February 23, 2009
On February 17, 2009, President Barack Obama signed the American Recovery and
Reinvestment Act of 2009 (the “ARRA”), commonly referred to as the federal
stimulus bill. The ARRA contains several provisions -- intended to promote the
use of health information technology -- that would significantly expand the
scope of the privacy and security requirements of the Health Insurance
Portability and Accountability Act of 1996 (“HIPAA”). These changes, summarized
below, include:
- Direct, statutory liability for business associates for violations of
HIPAA’s privacy and security requirements;
- New notification obligations for covered entities, business associates
and other organizations in case of a breach of protected health information
(PHI) or of the security of personal health records (PHR);
- Additional rights for individuals regarding their PHI, particularly PHI
contained in electronic health records;
- Additional restrictions on certain disclosures by covered entities and
business associates;
- Increased civil penalties and expanded criminal liability for
violations;
- Mandatory compliance audits by the Department of Health and
Human Services (the “Department”);
- An expansion of entities required to have business associate agreements;
and
- Additional restrictions on marketing communications.
Direct, Statutory Liability for Business Associates
Effective February 17, 2010, business associates will be statutorily liable
for the use or disclosure of PHI that does not conform to the standards that
HIPAA sets forth for business associate agreements. Currently, business
associates are only liable to covered entities for such violations as a breach
of their business associate agreements. Additionally, business associates will
be statutorily liable if they know of a pattern of activity or practice of a
covered entity that materially breaches the business associate agreement
and such breach remains uncured, the business associate does not terminate its
contract with the covered entity, and the business associate fails to report the
uncured breach to the Department. Finally, business associates will be required
to comply directly with HIPAA’s security provisions. For example, business
associates will be required, effective February 17, 2010, to appoint a security
official and conduct staff training on HIPAA compliance.
Consequently, business associates should carefully review their business
associate agreements and practices to determine whether they comply with HIPAA’s
privacy and security requirements. Some business associates may already comply
with many of these provisions as a consequence of their efforts to meet their
existing contractual obligations. To the extent that current practices are
inadequate to ensure compliance, business associates will need to implement new
policies and practices.
New Notification Obligations in Case of Breach of PHI or PHR
The ARRA creates significant new notification obligations for covered
entities, business associates, PHR vendors and entities, and third-party service
providers that provide services to PHR vendors and entities. The Department and
the Federal Trade Commission (FTC) are required to promulgate interim final
regulations implementing the following notification requirements by August 16,
2009.
Covered Entities. When a covered entity discovers a breach of
unsecured PHI, the covered entity will be required to notify each individual
whose PHI has been -- or is reasonably believed to have been -- accessed,
acquired or disclosed as a result of such breach. (PHI is "unsecured" unless it
has been rendered unusable, unreadable or indecipherable to unauthorized
individuals through a technology or methodology, such as encryption, specified
by the Secretary of the Department (the "Secretary") in guidance; a breach of
properly encrypted PHI therefore does not trigger these notices.) Further, if
more than 500 individuals are affected by the breach, the covered entity will be
required to notify the Department as well as prominent media outlets serving the
state or jurisdiction in which the affected individuals reside. Breaches
involving fewer than 500 individuals must be recorded in a log that the covered
entity submits annually to the Secretary.
Business Associates. When a breach of unsecured PHI occurs under the
control of a business associate, the business associate will be required to
notify the covered entity.
PHR Vendors and Entities. When a PHR vendor or entity discovers a
breach of security of PHR, the PHR vendor or entity will be required to notify
the affected individual of the breach as well as the FTC.
Third-Party Service Providers. Third-party service providers that
provide services to PHR vendors or entities offering products and services
through a website will be required to notify the PHR vendor or entity upon
discovering any breach of security of PHR health information.
Additional Rights for Individuals Regarding Their PHI
The ARRA expands individual rights with respect to PHI in a number of ways.
Right to Electronic Copy. Effective February 17, 2010, individuals
will have the right to receive an electronic copy of their PHI if the PHI is
maintained in an electronic health record. The individual will also be able to
designate that the PHI be sent to another entity or person. Any fee charged by
the covered entity for providing the PHI must be reasonable and based on the
covered entity’s costs.
Right to Require Non-Disclosure for Out-of-Pocket Services. Effective
February 17, 2010, health care providers will be required to comply with an
individual’s request that PHI regarding a specific health care item or service
not be disclosed to a health plan for purposes of payment or health care
operations if the individual paid out-of-pocket, in full, for that item or
service.
