HIPAA on Steroids!

Protecting a patient's privacy has always been important, but it has now risen to a new, critical level. The Health Information Technology for Economic and Clinical Health Act ("HITECH") put the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") Privacy and Security Rules on steroids. Specifically, HITECH created financial incentives for healthcare providers to adopt and implement electronic health records, increased the penalties for violations of the HIPAA Privacy and Security Rules, and mandated government audits of health plans, clearinghouses, healthcare providers and business associates for compliance with HIPAA.

First, providers are eligible for financial incentives if they adopt, implement and "meaningfully use" electronic health records ("EHR"). To be deemed a "meaningful user", a provider must attest to satisfying specific objectives and measures. The objectives are based on five policy priorities, one of which is ensuring the privacy and security of patient information. To earn the incentive payments, providers must conduct a security risk analysis of their EHR. Part of that risk analysis is confirming that reasonable administrative, physical and technical safeguards protect patient-identifiable information both at rest and in transit. The federal policy and monetary incentives that encourage the use of EHR are balanced by federal regulations and required safeguards that restrict how and why patient information may be electronically used, disclosed or transmitted.

Back in 2003, when the HIPAA Security Rule became effective, HIPAA required each provider to implement reasonable safeguards to protect the security of patient-identifiable information when it was electronically stored or transmitted. Each provider was required to perform a risk analysis to identify and evaluate vulnerabilities within his or her systems and to implement reasonable safeguards to protect the security and privacy of patients' information. Many providers performed an initial risk analysis in 2003 and have not looked at it since. The Security Rule, however, treats risk analysis as an ongoing obligation: safeguards must be reviewed and modified as needed to keep protecting patient information as systems, staff and threats change, and the analysis and its updates must be documented. Now, if the risk analysis has not been updated and properly documented, and the identified risks mitigated, a provider risks losing the meaningful use financial incentives and incurring fines and penalties.

In 2009, HITECH expanded and increased the fines and penalties associated with HIPAA violations. If providers fail to perform a risk analysis, assess their potential vulnerabilities and take action to mitigate potential threats to patient information, they may be found to be in reckless disregard or willful neglect of their duty to ensure the privacy and security of their patients' information. If the government finds that a provider has engaged in willful neglect, the penalties on the high end range from $250,000 to $1.5 million per year, with the higher cap reserved for willful neglect that is not corrected. Accordingly, ensuring that patient information is secure and that the security risk analysis has been completed and documented is essential to a provider's financial bottom line.

Moreover, because the government is encouraging the implementation and use of electronic health information exchange, it also mandated audits of providers to ensure that proper security safeguards are in place. The government has engaged two contractors, who will perform on-site interviews and security audits of providers to verify that proper protections have been implemented. All providers should be aware of the risk analysis requirement under the administrative safeguards set forth by HIPAA and the HITECH statute. As providers adopt, implement and use EHR, they should review the privacy and security protections in place to ensure that only authorized individuals are permitted to use and disclose the information.

The age of the EHR has brought potential financial incentives to providers, but it is also bringing additional requirements to ensure privacy and security. This is a foundational component of any healthcare practice. As the healthcare environment continues to change, protecting the privacy and security of patient information is a priority of heightened importance for all healthcare providers in all settings.