Under Scrutiny

HIPAA and ARRA Changes Focus on Increasing Enforcement of Regulations Regarding Privacy and Security of Health Information

When Andrea Smith pled guilty last April to wrongfully disclosing individually identifiable health information for personal gain, healthcare providers took note.
 
The licensed practical nurse from Trumann, Ark., who was employed by Northeast Arkansas Clinic in nearby Jonesboro, had accessed the medical information of an unnamed patient on Nov. 28, 2006, and had then shared that information with her husband, Justin Smith, who called the patient and threatened to use the information against him in “an upcoming legal proceeding.” The clinic was not charged; Smith’s employment was terminated. She faced a maximum penalty of 10 years’ imprisonment and/or a fine of up to $250,000.
 
More recently, authorities learned that an employee at Johns Hopkins with access to the hospital’s patient database may have breached more than 10,000 patient records. CVS recently paid $2.25 million and toughened the company’s disposal practices to settle a Health Insurance Portability and Accountability Act (HIPAA) privacy and security case. And in Virginia, the scope of a prescription drug data breach remains unknown; state officials still don’t know the extent to which a hacker compromised Virginia’s prescription drug monitoring system.
 

Close to Home

“Most HIPAA violation cases don’t make headlines, and you don’t usually hear about them until it happens to someone you know, if then,” Walt Schuler, a healthcare attorney with Evans Petree Bogatin PC in Memphis, told attendees at the seminar “HIPAA Changes are Coming,” held June 25 at the Doubletree Hotel in Memphis and co-hosted by Morris Landau, the HIPAA privacy and security officer at St. Jude Children’s Research Hospital in Memphis.
 
HIPAA, which brought sweeping changes to the business of medicine, became law 13 years ago this month. Among other mandates, HIPAA required the U.S. Department of Health and Human Services (DHHS) to develop standards for the electronic exchange of health information, such as identifiers, transactions, and code sets; for the security of such electronic health information; and for the privacy of health information.
 

New Wrinkle

The American Recovery and Reinvestment Act of 2009 (ARRA), also referred to as the “Stimulus Bill,” signed by President Obama in February, includes the HITECH (Health Information Technology for Economic and Clinical Health) Act, which authorizes $19 billion to accelerate the use of electronic medical records in all providers’ offices.
 
“ARRA made significant changes on many different fronts regarding the relationship of health information,” said Landau, who has served as a health policy analyst with DHHS, Office of the National Coordinator for Health Information Technology, and Office of Policy and Research. “Many people are not aware of these significant changes, specifically regarding civil penalties for breaching the HIPAA privacy and security rules, which have greatly increased.”
 
In addition, the Federal Trade Commission’s Red Flags Rule, which requires most providers to protect against identity theft, will take effect Aug. 1, and the interim final rule on HIPAA breach notification, anticipated Aug. 18, will add teeth to HIPAA’s privacy and security rules. Schuler and Landau stay busy educating providers and other institutions on confidentiality, disclosure, documentation requirements for health information and other HIPAA issues. “Even now, healthcare providers still struggle with how to properly evaluate and respond to requests for healthcare records and patient information from attorneys, government agencies, family members, and others, and the latest changes to HIPAA will require providers to become even more educated and responsible in these areas,” said Schuler.
 

Perks and Punts

“A main feature of ARRA legislation calls for incentive reimbursement payments of more than $40,000 from 2011 to 2015 to physicians in smaller practices who adopt Electronic Health Records (EHRs),” said Landau.
 
ARRA also calls for the creation of regional health IT extension centers across the country to encourage participation. “EHRs are viewed at the federal level as a stimulus and mechanism to lower healthcare costs,” said Schuler.
 
However, he cautioned, not using the incentive program will eventually become a penalty in its own right. “Over time, not having an electronic medical system will potentially lead to losing out on full reimbursement,” he explained.
 
DHHS’s longer-term plan is to create the Nationwide Health Information Network (NHIN), something like a medical Internet.
 
“To do that, you have to have privacy and security, because without trust of the information, no one’s going to use it,” said Landau. “Congress increased privacy and security regulations in order to ensure the security of health information exchange. By Feb. 18, 2010, many of those regulations will be occurring.”
 

Added Bite

ARRA provided federal regulatory agencies with additional funds to increase the enforcement of HIPAA violations.
 
“There’s increased scrutiny at the federal level, and ARRA now allows state attorneys general to bring suit for HIPAA violation cases,” said Schuler.
 
Before ARRA, the basic civil penalty for HIPAA privacy violations was a fine of up to $100 for each violation, not to exceed $25,000 for violations of an identical requirement during any calendar year.
 
Now, HIPAA enforcement requires DHHS to formally investigate any complaint for which a preliminary investigation indicates a possible violation due to “willful neglect,” and regulations will be promulgated no later than Aug. 18, 2010 to describe the enforcement mechanisms, including the collection of civil monetary penalties. Other significant changes: any person may be criminally liable under HIPAA, and civil penalties now extend to employees of the covered entity.
 
“Dealing with an alleged violation is a very burdensome and expensive process, even when the allegation is relatively minor, due primarily to the provider’s duty to thoroughly investigate the complaint, and to take affirmative steps to mitigate the effects of even accidental improper disclosures,” said Schuler.
 
Landau, who also worked for the Office for Civil Rights (OCR) at DHHS, said it’s very simple to file a complaint.
 
“Any third party can do it,” he said. “The threshold is very low. When I was with the OCR, we had to investigate all complaints. Now the statute says the OCR shall provide periodic audits to ensure that covered entities and business associates comply with the new requirements.”
 
Landau knows the toll HIPAA compliance issues take on providers. “It becomes even more expensive to trace the audit trail of electronic health information,” he said.
 

Down the Pipeline

By Aug. 17, 2010, the Government Accountability Office (GAO) will report to Congress with recommendations for a methodology under which an individual harmed by a HIPAA violation may receive a percentage of the resulting civil monetary penalties or monetary settlement.
 
“Providers must be aware of the new requirements and greater threats, and be prepared,” said Schuler. “They need to dust off their compliance plan, update it, and refresh their staff on HIPAA requirements as the regulations come down.”