Videntity is an enterprise-level solution for HIPAA Compliance after the American Recovery and Reinvestment Act (ARRA) of 2009 (a.k.a. “The Stimulus”).

Videntity, an Internet-based application framework for building healthcare-related communication applications, is a highly secure service based on a patent-pending identity verification and federation mechanism. Videntity can automatically sequester information in a variety of ways, including by phone, mobile phone, computer, or other devices. The service includes an anti-vishing technology that performs a two-way challenge-response over the telephone, which makes Videntity easily accessible to everyone.

Videntity can be used to power many types of identity communication applications.  For example, the service can be used to build and power a home health monitoring application, thus reducing the need for in-home care visits.  In this case it “checks-in” on individuals with chronic conditions and obtains health information on an ongoing, real-time basis.  Similarly, Videntity can be used to obtain explicit patient authorization for a transaction.  Videntity is a tool that was designed from the ground up to help solve many common security, privacy, and communication healthcare conundrums.  Videntity also eloquently addresses many of the new security provisions spelled out in the American Recovery and Reinvestment Act (ARRA) of 2009 (a.k.a. “The Stimulus”).

The American Recovery and Reinvestment Act of 2009 (ARRA), sometimes referred to as “the stimulus,” includes provisions which make significant improvements in the privacy and security standards for health information. The provisions concerning privacy and security are primarily found in ARRA’s Title XIII, Subtitle D and some parts of Subtitle A. Many of the changes, which go into effect Feb 17, 2010, can be grouped into four broad categories [1]:

  • Substantive changes to HIPAA statute and privacy and security regulations
  • Changes in HIPAA enforcement
  • Provisions to address health information held by entities not covered by HIPAA (as either covered entities or business associates)
  • Miscellaneous:  Administration/Studies/Reports/Educational Initiatives

In the following sections, we briefly describe some of the new ARRA regulations and how Videntity addresses these new requirements.

Changes in HIPAA Enforcement – ARRA causes HIPAA to “grow teeth” and shift from guidance to enforcement. ARRA states that a covered entity’s “Business Associates” are directly accountable for HIPAA compliance. Sections 13401 and 13404 of ARRA state that business associates can be held accountable by federal and state authorities for failure to comply with any applicable provisions of the HIPAA Privacy and Security Rules. [2]

Under current regulations, government authorities cannot hold business associates accountable for failing to comply with their business associate agreements. Covered entities can only be held liable for the actions of their business associates in limited circumstances.

Section 13409 of ARRA clarifies that HIPAA’s criminal penalties can be enforced against individuals, including (but not limited to) employees of a covered entity. This overrules a Department of Justice Office of Legal Counsel memo issued during the Bush Administration that states that only covered entities can be criminally prosecuted for violations of HIPAA. In addition, the wording of the provision may broaden the scope of activities for which criminal penalties can be attached, because authorities can prosecute an individual who obtains or discloses individually identifiable health information without authorization. [3]

Section 13410(a) of ARRA clarifies that HHS and state attorneys-general can pursue a civil HIPAA violation in cases where criminal penalties could attach but the Department of Justice declines to pursue the case. Section 13407 of ARRA establishes breach notification requirements for vendors of personal health records and other non-HIPAA covered entities. [4]


Disclosures – Currently, healthcare providers have to create a log of exchanges between physicians, payers, etc. Previously, disclosures between these entities were exempt from reporting, but ARRA creates a legal mandate for all entities covered by HIPAA to keep accurate audit trails of personal health information. Providers, payers, and other HIPAA-covered entities are required to provide patients with a list of all of their personal health information disclosures made within the previous three years. Section 13405(a) of ARRA requires covered entities (and their business associates) to honor an individual’s request to restrict disclosure of protected health information to a health plan for purposes of payment or healthcare operations if the information pertains solely to a healthcare item or service that the individual has paid for in full out-of-pocket. [5]

Videntity creates a framework for secure exchange between:

  • Provider to Provider
  • Provider to Payer
  • Provider to Patient
  • Provider to Patient’s Guardian (spouse, parent, caregiver, etc)
  • Patient to Guardian (spouse, parent, caregiver, etc)

Videntity not only provides multiple means for verifying an individual’s identity, but also automates transaction authorization over the phone. This is especially important for users unaccustomed to using the web and/or mobile device technology. Each transaction requires the sender’s authorization (digital signature), the subject’s signoff (transaction authorization) and/or the receiver’s signoff (delivery signature).

Within Videntity, after a relationship is established between two or more parties, subsequent ID verification and authorization isn’t required.  The social graph acts as an access control list and transactions can occur implicitly as long as both parties agree.  In all cases, transactions are recorded with a complete audit trail.  Files containing personal health information can also be attached to each transaction.  Additionally, paper-based personal health information can be verified, authorized, sent, and delivered via Videntity using the Videntity Fax Service.
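As an added illustration (my own example, not Videntity’s code), here is a minimal model of the relationship-as-ACL, three-party signoff and audit-trail scheme described above, together with the three-year accounting-of-disclosures query from the Disclosures section. Party names, dates and purposes are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample data (assumed, not Videntity's): the consent graph.
# An edge means both parties agreed to exchange PHI, so it doubles as an ACL.
CONSENT = {frozenset({"dr_lee", "dr_patel"}), frozenset({"dr_lee", "patient_42"})}
REQUIRED_SIGNOFFS = {"sender", "subject", "receiver"}  # digital, authorization, delivery
NOW = datetime(2010, 2, 17)  # constructed reference date (ARRA effective date)

def years_ago(n: int) -> datetime:
    return NOW - timedelta(days=365 * n)

@dataclass
class Transaction:
    sender: str
    receiver: str
    subject: str  # patient whose PHI is being disclosed
    purpose: str
    signoffs: dict = field(default_factory=dict)  # role -> party who signed

def allowed(sender: str, receiver: str) -> bool:
    """The relationship graph is the access control list."""
    return frozenset({sender, receiver}) in CONSENT

def sign(tx: Transaction, role: str, party: str) -> None:
    """A signoff counts only from the party that actually holds that role."""
    expected = {"sender": tx.sender, "subject": tx.subject, "receiver": tx.receiver}
    if party != expected.get(role):
        raise PermissionError(f"{party} cannot sign as {role}")
    tx.signoffs[role] = party

def record_disclosure(log: list, tx: Transaction, when: datetime) -> dict:
    """Permit implicitly via an established relationship, otherwise only with all
    three signoffs; every attempt, permitted or refused, lands in the audit trail."""
    implicit = allowed(tx.sender, tx.receiver)
    missing = REQUIRED_SIGNOFFS - set(tx.signoffs)
    entry = {"when": when, "from": tx.sender, "to": tx.receiver, "subject": tx.subject,
             "purpose": tx.purpose, "basis": "relationship" if implicit else "signoffs",
             "permitted": implicit or not missing}
    log.append(entry)
    if not entry["permitted"]:
        raise PermissionError(f"refused: missing signoff(s) {sorted(missing)}")
    return entry

def accounting_of_disclosures(log: list, subject: str, now: datetime = NOW, years: int = 3) -> list:
    """Disclosures of this subject's PHI actually made within the look-back window."""
    cutoff = now - timedelta(days=365 * years)
    return [e for e in log if e["subject"] == subject and e["permitted"] and e["when"] >= cutoff]
```

Refused attempts stay in the log for forensics but are excluded from the patient-facing accounting, since only disclosures actually made are reportable.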

Individual Right of Electronic Access – Under the existing HIPAA Privacy Rule, individuals have always had a right to access and obtain a copy of their health records (in the form or format requested) if it is readily producible in such form or format, within 30 days of the request in most circumstances. The covered entity may impose a reasonable fee for such access or copy. Any limits on such charges are usually governed by state law. [6]

Under Section 13405(e) of ARRA, covered entities using electronic health records must provide individuals with an electronic copy of their record, which must be transmitted directly to an entity or person specified by the individual, as long as that directive is clear, conspicuous and specific. Any fee charged for the record cannot be greater than the entity’s labor costs in responding to the request. The ARRA provisions do not change the timeframe for responding to requests for copies of records. [7]

Videntity streamlines communication and information exchange between the patient, their doctor, and all those involved in the patient’s health portrait.  As a development platform, Videntity supports many communication modes including telephone, mobile phone, Internet appliance, desktop, kiosk, fax, and web applications.

Breach Notification – ARRA Section 13402 requires that covered entities provide notification to individuals if their health information has been breached (business associates are required to notify covered entities of any breaches; the covered entity must then notify the individual per the requirements).

Videntity can not only be used as a framework for breach notification, but can also help prevent information breaches from occurring. By employing multiple verification modes, strong encryption, and a social access control list, Videntity provides a secure framework for information exchange. Regardless of the source of the breach, Videntity can be used to automatically notify an individual, or individuals, and immediate corrective action can then be taken.

Summary – Videntity provides systematic cost-saving measures across the enterprise.  Videntity also streamlines communication and increases information flow while decreasing liability exposure related to HIPAA and ARRA.

REFERENCES
[1-7] Center for Democracy and Technology. “Summary of Health Privacy Provisions in the 2009 Stimulus Provisions.” Center for Democracy and Technology, 24 March 2009. <http://cdr.org>
