Medical groups and health IT organizations are pushing for the U.S. Health and Human Services Department to clarify those terms so that the ground rules and boundaries are well defined. Mr. Hinkley said to expect clearer definitions between now and next summer, when he expects the government to start enforcing this aspect of HITECH.
Under existing laws, patients have the right to “individually requested privacy restrictions,” and the new laws will sustain and extend those rights. As of next year, patients will have the right to prohibit a medical practice from disclosing any information to insurers about a patient's self-pay services.
The regulation is an effort to protect patients from insurance company abuses around preexisting or potentially high-risk conditions, explained Mr. Hinkley. For example, a patient will now have the right to pay out of pocket for an HIV test and know that his or her serostatus will not be reported to an insurer that might drop the patient or significantly increase premiums if the patient were found to be HIV positive.
Expect heavy HHS enforcement of this and other privacy restriction rights, Mr. Hinkley said. “The [department's] Office for Civil Rights will step up efforts to make the public aware of this. It applies to anything a patient wants to do outside the scope of a health plan. So you will need to have procedures to document these requests and set up policies about how you're going to manage them.”
Penalties for breaches of personal health information and other HIPAA/HITECH violations are significant, ranging from $50,000 to $1.5 million per violation if judges deem that “willful neglect” was involved. But even “unknowing” violations can cost as much as $25,000 per incident. And this does not include any criminal penalties that might be associated with violations.
Mr. Hinkley said to expect significantly ramped-up enforcement of HIPAA and HITECH beginning in the spring.
So “this is a great time to do a HIPAA compliance tune-up,” he added. “Go back and review your electronic health record system [and] all your practice procedures, talk to your vendors, and make sure everything is in compliance.”