CEO SUMMARY: There were plenty of headlines about the passage of HITECH last February because of how it expanded funding for electronic medical records. But lesser known are new requirements that providers, including labs and pathology groups, must now take specific compliance actions in response to breaches involving protected health information (PHI). Enforcement of these new requirements by the Department of Health and Human Services begins on February 22, 2010.
MUCH IS KNOWN ABOUT THE STIMULUS BILL signed last February and how it included money to advance electronic patient records. But most laboratory executives and pathologists remain unaware of important new notification requirements for reporting breaches of patient privacy.
These requirements are contained in the Health Information Technology for Economic and Clinical Health Act (HITECH). HITECH was part of the American Recovery and Reinvestment Act (ARRA), which became law last February.
“HITECH details healthcare providers’ responsibilities in regard to breaches in patient privacy,” said Elizabeth Sullivan, Associate Attorney at McDonald Hopkins, LLC, of Cleveland, Ohio. “On February 22, 2010, the Department of Health and Human Services (HHS) will begin to enforce these new requirements. Clinical laboratories and pathology groups should review their existing compliance programs before that date to make sure they comply with the new rules.
“This law turns out to be more nuanced than it appears when you read it the first time,” she observed. Sullivan was speaking last week at THE DARK REPORT’S audio conference titled “New Legal Issues and Regulatory Changes and Their Potential Impact on Clinical Laboratories and Pathology Groups.” “The HITECH legislation contains several elements about which labs and pathology groups should become informed,” explained Sullivan. “One major new requirement is, whenever a breach of privacy involves 500 or more residents of a state, the provider must notify a prominent media outlet of the breach.
Reporting A Privacy Breach
“Similarly, when a privacy breach involves more than 500 residents of a state, another requirement is that the provider must immediately contact the Secretary of Health and Human Services to report the breach,” added Sullivan.
“Determining whether an entity is required to notify individuals of the breach is the first step that the provider must take,” she said. “When the breach involves more than 500 residents of a state, determining the appropriate media outlet for disclosure can also present a challenge. It varies from case to case. It is important that providers covered under this statute know how to recognize what action to take in a specific situation.”
Sullivan stressed that one reason that the HITECH legislation makes compliance more complex is the nuance involved in identifying breaches that require notification. “Determining whether the breach requires notification is only a starting point toward compliance,” said Sullivan. “A ‘breach’ is the acquisition, access, use, or disclosure of protected health information that is not permitted under HIPAA. This involves protected health information, or PHI, as defined by the law.
Risk Assessment Of Breach
“These notification requirements only apply when unsecured PHI [any PHI that is not encrypted or destroyed] is breached,” she noted. “To determine whether notification is required, the interim final rule gives entities the opportunity to assess the risk of the harm that could result from the breach. The challenge is to determine whether the risk of harm from the breach rises to a level that requires notification.
“Here is where the law offers only broad guidance,” she observed. “Only breaches of unsecured PHI, posing a ‘significant risk of financial, reputational, or other harm to the individual’ require notification.”
“Therefore, it is the provider’s responsibility to make a judgment call,” said Sullivan. “HITECH’s interim final rules give several examples of differing levels of risk. For example, a breach disclosing that an individual was treated at a hospital without any more information poses less of a risk of harm than a breach disclosing the types of procedures or the patient’s diagnosis.
“Similarly, a breach of PHI to another covered entity poses less of a risk than a breach to a non-covered entity which is not obligated to safeguard PHI,” noted Sullivan. “Thus, a confidential lab report mistakenly faxed to the wrong doctor’s office would carry less of a risk of harm than the same report mistakenly faxed to, say, a bank or tire store. Any breach that could lead to identity theft is considered high risk.
“Once the lab or pathology group identifies that a breach of patient privacy has occurred that requires notification,” she noted, “the next step is to determine whether the breach is so extensive that it requires the provider to notify a major media source in addition to making individual notifications. In both instances, the Department of Health and Human Services must be notified. If the breach involves more than 500 residents of a state, HHS must be notified immediately.
“Clinical labs and pathology groups should review their current policies for safeguarding PHI,” she advised. “Particular attention should be devoted to the lab’s internal notification process when a breach is discovered, since entities have a limited time period to notify individuals of a breach under the new rule.”
Lab industry vendors and business partners should take note that the HITECH and HIPAA statutes may include them in specific instances. “Business associates working with the lab are also at risk,” warned Sullivan. “That is because HIPAA-covered entities and their business associates are subject to the new breach notification rule.”
These highlights about the new compliance requirements contained in HITECH demonstrate the need for all clinical laboratories and pathology groups to develop appropriate policies for their own organization. Only about four months remain before HHS begins enforcing the new law.