HITECH Act of 2009 expands privacy and security rules

More oversight increases need for HIPAA compliance

Does your home health agency meet all of the requirements for compliance with the privacy and security sections of the Health Insurance Portability and Accountability Act (HIPAA)? Are you in compliance with the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009? Do you know the specific requirements of the HITECH Act?

When Heather P. Wilson, PhD, asks seminar participants to raise their hands if their home health agency is not in compliance with regulations, everyone raises their hands, she says. Wilson is principal of Weatherbee Resources, a Hyannis, MA-based compliance and hospice consulting firm. "Everyone did a great job preparing for the privacy requirements of HIPAA when it was enacted in 1996," she says. "Then, I believe everyone was exhausted and paid less attention to the security requirements."

The HITECH Act is part of the American Recovery and Reinvestment Act of 2009 (ARRA). Because ARRA is designed to accelerate the adoption of electronic health record systems, the HITECH Act expands the scope of the HIPAA privacy and security regulations and increases enforcement and penalties for noncompliance.

"The HITECH provisions are very far-reaching, and home care agencies and hospices were supposed to be in compliance in February 2010," says Wilson. One of the challenges in meeting HITECH requirements is the fact that not all of the requirements are finalized and some are changing, she says. "One of the most significant changes that all agencies should have addressed is related to business associate agreements," she points out.

The privacy and security requirements that apply to business associates are now the same as those that apply to covered entities, says Wilson. This means that business associates who use protected health information in providing services to a covered entity are now liable for noncompliance with all HIPAA regulations, she explains. "Business associate agreements need to be rewritten to reflect these changes, and all of an agency's business associates need to be educated," she suggests.

Wilson knows that not all agencies are paying attention to this change, because out of about 100 agencies for which her firm consults, she's received two letters informing her of the change and what it means. "Because of the services I provide, I know about the implications for my firm, but not all business associates will know this," she adds.

One agency that did not wait to address the expanded privacy and security requirements is the Palliative CareCenter & Hospice of Catawba Valley in Newton, NC. "We have updated patient privacy notices for all four services offered by our agency, and we've distributed those new notices to all of our patients," says Annette Kiser, RN, MSN, director of organizational integrity for the agency. "We have 260 patients receiving home care, so nurses had to carry the notices and have the patients sign notice receipts when they made their visits," she says.

Specific notification steps identified

One completely new section included in the HITECH Act is the breach notification rule, says Wilson. "There is a step-by-step guide for covered entities to use when a breach of privacy occurs," she says. "Although the previous rule called for the covered entity to notify individuals, it did not specify how and when to notify individuals," she adds.

Although the revision of business associate agreements and distribution of updated privacy notices have not significantly impacted her agency, the breach notification requirements did have an impact, Kiser points out. "Because the breach notification requirements are now very specific and can represent a high cost to implement . . . we decided to further reduce our risk of a breach by encrypting all of the laptops that our staff members use in the field," she says. "The total cost for encryption software and updates to the laptops was $30,000, but we believe it provides an extra layer of protection for patients and costs less than the damage to our agency's reputation if there is a breach."

Retraining staff about new requirements to protect patient information has taken time, but everyone has undergone training, says Kiser. "We were able to explain some of the changes, but because not all of the requirements have been published, we have to let them know that more changes are on the way," she adds.

One area for which agencies are awaiting specific requirements is the accounting of disclosures of protected health information (PHI), says Kiser. "We are told that we have to account for every disclosure made for treatment, payment, or health care operations," she says. Previously, disclosures made for treatment, payment, or health care operations did not have to be included in the accounting, but the concern is that the new requirements will cover treatment disclosures, so that organizations such as pharmacies and equipment providers will have to be documented as having received PHI.

"We are supposed to receive OCR [Office of Civil Rights] guidance by June about disclosure accounting, but it will represent a significant administration task," says Kiser. "At this time, we are preparing for the worst-case scenario, assuming that there are no exceptions, so that we can put the process into place quickly," she adds.

Some home care and hospice agencies may not be paying close attention to HITECH due to a combination of reasons, says Wilson. "I do think agencies are HIPAA-tired from so many different regulations and requirements," she says. "I also believe that because there has been so little enforcement of regulations in the past, many agency managers may think that they'll take their chances and just accept the fines as a part of doing business."

Unfortunately, for managers willing to risk noncompliance, the HITECH Act includes significantly higher penalty fees for noncompliance and a greater emphasis on enforcement, says Wilson. "CMS [Centers for Medicare & Medicaid Services] has been responsible for enforcing the HIPAA security rule, but the Office of Inspector General issued a report on how poorly the agency enforced the rule," she says. "Now, HITECH designates the Office of Civil Rights to enforce the security rule, as well as the privacy rule that they have always overseen," she adds.

Another change that will increase scrutiny of agency compliance is the fact that state attorneys general now have authority to pursue investigations and prosecution of noncompliant agencies within their states. "This provision further expands the enforcement oversight for compliance," Wilson adds.

"It remains to be seen how strictly HIPAA requirements will be enforced," Wilson says. "I don't know if it will be complaint-driven, or if there will be random audits conducted," she says. Because the goal of the ARRA is to move to a national health care system based upon electronic medical records, there is more money to support enforcement, she points out.

"We may see that the larger agencies or health care providers receive the most scrutiny, but all home care providers need to remember that compliance with federal regulations is one requirement of the CMS Conditions of Participation," says Wilson. For this reason, everyone — agencies and their business associates — should be careful to comply, she says. "We've always been careful about protecting patients' private information; now we need to be paranoid about protecting it."

Sources

For more information about the Health Information Technology for Economic and Clinical Health Act of 2009 and its effect on home care providers, contact:

• Annette Kiser, RN, MSN, Director of Organizational Integrity, Palliative CareCenter & Hospice of Catawba Valley, 3975 Robinson Road, Newton, NC 28658. Telephone: (828) 466-0466 Ext 2214. Fax: (828) 466-8862. E-mail: akiser@pchcv.org.

• Heather P. Wilson PhD, Principal, 259 North Street, Hyannis, MA 02601. Telephone: (508) 778-0008 or (866) 969-7124. Fax: (508) 778-8899.

Resource

The following resources are available as guidance for compliance with all aspects of the Health Insurance Portability and Accountability Act and the enhancements included in the Health Information Technology for Economic and Clinical Health Act of 2009:

• A free online source of information can be found at www.hipaasurvivalguide.com/.