White & Co LLP
901 Main Street
Suite 4100
Dallas, Texas 75202
p 214.722.7100
f 214.722.7111
In 2009, President Obama enacted new onerous rules and exponentially increased penalties for healthcare providers and their business associates who handle personal health information. As a significant expansion of HIPAA, the Health Information Technology for Economic and Clinical Health Act (HITECH) presents new technical challenges, costs, risks and liabilities threatening your bottom line. However, advice is available to help you implement efficient and cost-effective protections.
What HITECH Requires You to Do Differently:
For HIPAA Covered Entities (these are healthcare providers including doctors, clinics, dentists, nursing homes and pharmacies, but only if they transmit information electronically. Health plan providers such as HMOs and health insurance companies are also covered entities.)
• Breach Notification Requirements - Prior to HITECH, HIPAA mandated that covered entities secure all personal health information (PHI). If PHI is accessed, acquired or disclosed by or to an unauthorized person, the covered entity must notify those affected parties and the Department of Health and Human Services. If the breach affects more than 500 residents of the same state, they must publish notice in prominent media outlets. If the breach pertains to a smaller number and 10 or more of those affected cannot be located, then they must post notice in major print media.
For Business Associates (anyone who performs certain functions or provides services that involve the use or disclosure of PHI to a HIPAA covered entity)
• The Act extends the security and privacy provisions of HIPAA to business associates. Prior to HITECH, HIPAA did not apply to business associates and they had no direct accountability for security breaches into personal health information. Now, business associates are directly accountable for violations, must give notice of breaches and are subject to the penalties outlined below.
What Happens if You Fail to Comply:
• Increased Penalties for Privacy Violation - Previously, the HHS could fine a covered entity up to $100 per violation and a maximum of $25,000 per year for failure to comply with privacy requirements. Post-HITECH, the HHS may penalize an entity and/or a business associate anywhere from $100 to $50,000 per violation with a cap of $1,500,000 per year. However, penalties will vary significantly depending on a variety of factors, including the date of the violation and whether the entity knew or should have known of the failure to comply.
• Increased Risk from Lawsuits - Forthcoming regulations (within 3 years) will allow harmed individuals to collect damages (acquired from the above penalties). Combined with the pervasive notice requirement, this creates a potentially hazardous situation. HITECH creates a situation where many individuals know they have a claim and where to find the money they are owed. Failure to operate proactively before a violation may cost the entity or business associate massive litigation fees defending against personal and class action lawsuits.
What’s the Best Way to Protect Yourself:
Covered entities and business associates should act quickly to limit potential exposure. While the HHS is still issuing guidance on HITECH’s provisions, companies can be proactive by doing the following:
• Consult with counsel to assess your company’s compliance with HITECH requirements and ability to respond in the event of a breach.
• Renegotiate contracts with Business Associates as well as HIPAA privacy policies and procedures to reflect HITECH requirements.
• Review HHS guidelines on the most appropriate electronic safeguards for protecting personal health information so that breaches do not occur and, when they do, are less likely to be the result of willful neglect.
• Implement and test software security measures to ensure PHI is unusable, unreadable or undecipherable to unauthorized individuals.
• Talk with your broker about insurance options providing coverage for attorneys’ fees, expenses and third-party liabilities resulting from increased exposure.
For additional information, contact Chris White of White & Co, LLP.