
Our Risk Management Department is staffed by experienced professionals with legal and clinical backgrounds.

This combination provides our clients with assistance from staff who have a thorough understanding of both the clinical situation and the legal issues and their implications. Our programs and services include:
 · Risk identification
 · Risk reduction
 · Loss prevention
 · Risk management education

We identify and implement sound risk management services to help you avoid potential incidents and lawsuits.


______________________
The Psychiatrists' Program
1515 Wilson Blvd, Suite 800
Arlington, VA 22209-2404
(800) 245-3333
TheProgram@prms.com



HIPAA AND HITECH – WHAT YOU NEED TO KNOW

Terms

ARRA: American Recovery and Reinvestment Act of 2009 (aka Obama’s “Stimulus Act”)

HITECH: Title XIII of ARRA - Health Information Technology for Economic and Clinical Health

CE: Covered Entity under HIPAA

BA: Business Associate under HIPAA (entity that provides services to CE that requires access to patients’ protected health information)


As part of President Obama’s stimulus plan, the American Recovery and Reinvestment Act of 2009 was passed in February 2009.  One section of this federal law, known as the “HITECH Act” (Health Information Technology for Economic and Clinical Health), has significant implications for physicians and other healthcare providers.  While HITECH covers many topics, including electronic health records, it also amends the regulations under HIPAA.

SUMMARY IMPACT TIMELINE
(Note that compliance deadlines could always change)

As of 2-17-09

1. Civil penalties for HIPAA violations increase for CEs – up to $1.5 million

2. State Attorneys General (AGs) may bring HIPAA enforcement action against CEs

As of 8-16-09

3. Each Department of Health and Human Services (HHS) region is to provide guidance and education to CEs, BAs, and patients

As of 9-23-09

4. CEs and BAs must comply with HITECH’s breach notification provisions (in addition to state law requirements); need to amend BAAs

As of 2-17-10

5. HHS must have broad program to educate individuals about their rights

As of 2-18-10

6. BAs must now comply with HIPAA’s Security Rule

7. BAs are now subject to HIPAA’s (increased) civil and criminal penalties

8. State AGs can bring HIPAA enforcement action against BAs (in addition to CEs)

9. Employees and other individuals are subject to HIPAA’s criminal fines and penalties

10. HHS now required to conduct audits of CEs and BAs

11. New type of BA – data transmission entities (health information exchange organizations, regional health information organizations, e-prescribing gateways, vendors of personal health records); CEs need BAAs from these new BAs

12. Restriction on disclosure requests: CEs must comply with certain restriction requests from patients. A CE must agree to a patient's request to restrict disclosure if the disclosure is to a health plan for payment or health care operations (not treatment) AND the patient information pertains solely to health care items / services for which the patient has paid the provider in full

13. Patient access to CE’s electronic health record:  patients have the right to obtain copies of a CE’s electronic health record in electronic form

14. Minimum necessary is basically the limited data set (as defined by Privacy Rule), unless more is required; guidance to be issued prior to deadline

15. Further restrictions on using patient information for marketing purposes

As of September 2010

16. PHR vendors / service providers must give notice of security breaches

As of January 2011 

17. If CE’s electronic health record was acquired after 1-09, CEs and BAs must account for disclosures of electronic health record even if disclosure is for treatment, payment, or health care operations; regulations coming

As of February 2011

18. HHS must investigate complaints of willful neglect, and if substantiated, must impose statutory penalty – at least $10K - $50K per violation

19. HHS and state AGs can pursue civil HIPAA violations in cases where criminal penalty could attach, but the Department of Justice declines to pursue

As of February 2012

20. Individuals can recover a percentage of penalties or settlement

21. CEs and BAs may not sell patient information / electronic health records

As of January 2014 

22. If CE’s electronic health record was acquired before 1-09, CEs and BAs must account for disclosures of electronic health record even if disclosure is for treatment, payment, or health care operations
