Stimulus Package Includes New HIPAA Security Rules
Small Practices Face Greatest Financial Impact
By Sheri Porter
3/18/2009
According to provisions in the legislation, physicians now will be required to track any disclosure of a patient's medical information. Previous regulations allowed physicians to disclose patient information for the purpose of treatment, payment or health care operations, but they were not required to track when that information was disclosed.
However, the new legislation requires physicians who use an electronic health record, or EHR, to "have the ability to track every time (patient) information has been disclosed," said Robert Tennant, a senior policy advisor for the Colorado-based Medical Group Management Association, or MGMA.
Although the provision doesn't kick in for current EHR users until Jan. 1, 2014, patients will be able to request an accounting of disclosures of their electronic personal health information going back three years from the date of the request, potentially dating back to 2011.
In addition, the legislation requires practices to post information about security breaches if a breach affects 10 or more patients. If a security breach affects 500 or more patients, practices must notify all of their patients, a local media outlet, and the HHS secretary.
"It's very similar to what is occurring in a lot of states that have laws against identity theft," said Mike Fleischman, a principal of Gates, Moore and Co., an Atlanta-based health care consulting and accounting firm.
Even a small family medicine practice could have thousands of patient records in its database, said Tennant. A stolen laptop computer or misplaced PDA could potentially compromise large amounts of patient data.
The new legislation also calls for beefed-up enforcement rules and a new aggressiveness in assigning fines. Fines for security breaches start at $100 and can go as high as $1.5 million.
In addition, the legislation empowers state attorneys general to enforce some HIPAA elements and gives them the authority to bring class action suits, said Fleischman.
Impact on Physicians
The upside is that the regulations will give consumers more control over their personal health information, said Kibbe. "But the regulations will also likely increase the uncertainty, complexity, cost and risk for anyone or any organization who collects, stores, manages or transmits personal health information."
He noted that provisions of the HITECH Act were long debated and "reflect a compromise that most people on Capitol Hill like."
Tennant said he's focusing on how the provisions apply to family medicine practices and how they will affect physicians' ability to treat patients. Overall, he sees the provisions as adding a "new layer of confusion that can't do anything positive to patient care."
He also pointed out that there is no stimulus money provided to help physicians shore up their privacy policies and procedures. "This is all money that comes off (physicians') bottom line," said Tennant.
Fleischman countered that although there was no immediate cause for alarm, physicians should be aware of the rules that pertain to them. He called the new legislation "a tweaking" of the HIPAA regulations from 1996.
The biggest change affects physicians' business associates, said Fleischman. They now will be required to fully comply with HIPAA privacy and security rules. That means clearinghouses, accountants, lawyers and others who support physicians and have access to protected health information will have more culpability in terms of privacy violations.
What to Do
He also suggested that physicians go back and review HIPAA policy in general, paying particular attention to new staff members who may not be up to snuff on privacy policies and procedures.
"There's a new sheriff in town and what used to be a minor infraction … could very well lead to a substantial fine," said Tennant. "What you don't want is for the practice to make a mistake simply because staff weren't trained or weren't aware."
Tennant and Fleischman agreed that physicians should keep a close eye on pertinent government appointments because even though some of the new regulations take effect almost immediately, much of the content in the HITECH Act will be fleshed out during the coming months.
"We're waiting to see what the new HHS secretary and CMS administrator will do in terms of crafting regulations to support and further define the legislation," said Tennant.
Concerns About Unintended Consequences
Small practices have fewer financial resources and, therefore, have fewer options, said Kibbe. "Put very bluntly, the small medical practice is going to face additional costs for health IT implementation as a result of the HITECH Act's amendments to HIPAA."
Kibbe also is wary of possible unintended consequences from the audit reports that will be necessary to account for disclosures of patient information. He called them "technically challenging and operationally burdensome," and he didn't think any of the EHRs currently marketed for ambulatory care could provide the reports.
Physicians contemplating an EHR purchase -- an action the feds desperately want physicians to take -- might further delay their purchases "until they know the products have this feature and that it works," cautioned Kibbe.
Steven Waldren, M.D., director of the AAFP's Center for Health IT, said the Academy soon would be making additional educational resources available to help members further understand and comply with the government's latest privacy and security regulations.