Right to Receive an Accounting of PHI Disclosures. Individuals will
have the right to receive an accounting of PHI disclosures made by covered
entities or their business associates for treatment, payment and health care
operations during the previous three years if the disclosures were made through
an electronic health record. (Currently, individuals have a right to obtain an
accounting of disclosures of their PHI by a covered entity during the previous
six years, except for disclosures made to carry out treatment, payment or health
care operations.) The Secretary will promulgate regulations regarding what
information must be collected about each disclosure. For current users of
electronic health records, the accounting requirements will apply to disclosures
made on or after January 1, 2014. For covered entities that have not yet
acquired electronic health records, the accounting requirements will apply to
disclosures on or after January 1, 2011, or the date on which the covered entity
acquired electronic health records, whichever is later.
Additional Restrictions on Certain Disclosures
In addition to the individual rights discussed above, the ARRA places new
restrictions on disclosures of PHI by covered entities and business associates.
Minimum Necessary Requirement. Under current law, a covered entity
must generally make reasonable efforts to limit disclosure of PHI to the
“minimum necessary” to accomplish the intended purposes or use of the
disclosure. The ARRA requires the Secretary to issue guidance as to what
constitutes “minimum necessary” by July 17, 2010. Until the effective date of
such guidance (which is to be determined), the ARRA requires covered entities to
limit the use, disclosure or request of PHI, to the extent practicable, to
either (i) a “limited data set” or (ii) if needed by such entity, to the
“minimum necessary” to accomplish the intended purpose of such use, disclosure
or request. (The “limited data set” standard is the standard currently applied
to a certain subset of purposes -- such as research purposes -- pursuant to a
data use agreement with the recipient. Limited data sets have most direct
identifiers removed and are considered by the Department to pose a low privacy
risk.) The limited data set requirement will sunset on the effective date of the
Secretary’s guidance regarding what constitutes the “minimum necessary”.
Prohibition on Sale of PHI without Authorization. Covered entities and
business associates will be prohibited from selling PHI without the individual’s
authorization, except in certain specified circumstances that include (1)
recoupment of the costs of preparing and transmitting data for public health or
research activities and (2) provision of an individual with a copy of his or her
PHI. The Secretary is required to promulgate regulations implementing this
prohibition by July 17, 2010, and the regulations will be effective six months
after they are promulgated.
Increased Civil Penalties and Expanded Criminal Liability for Violations
The ARRA significantly increases civil monetary penalties for HIPAA
violations. Effective immediately, the maximum civil penalty for all violations
of an identical requirement or prohibition during a calendar year will increase
from $25,000 to $1,500,000. The ARRA increases civil monetary penalties in tiers
depending on whether the violation was committed unknowingly, or due to
reasonable cause or willful neglect. Further, the ARRA clarifies that criminal
liability for wrongful disclosure of PHI extends to any individual who, without
authorization, obtains or discloses PHI maintained by a covered entity.
Currently, it is the policy of the Department of Justice to prosecute only
covered entities for such disclosure. State Attorneys General are also
authorized to bring civil actions in Federal district court, on behalf of
residents of their states, against persons who violate the HIPAA rules. The
Secretary has the right to intervene in such actions.
Mandatory Compliance Audits by the Department
Effective February 17, 2010, the Secretary will be required to perform
periodic compliance audits of covered entities and business associates.
Currently, the Secretary is authorized, but not required, to perform such
audits.
Expansion of Entities Required to Have Business Associate Agreements
Effective February 17, 2010, organizations that contract with covered
entities for the purpose of exchanging electronic health information --
including health information exchanges, regional health information
organizations, and PHR vendors that offer their products through or for a
provider or health plan -- will be required to have business associate contracts
in place with those covered entities. Current law does not explicitly include or
exclude these organizations from HIPAA’s privacy requirements.
Additional Restrictions on Certain “Marketing” Communications if
Remuneration Received
Under current law, a covered entity or business associate can provide
communications that might otherwise be considered marketing without individual
authorization if the communication is made (1) to describe a health-related
product or service (or payment for such product or service) that is provided by,
or included in a plan of benefits of, the covered entity making the
communication, or (2) for treatment of the individual, or (3) for case
management or care coordination for the individual, or to direct or recommend
alternative treatments, therapies, health care providers, or settings of care to
the individual.
Effective February 17, 2010, the ARRA will place additional, significant
restrictions on the three categories of communication identified above if
the covered entity receives direct or indirect remuneration from a third party.
Specifically, the ARRA prohibits these communications where the covered entity
receives remuneration except if (1) the marketing communication describes only a
drug or biologic that is currently being prescribed for the recipient of the
communication and any payment received by the covered entity is reasonable, or
(2) the communication is made by the covered entity with the authorization of
the recipient, or (3) the communication is made by a business associate on
behalf of the covered entity and the communication is consistent with the
written contract between the business associate and the covered entity.
For more information about these changes, or for guidance to help ensure
compliance, please contact us.