Stimulus Package Brings Sweeping Changes to HIPAA; Here's Your Compliance Checklist

April 20, 2009

Introduction
On Tuesday, February 17, 2009, President Obama signed into law a $787 billion economic stimulus package, officially known as the American Recovery and Reinvestment Act of 2009 ("ARRA"). ARRA includes the Health Information Technology for Economic and Clinical Health Act (the "HITECH Act"). The HITECH Act contains numerous provisions that significantly expand the scope of the privacy and security rules under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). Collectively, these provisions will bring about sweeping changes in the way covered entities ("Covered Entities") and business associates ("Business Associates") maintain, use and disclose "protected health information" ("PHI"). For a detailed analysis of these provisions, see our February 23, 2009 Healthcare Team Update on Health Information Technology and HIPAA under the ARRA.

While many of the provisions under the HITECH Act will not be effective until February 17, 2010 or later, one significant provision - breach notification - is scheduled to become effective before the end of this year. Moreover, many of the provisions will require significant time and resources in order to implement. For these reasons, Covered Entities and Business Associates must develop and put into place concrete plans of action now to ensure their organizations are fully compliant by each of the applicable deadlines. To assist Covered Entities and Business Associates with this effort, we have prepared the following list of action items that must be completed and the dates by which they must be completed:

A. Covered Entities and Business Associates
1. Breach Notification:

Under the HITECH Act, Covered Entities must notify affected individuals and HHS (and, for larger breaches, prominent media outlets) of breaches of "unsecured protected health information," and Business Associates must notify the Covered Entity of any such breach they discover. "Unsecured protected health information" is PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or methodology specified by HHS; PHI that is properly secured under the HHS guidance falls outside the notification requirement.

To comply with this requirement, Covered Entities and Business Associates must create and implement policies and procedures for identifying, tracking and reporting breaches of "unsecured protected health information." Such policies and procedures must comply with the notification requirements specified in the HITECH Act, such as methods of notification and timeliness of the notification.

Due date: HHS must promulgate regulations by August 17, 2009; the notification requirement applies to breaches discovered on or after the date 30 days after the regulations are promulgated.

2. Restrictions on Disclosures:

The HITECH Act requires Covered Entities and Business Associates to honor an individual's request to restrict disclosures of PHI to health plans for payment or health care operations purposes if the PHI pertains solely to items and services paid for by the individual in full.

To comply with this requirement, Covered Entities and Business Associates must create and implement policies and procedures for receiving and processing requests from individuals to restrict disclosures of PHI to health plans.

Due date: February 17, 2010.

3. Minimum Necessary:

Under the HITECH Act, Covered Entities and Business Associates must limit their uses, disclosures or requests for PHI to a "limited data set," if practicable, or, if needed, the minimum necessary to accomplish the intended purpose of the use, disclosure or request.

To comply with this requirement, Covered Entities and Business Associates must educate their workforce members about the new minimum necessary and limited data set standards.

Due date: February 17, 2010.

4. Accounting for Disclosures:

Under the HITECH Act, Covered Entities and Business Associates making disclosures of an individual's PHI from an electronic health record ("EHR") for treatment, payment and health care operations ("TPO") are required to account for such disclosures if requested by the individual. The term EHR is defined as "an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff."

To comply with this requirement, Covered Entities and Business Associates must develop policies and procedures for tracking disclosures of PHI from an EHR for TPO. Covered Entities and Business Associates must also develop a system for receiving and processing requests from individuals for an accounting of such disclosures.

Due date: For Covered Entities and Business Associates currently using EHR, the accounting requirement would apply to disclosures made on or after January 1, 2014. For Covered Entities and Business Associates yet to acquire EHR, the accounting requirement would apply to disclosures made on or after January 1, 2011, or the date EHR are acquired, whichever is later.

5. Prohibition on Sale of PHI:

Under the HITECH Act, Covered Entities and Business Associates are prohibited from receiving, directly or indirectly, any remuneration in exchange for PHI, except pursuant to a valid HIPAA authorization signed by the individual or pursuant to one of the exceptions listed in the act.

To comply with this requirement, Covered Entities and Business Associates must review their exchanges of PHI to determine whether any remuneration is received, and if so, whether the receipt of the remuneration complies with the requirements under the HITECH Act. Covered Entities and Business Associates should also develop policies and procedures to ensure that no PHI is exchanged for remuneration unless the receipt of the remuneration complies with the requirements under the HITECH Act.

