The HITECH Act is Coming! Covered Entities Beware...

The HITECH Act was signed by President Obama on February 17, 2009, as part of the ARRA stimulus law. Most of the HITECH provisions go into effect on February 17, 2010, and HITECH makes significant changes to the HIPAA laws and rules, many of which will significantly impact the relationships between group health plans (and other “covered entities”) and their Business Associates. HITECH adopts a number of changes to HIPAA that significantly broaden the definition of a breach of Protected Health Information (PHI), define what must be done when a breach of PHI occurs, and, for the first time, impose some mind-boggling penalties for breaches of PHI.

The U.S. Department of Health and Human Services (HHS) is the primary enforcement agency for HITECH. HHS has recently clarified what constitutes a “breach,” which is the event that triggers HIPAA’s elaborate new procedures for notifying individuals when their protected health information (PHI) is compromised.

HHS has also said that an unauthorized PHI use or disclosure is a “breach” only if it violates HIPAA’s now-expanded privacy rules and “poses a significant risk of financial, reputational, or other harm to the individual,” according to the interim final rule HHS issued on August 24, 2009. That rule took effect September 23, 2009, but HHS has said it will not impose sanctions for failure to comply until February 22, 2010.

To apply that “significant risk of harm” test, HIPAA-covered entities must perform and document a risk assessment of the level of harm that could result from the improper use or disclosure of the PHI in question. Strong documentation of the risk assessment is a KEY factor in proving compliance with HITECH, and the burden of proof that an incident was not a breach (or that the required notifications were made) is on the Covered Entity and/or Business Associate.

HHS has given the example that if the PHI disclosed includes only a person’s name and an indication that the individual received services from a hospital, the disclosure would be a privacy rule violation but would not necessarily rise to the level of a “breach.” However, if the violation is determined to be a breach, even an unintentional one, the new notice requirements are particularly onerous. Affected individuals must be notified without unreasonable delay and no later than 60 days after the breach is discovered (not 60 days after it occurred, so the clock starts when the entity knew or reasonably should have known of the breach). Unless an individual has agreed to receive electronic notices, the notice must be sent by first-class mail. HHS must now be notified of the breach as well: immediately for breaches affecting 500 or more individuals, and in an annual log submitted to HHS for smaller breaches. In addition, if the breach involves more than 500 residents of a state or jurisdiction, prominent media outlets serving that area (television stations, radio, and newspapers) must also be notified.

The first real exposure for employers, administrators, and Business Associates under the HITECH law is the new penalties. Civil monetary penalties for violating HIPAA were significantly increased and organized into four tiers based on the level of culpability, with a top-tier fine of $50,000 per violation, up to a maximum of $1.5 million per calendar year for violations of the same provision. Also, state attorneys general can now bring civil actions on behalf of state residents whose PHI was released. Those penalties are actually in effect today, although they have not been given much attention by the press.

The second exposure is the new requirement that HHS perform “periodic audits” to ensure that both covered entities and Business Associates are compliant with the new rules. HHS has now been funded to conduct these audits; in past years it was not adequately funded for audits, so they were rare.

Travis Software is currently developing “TravisHITECH,” a new web-based system that will allow our users to gather and store the information needed to prepare risk assessments, help you prepare for audits, manage Business Associate agreements, notify everyone who must be notified when a breach of PHI occurs, and keep your exposure under HITECH mitigated and under control. We plan to make this system available early in 2010 and will keep you informed of its progress as we go through the development and testing cycle.
