that already have an EMR must be able to produce an accounting covering disclosures for treatment, payment and health care operations made after January 1, 2014.  This date may be extended by HHS, but to no later than 2016.  Providers that acquire an EMR after January 1, 2009 must provide an accounting of disclosures after the later of the acquisition date, or January 1, 2011.  Again, the law permits HHS to extend this deadline, but no later than 2013.

The ARRA also changes the definition of "health care operations" to remove some disclosures for marketing and fund-raising purposes.  Since under HIPAA, disclosures for health care operations did not require the patient's authorization, the effect is that greater restrictions are imposed on these disclosures. 

The ARRA also prohibits the sale of PHI without the patient's authorization, with certain exceptions, such as research.  Privacy rights advocates were concerned that providers were selling patient data to pharmaceutical companies and other commercial interests.  HHS will develop regulations to implement this restriction by no later than February 17, 2010.

HIPAA Expansion

Finally, the ARRA greatly expands the reach of HIPAA.  Previously, HIPAA applied only to "covered entities":  health plans, clearinghouses, and health care providers that used electronic transactions.  HIPAA will now apply directly to business associates of covered entities, such as billing companies, record storage companies, and other firms that handle PHI. 

While vendors of personal health records will not be covered under HIPAA, they will be required to notify individuals of a security breach affecting their personal information.  The Federal Trade Commission will be responsible for enforcement of this requirement.


Patient privacy issues clearly have Congress's attention.  They will likely be a focus of regulatory interest for HHS in coming years.


[1] A significant recent enforcement action under the Health Insurance Portability and Accountability Act (HIPAA) was the $2.25 million penalty recovered from CVS Pharmacy, Inc.  CVS was found to have disposed of patient information, such as old prescription labels, in unsecured dumpsters.

[2] Many of the privacy and security provisions adopted in the ARRA were originally proposed in a bill introduced in the last Congress, known as the Health Information Technology for Economic and Clinical Health Act (the HITECH Act).

[3] 71 Fed. Reg. 8389 (Feb. 16, 2006).

Patricia King

About the Author

Patricia King is a health care attorney in Illinois, and principal of the web-based business Digital Age Healthcare LLC (
