Quadax   
May 2009 Newsletter
American Recovery and Reinvestment Act: Big Healthcare Compliance Changes

By: Catherine Sicker, Corporate Compliance Officer

You may not have realized it, but the stimulus package, formally named the American Recovery and Reinvestment Act (ARRA), imposes new healthcare compliance obligations. These new privacy and security provisions fall under the Health Information Technology for Economic and Clinical Health (HITECH) Act, and include:

  • New requirements for Business Associates (BAs):
    The HIPAA Security Rule will apply directly to BAs of Covered Entities (providers, payers and clearinghouses).
  • New breach and disclosure notification requirements (ARRA defines a breach of protected health information (PHI) as the unauthorized acquisition, access, use, or disclosure of PHI):
    Notify each person whose unsecured PHI is disclosed in a breach.
    Send notices to media outlets if the breach involves more than 500 residents of a state or jurisdiction.
    Notify the Department of Health and Human Services (HHS) immediately of a breach that involves more than 500 people.
    Submit an annual report to HHS documenting any breaches that involved fewer than 500 people during the year.
    BAs are required to notify Covered Entities of any breaches.
  • A mandate that HHS post an annual list of Covered Entities' fines, corrective actions, and technical assistance requirements.
  • Increased civil penalties.
  • Funding for, and a mandate to conduct, audits.
  • Permission for (non-Medicare) patients to pay out of pocket for a healthcare service and request nondisclosure of the rendered service.
  • Enforcement authority granted to state attorneys general to bring civil actions in federal court against individuals who violate HIPAA.

Another focus of HITECH is the security of PHI. HHS and the Federal Trade Commission (FTC) both recently issued proposed regulations to satisfy their obligations under HITECH. The information security guidance relates to two sets of breach notification regulations: the first, applicable to Covered Entities and BAs, was issued by HHS; the second, applicable to vendors of personal health records and certain other non-HIPAA-covered entities, was issued by the FTC.

The HHS security guidance is clear that its recitation of information safeguards, though the proposal is still pending public comment, is intended to be exhaustive. The guidance acknowledges that use of the technologies and methodologies described therein is not required, but that, if used, they “create the functional equivalent of a safe harbor” with respect to the breach notification provision of HITECH.

HHS is required to specify technologies and methodologies that will render PHI unusable, unreadable, or indecipherable to unauthorized individuals. If Covered Entities and BAs apply technologies and methodologies specified in the guidance to PHI, they will not be required to provide breach notice to affected individuals, HHS or the media. PHI may be secured through:

  • Destruction:
    Paper, film, or other hard-copy media: shredded or destroyed such that the PHI cannot be read or reconstructed.
    Electronic media: cleared, purged, or destroyed consistent with NIST SP 800-88, Guidelines for Media Sanitization.

Because these provisions are now written into federal law, as opposed to administrative rules, and subject to severe penalties for noncompliance, covered entities and BAs must make their privacy and security compliance a top priority.