Due date: HHS must promulgate final regulations by August 17, 2010; the due date is six months after the date the final regulations are promulgated.

6. Individual Access to PHI in EHRs:

Under the HITECH Act, Covered Entities and Business Associates that use or maintain an EHR containing an individual's PHI are required to provide the individual, upon request, with a copy of his or her information in electronic format.

To comply with this requirement, Covered Entities and Business Associates must develop a system for receiving and processing requests from individuals for electronic copies of their PHI.

Due date: February 17, 2010.

7. Use of PHI for Marketing:

The HITECH Act prohibits Covered Entities and Business Associates from receiving remuneration, either directly or indirectly, for disclosing PHI for marketing purposes that previously qualified as "health care operations," unless certain requirements have been met.

To comply with this requirement, Covered Entities and Business Associates must review their disclosures of PHI for marketing purposes and determine whether they receive any remuneration in exchange for such disclosures. If remuneration is received, Covered Entities and Business Associates must determine whether the receipt of the remuneration complies with the requirements under the HITECH Act. Covered Entities and Business Associates should also develop policies and procedures to ensure that no remuneration is received in exchange for the use or disclosure of PHI for marketing purposes, unless the receipt of the remuneration complies with the requirements under the HITECH Act.

Due date: February 17, 2010.

8. Use of PHI for Fundraising:

Under the HITECH Act, Covered Entities and Business Associates may only use and disclose PHI for fundraising communications as a permitted "health care operation" if the recipient of the communication is provided with an opportunity to opt-out of receiving further communications. Such opportunity must be provided in a clear and conspicuous manner.

To comply with this requirement, Covered Entities and Business Associates must determine whether they use and disclose PHI for fundraising purposes, and if so, provide the recipients of the fundraising communication with the opt-out notice required under the HITECH Act.

Due date: February 17, 2010.

9. Business Associate Agreements:

The HITECH Act requires that each of the new obligations identified above be incorporated into business associate agreements entered into by Covered Entities and Business Associates ("Business Associate Agreements"). In our opinion, this means that Business Associate Agreements must be amended to affirmatively incorporate the new obligations into the old agreements, or that new Business Associate Agreements containing the new obligations must be entered into.

To comply with this requirement, Covered Entities should identify and maintain a list of each of their Business Associates, and Business Associates should do the same for their Covered Entities. The parties should then work with each other to negotiate, draft and sign amendments to current Business Associate Agreements or new Business Associate Agreements. Finally, template Business Associate Agreements incorporating the new obligations under the HITECH Act should be drafted for use by Covered Entities and Business Associates on a go-forward basis.

Due date: February 17, 2010.

B. Covered Entities
In addition to the action items that apply to both Covered Entities and Business Associates, Covered Entities must do the following:

Notice of Privacy Practices:

The HITECH Act does not impose any requirements with respect to Notice of Privacy Practices. However, because the HITECH Act includes provisions that restrict the way Covered Entities may use and disclose PHI and grant additional rights to individuals with respect to their PHI, we recommend that Covered Entities review and revise their Notice of Privacy Practices to reflect these changes.

Due date: The HITECH Act does not specify a due date, but we recommend February 17, 2010, the earliest date on which some of the provisions governing use and disclosure of PHI and individuals' rights with respect to PHI become effective.

C. Business Associates
In addition to the action items that apply to both Covered Entities and Business Associates, Business Associates must do the following:

Information Safeguards under the Security Rule:

The HITECH Act requires Business Associates to implement each of the three information safeguards under the HIPAA security rule that currently apply to Covered Entities. These safeguards are administrative, physical and technical. The HITECH Act further requires Business Associates to implement and maintain written policies and procedures documenting compliance with the information safeguards.

To comply with this requirement, Business Associates must undertake a detailed analysis of the standards and implementation specifications under each of the three information safeguards and then implement them as appropriate for their organizations. Business Associates must then develop, implement and maintain written policies and procedures that document their compliance with the information safeguards.

Due date: February 17, 2010.

Conclusion
As evidenced by the checklists above, the work required to comply with the new requirements under the HITECH Act is substantial for both Covered Entities and Business Associates. While the predominant deadline, February 17, 2010, seems a long way away, the deadline will arrive all too quickly and Covered Entities and Business Associates must begin developing and implementing concrete plans of action now to ensure they will be compliant.

If you have questions regarding compliance with the new requirements under the HITECH Act, contact Choua Vang (cvang@gklaw.com or 920-831-6351) or any other member of Godfrey & Kahn's Healthcare Team.

