Humana 2011 Annual Report Download - page 37

Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act)
The use of individually identifiable health data by our business is regulated at federal and state levels. These laws and rules are changed frequently by legislation or administrative interpretation. Various state laws address the use and maintenance of individually identifiable health data. Most are derived from the privacy provisions in the federal Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act, or HIPAA. HIPAA includes administrative provisions directed at simplifying electronic data interchange through standardizing transactions, establishing uniform health care provider, payer, and employer identifiers, and seeking protections for confidentiality and security of patient data. The rules do not provide for complete federal preemption of state laws, but rather preempt all inconsistent state laws unless the state law is more stringent.

These regulations set standards for the security of electronic health information. Violations of these rules could subject us to significant criminal and civil penalties, including significant monetary penalties. Compliance with HIPAA regulations requires significant systems enhancements, training and administrative effort. HIPAA can also expose us to additional liability for violations by our business associates (e.g., entities that provide services to health plans).
The HITECH Act, one part of the American Recovery and Reinvestment Act of 2009, significantly broadened the scope of the privacy and security regulations of HIPAA. Among other requirements, the HITECH Act mandates individual notification in the event of a breach of unsecured, individually identifiable health information, provides enhanced penalties for HIPAA violations, and grants enforcement authority to states' Attorneys General in addition to the HHS Office for Civil Rights. On October 30, 2009, HHS issued an Interim Final Rule implementing amendments to the enforcement regulations under HIPAA. On July 14, 2010, HHS issued a Proposed Rule containing modifications to privacy standards, security standards, and enforcement actions. In addition, HHS is currently in the process of finalizing regulations addressing security breach notification requirements. HHS initially released an Interim Final Rule for breach notification requirements on August 24, 2009. HHS then drafted a Final Rule which was submitted to the Office of Management and Budget but subsequently withdrawn by HHS on July 29, 2010. Currently, the Interim Final Rule remains in effect, but the withdrawal suggests that when HHS issues the Final Rule, the requirements for how covered entities should respond in the event of a potential security breach involving protected health information are likely to be more onerous than those contained in the Interim Final Rule.
In addition, there are numerous federal and state laws and regulations addressing patient and consumer privacy concerns, including unauthorized access or theft of personal information. State statutes and regulations vary from state to state and could impose additional penalties. Violations of HIPAA or applicable federal or state laws or regulations could subject us to significant criminal or civil penalties, including significant monetary penalties. Compliance with HIPAA and other privacy regulations requires significant systems enhancements, training and administrative effort. An investigation or initiation of civil or criminal actions could have a material adverse effect on our business reputation.
American Recovery and Reinvestment Act of 2009 (ARRA)
On February 17, 2009, the American Recovery and Reinvestment Act of 2009, or ARRA, was enacted into law. In addition to including a temporary subsidy for health care continuation coverage issued pursuant to the Consolidated Omnibus Budget Reconciliation Act, or COBRA, ARRA also expands and strengthens the privacy and security provisions of HIPAA and imposes additional limits on the use and disclosure of protected health information, or PHI. Among other things, ARRA requires us and other covered entities to report any unauthorized release or use of or access to PHI to any impacted individuals and to the U.S. Department of Health and Human Services in those instances where the unauthorized activity poses a significant risk of financial, reputational or other harm to the individuals, and to notify the media in any states where 500 or more people are impacted by any unauthorized release or use of or access to PHI. ARRA also requires business associates to
27