ARRA's Impact on HIPAA Privacy and Security
(Oct. 28, 2009)
Part 3: Marketing and Enforcement
Under the new American Recovery and Reinvestment Act (ARRA) of 2009, a number of modifications to the Health Insurance Portability and Accountability Act's (HIPAA) Privacy and Security rules are now in effect. Part 1 and part 2 of our series on the impact of ARRA on HIPAA discussed the expanded role of business associates in complying with the privacy and security regulations of Protected Health Information (PHI) and reporting and defining security breaches and disclosures.
The last two significant changes created by ARRA relate to using PHI for marketing activities and enforcement of these regulations.
Marketing
The ability of covered entities to use PHI for marketing purposes without the patient's authorization will now be limited under ARRA. Previously, entities have used the broad exceptions to use and sell PHI for various health-related purposes, often citing that these activities fell under 'healthcare operations,' which do not require individual authorization. However, the Health Information Technology for Economic and Clinical Health (HITECH) Act, the section under ARRA that expands the HIPAA privacy and security provisions, prohibits such activity without specific patient authorization.
Communication with patients about products or services that encourages the individual to purchase or use the product or service will be permitted without the individual's authorization provided one of the following criteria is met:
- the communication is made to describe a product or service provided by or included in the plan of benefits for the covered entity making the communication;
- for treatment purposes; or
- for case management, care coordination or to recommend alternative therapies, providers or settings of care.
In addition, subject to limited exceptions, the previously described communications will require patient authorization if the covered entity receives direct or indirect payment for making them.
Enforcement
ARRA provides state attorneys general with the authority to bring actions to obtain injunctive relief or damages on behalf of state residents who have been, or are threatened to be, adversely affected by violations of HIPAA. In other words, the attorney general offices of each state can sue individuals for HIPAA violations.
Under the HITECH Act, the financial penalties for violations of HIPAA have been increased (see sidebar) and a percentage of the civil penalties collected will be distributed to the individuals harmed by the violations. The top threshold is set at $1.5 million.
In addition, periodic audits will now be mandatory, as will formal investigations of complaints.
HHS must issue regulations within the next three years to allow individuals to receive a portion of any civil monetary penalty or monetary settlement.
