HIPAA Regulatory Alert

HIPAA requirements, penalties increased

According to the Ambulatory Surgery Center Association, the economic stimulus package passed by Congress last year included several changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) involving privacy of patient information:

• The penalty for violations increased from $100 per violation to $1,000 per violation, with a maximum penalty of $100,000. If the violation involves willful neglect, the penalty per violation is $100 to $1,000, and the maximum penalty is $100,000.

• When an unauthorized disclosure occurs, facilities have a greater obligation to alert patients and the government. Unless the information was "secured," facilities will be required to notify those whose protected health information was involved. The Centers for Medicare & Medicaid Services (CMS) issued guidance last spring that said information must be encrypted or destroyed to be considered "secured." In some circumstances, facilities must notify the federal government and the media about the unauthorized disclosure.

• Patients can prevent providers from giving information to payers about services for which the patient pays directly. This change will require modification of some contracts, the ASC association points out.

• Facilities that use electronic medical records (EMR) will be required to provide patients, upon request, with a list of all disclosures made through the use of an EMR for the prior three years. The implementation date for this provision depends on when the Department of Health and Human Services issues rules, but the earliest implementation date will be Jan. 1, 2011. Most of the other changes go into effect in 2010; however, increased penalties for violations have been in effect since Feb. 17, 2009.

• On Feb. 17, 2010, facilities using EMRs will be required to provide individuals a copy of their record electronically, upon request. Facilities can charge for the labor costs.