HITECH/HIPAA Effective Dates & Commentary


You can find an excellent summary of the modifications to HIPAA mandated by the HITECH Act here. It is one of the more thorough summaries we have found to date, with Appendix A containing a calendar of HITECH/HIPAA due dates and effective dates.

This post will review the pertinent dates from the HITECH Act Subtitle D and provide commentary as appropriate:

If you would like more information regarding EHR implementations, and related compliance issues, sign up for our FREE HITECH/HIPAA Compliance Newsletter.

Upon Enactment: February 17, 2009

  • Application of tiered civil monetary penalties (i.e., for violations occurring post-enactment)
  • State Attorney General authority to enforce (i.e., bring a civil action on behalf of citizens post-enactment)

Note: Clearly this raises the stakes from day one. We don't know of any cases brought by a state AG as of yet (circa August 2009), but when it happens it is guaranteed to make the national news.

Within 60 Days of Enactment: April 20, 2009

  • HHS must set forth a list of technologies and methodologies that render information "unusable, unreadable or indecipherable." This list is directly relevant to the breach notification requirements.

Note: Notification of breach requirements were covered in this post. Section 13402 of HITECH's Subtitle D is the relevant section. HHS has provided the required guidance and therefore unsecured PHI now is defined (paraphrased and annotated) as follows:

13402(h): unsecured PHI* means PHI that is not secured through: 1) encryption; and/or 2) destruction, as provided by HHS guidance. Methods must render PHI "unusable, unreadable, or indecipherable" to unauthorized individuals (see HIPAA Security Rule & NIST standards).

By this specific date: December 31, 2009

  • HHS must adopt rules for the initial prioritized set of standards related to accounting for disclosures, with the regulations required to implement the standard due six (6) months after the standard has been adopted.

Note: the relevant Subtitle D Section is 13405.

Due Within One Year Post Enactment: February 18, 2010

  • HHS and FTC study on privacy and security requirements for PHR vendors and applications
  • GAO study on best practices for disclosures for treatment and use of electronic informed consent.
  • First annual report on HIPAA enforcement.
  • First annual guidance on the most effective and appropriate technical safeguards for health information.
  • HHS study on de-identification.
  • HHS implementation of health information privacy educational initiative.

Note: PHR (personal health records) vendors include companies like Google and Microsoft. These are "cloud computing" offerings that allow consumers/patients to track their own health information. EHR vendors are also offering cloud solutions as discussed here.

Effective One Year Post Enactment: February 18, 2010

  • Application of rules to, and accountability for, business associates.
  • Clarification regarding which entities are required to be business associates.
  • Patient's right to restrict disclosures to health plans.
  • Deeming of limited data set as satisfying the minimum necessary standard.
  • Patient's right to electronic access to, and an electronic copy of, their health record.
  • Clarification regarding marketing provisions.
  • Opt-out for fundraising communications; HIPAA's current provisions regarding fundraising remain in full force and effect.
  • Clarification regarding the ability to impose criminal penalties against individuals.
  • Civil monetary penalties and settlements flowing to HHS/OCR (Office of Civil Rights) for enforcement.
  • Requirement for HHS to begin conducting mandatory audits.

Note: The last two "bulleted" items are covered in Sections 13410 and 13411. Refer to this post for more information regarding improved enforcement (13410) and this one for mandatory audits (13411).

Within 180 Days of Enactment: August 18, 2010

  • HHS and FTC must each promulgate interim final regulations on breach notification, which apply to breaches discovered on or after the interim final regulations have been published.

Note: Breach notification is covered in Section 13402 of HITECH's Subtitle D.

Within 24 Months of Enactment: February 18, 2011

  • HHS to provide guidance regarding "minimum necessary."
  • Promulgated regulations regarding prohibition on the sale of PHI data, which will be effective six (6) months post promulgation.
  • GAO report on methodology for providing individuals with a percentage of HIPAA penalties.
  • Promulgation on imposition of civil monetary penalties in cases of "willful neglect" and that HHS can pursue a civil action that would otherwise qualify as criminal.

Note: Individuals still cannot bring a civil action but clearly will now have more financial incentive to file a HIPAA complaint. The definition of "willful neglect" is still an open question. Refer to this post for commentary regarding same.

By this specific date: January 1, 2011

  • Initial deadline for complying with new accounting for disclosure rules for entities implementing EHR systems post January 1, 2009.

Note: the relevant Subtitle D Section is 13405.

24 Months of Enactment: February 18, 2011

  • Clarification of HHS' ability to pursue civil penalties when criminal penalties are not pursued; applies to violations discovered on or after.
  • HHS' requirement to impose civil monetary penalties in cases of "willful neglect"; applies to violations discovered on or after.

Note: Given the lax enforcement of HIPAA's Privacy & Security Rules prior to the HITECH Act, I am certain that HHS is going to have no problem finding instances of "willful neglect"--especially for those unlucky few to be the first ones audited.

36 Months of Enactment: February 18, 2012

  • HHS to promulgate methodology for providing individuals with a percentage of HIPAA penalties that OCR collects.

Note: It should be fairly clear that the HITECH Act has provided HHS with a money machine and individuals get to play for more than "funzies."

By this year: 2013

  • Extended deadline for older systems to comply with the new accounting for disclosure rules.

Note: the relevant Subtitle D Section is 13405.

By this specific date: January 1, 2014

  • Initial deadline for older systems to comply with the new accounting for disclosure rules.

Note: the relevant Subtitle D Section is 13405.

60 Months of Enactment: February 18, 2014

  • GAO study on impact of American Recovery and Reinvestment Act (ARRA).

By this year: 2016

  • Extended deadline for older systems to comply with the new accounting for disclosure rules.

Note: the relevant Subtitle D Section is 13405.


Full post as published by LawTechTV on August 12, 2009.
