Healthcare Privacy Law

HITECH finally provides HIPAA teeth for privacy compliance failures.

Recently, Blue Cross Blue Shield of Tennessee was fined $1.5 million by the U.S. Department of Health and Human Services (HHS) to settle Health Insurance Portability and Accountability Act (HIPAA) violations related to a data breach in which protected health information (PHI) was disclosed without authorization. In 2009, an intruder illegally accessed a Blue Cross building and took more than fifty computer hard drives containing unencrypted information on about 1 million Blue Cross members. According to published reports, the recent fine brought the total estimated costs related to this one breach to over $18 million. Furthermore, the company estimates that over three hundred of its employees have worked at least part time on duties related to the breach. (That is what we call “opportunity cost”: when people are working on data breaches, they are not working on your business.) Lastly, the insurance company was ordered to revise its privacy and security policies and to train employees regularly on their responsibilities under HIPAA.

This is only the most recent HIPAA enforcement action authorized under the new compliance requirements of the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act.

  • In February 2011, the Department of Health and Human Services (HHS) imposed a civil monetary penalty of $4.3 million on health insurer Cignet Health for HIPAA violations.
  • Also in February of last year, HHS agreed to a $1 million settlement with Massachusetts General Hospital for similar violations.

Breach notification has become a significant factor in all privacy legislation. The changes to HIPAA under the HITECH amendments to the Social Security Act, effective in February 2010, require all HIPAA-covered entities (healthcare providers, payers or payment clearing houses) to notify affected individuals, and in some cases the media and HHS, of any breach involving PHI held by those entities or, in some cases, by their business associates. These are unbudgeted costs that can no longer be sustained or swept under the rug by the majority of businesses, in any sector.

The HIPAA effective date is now almost ten years old. The Office for Civil Rights (OCR) was originally empowered to investigate and enforce HIPAA Privacy and Security Rule violations. However, enforcement actions under the law for unauthorized use of PHI were few and far between prior to HITECH. Thus, while HIPAA has long been on the radar and in the healthcare lexicon, the level of effective implementation and compliance across the healthcare industry has been inconsistent at best, probably as a direct result of that lack of consistent enforcement.

But the game is changing with HITECH. Even though the HITECH changes have become effective over the past couple of years, as with any law it takes a couple of years for mandates to take hold and for the results to be seen. The recent enforcement action in Tennessee shows that any healthcare Covered Entity or Business Associate would do well to remind itself of the increased liabilities associated with using unsecured protected health information under this new compliance model.

Operational and Policy Requirement Changes

  • Business Associates’ Skin in the Game. “Business Associates” of Covered Entities are now included in many of the Covered Entity’s compliance requirements and can be held equally liable for violations.
  • Accounting of disclosures and access. Covered Entities and Business Associates must be able to account for disclosure of PHI for treatment, payment and operations (TPO) during the three years prior to the date on which the accounting is requested by an individual. Likewise, requesting individuals have a right to access that information.

Audit, Enforcement and Liability Changes

  • State Attorneys General Action. In 2009, state attorneys general were empowered to sue Covered Entities that commit HIPAA violations after February 16, 2009, for damages caused to the state’s citizens. Statutory damages can be equal to the number of violations multiplied by $100, up to a maximum of $25,000 per calendar year.
  • Civil liability
    • Covered Entities AND now Business Associates can be liable for violations.
    • Mandatory penalties will be imposed for “willful neglect.” Such a finding is for the courts, but having a privacy plan and operating according to it will go a long way to avoid a finding of willful neglect.
    • Penalties can extend up to $250,000, with repeated or failing to address violations extending the amount to $1.5 million.
  • Criminal liability.
    • HIPAA is revised to include criminal sanctions that the Department of Justice can seek against Covered Entities and others for violations of HIPAA.
    • HITECH amends HIPAA to state that anyone improperly using, accessing or disclosing protected health information in violation of HIPAA can face criminal prosecution.
  • OCR powers expanded. The OCR is now expected to:

How to prepare

To avoid these financial and legal liabilities, not to mention the public relations problems that come with mishandling protected health information, companies should look inward and ensure they are addressing their privacy and data security policies and procedures to account for, amongst other things, the following:

  • Encryption of protected health information. While there is no “silver bullet” for data privacy and security, the most impactful step a company can take to protect its protected health information, and to avoid data breach harm and the associated notification requirements, is to encrypt its personally identifiable information. NIST provides guidance on encryption and data destruction standards for compliance.
  • Minimum necessary. Re-examine policies and procedures in general, and specifically ensure that PHI is used only in accordance with the “minimum necessary” standard, so that only the information needed to accomplish a business transaction is collected, stored and shared.
  • Data breach response plan. HIPAA-covered entities and business associates must provide notification of an unauthorized disclosure of unsecured protected health information within a reasonable time, and no later than 60 days after the breach was first known or should have been known. Sixty days can pass very quickly. The time to have a plan is well before a breach is discovered.
  • Lastly, of course, all of this assumes your company already has a privacy policy and program in place. If not, time is more of the essence than ever.