Originally published February 26, 2009

The American Recovery and Reinvestment Act, signed by President Obama on February 17, 2009, included important legislative changes to the HIPAA privacy and security regulations. These are the first major changes in HIPAA privacy since 2002 and address a wide range of issues, including business associate requirements, marketing restrictions, and minimum necessary use. The legislation expands the reach of HIPAA's criminal sanctions, and significantly increases the civil monetary penalties that can be imposed for HIPAA violations.

Business Associates

Under current law, business associates must sign contracts agreeing to implement "reasonable and appropriate safeguards" to protect the security of electronic protected health information. Under the new law, business associates will become directly subject to major portions of the HIPAA information security rule, specifically those sections that define required and addressable administrative, physical and technical safeguards, along with the requirement to adopt information security policies and procedures. The law requires that business associate agreements be amended to incorporate the new information security requirements. Additionally, business associates that violate the HIPAA rules will be subject to civil monetary penalties and criminal sanctions as if they were covered entities.

The law requires all business associate contracts to reflect the applicable amendments to the HIPAA privacy rule required by the statute. It also will make business associates responsible for addressing breaches of the business associate agreement caused by the covered entities they contract with, much in the same manner that covered entities have a duty to address violations caused by their own business associates. For example, a business associate may now have an obligation to terminate a contract with a covered entity if the covered entity violates the business associate agreement.

Notice of Privacy Breaches

Covered entities will be required to notify patients whose protected health information is improperly accessed or disclosed, and business associates are required to give notice of security breaches to covered entities. Under the new law, a security breach shall be treated as discovered when first known by an employee, officer, or agent of the covered entity or business associate, or on the first date they reasonably should have known of the breach. In any event, the covered entity should give notice to the patient within 60 calendar days of discovery of the breach. Notice should be provided individually by mail, but can be given by e-mail if the patient has agreed to e-mail notice. The law also sets forth provisions for alternative forms of notice, including notice on web sites or by notification of mass media outlets, under certain circumstances. The law also requires covered entities to give notice directly to the Secretary of Health and Human Services for large breaches, and to maintain a log of minor security breaches for review by the Secretary. No notice is required if the data is encrypted or otherwise protected in a manner that prevents disclosure of protected health information.

Education on Health Information Privacy

The Act establishes Regional Office Privacy Advisors for each HHS regional office. The law also requires the Office for Civil Rights to develop and maintain a nationwide educational initiative to enhance public understanding of the uses of health information and their rights regarding health information.

Restrictions on Disclosure of PHI resulting from Self Pay Services

When patients pay for health care services out of pocket, they may request that the resulting protected health information not be shared with a health plan for the purposes of carrying out payment activities or for health care operations purposes.

Minimum Necessary Use

The Act changes the implementation of the minimum necessary use rule for uses and disclosures that are not related to treatment. It will require covered entities to implement the minimum necessary use rule by using the limited data set, whenever practicable. The law directs the Secretary of Health and Human Services to issue guidance on minimum necessary use within 18 months of the effective date of the law.

Accounting Of Disclosures Made For Treatment, Payment And Health Care Operations

Current law requires covered entities to account for disclosures that are made for uses that are not for treatment, payment or health care operations and not authorized by the individual. Under the new law, covered entities that make disclosures through an electronic health record system will be required to provide patients with an accounting of disclosures that includes treatment, payment and health care operations, but only with respect to electronically disclosed information. If disclosures are made by a business associate, the covered entity can elect to let the business associate make the accounting directly to the individual, or provide the accounting itself.

Bar On Accepting Remuneration For Disclosure Of Protected Health Information

Significantly, the statute creates extensive rules prohibiting covered entities and business associates from accepting remuneration for disclosure of PHI unless the patient has first signed an authorization, and unless the authorization addresses the ability of the recipient of the information to re-disclose the information. The new prohibition has exceptions for public health related disclosures, including disclosures related to FDA surveillance and disclosures to employers regarding occupational safety. The law also contains an exception for disclosures related to research, if the remuneration reflects the cost of preparation and transmittal of the data for research, as well as an exception for treatment related disclosures. The law also has an exception for disclosures associated with the sale, transfer, merger, or consolidation of all or part of the covered entity with another covered entity, or an entity that following such activity will become a covered entity, and for due diligence related to such activity. Other exceptions apply to payments to business associates and payments in connection with the provision of an individual's record to the individual himself or herself. The law requires the Secretary to develop a schedule of "reasonable remuneration" in connection with research and public health activities.

Access to PHI in Electronic Format

The law will require covered entities that use electronic health records to provide an individual a copy of his or her protected health information in an electronic format or forward such information to another entity or person designated by the individual. Any fee charged by the covered entity cannot exceed the cost of labor required to respond to the request for a copy or transfer of protected health information.

Conditions on Contacts with Patients

The statute states that a communication recommending the purchase of a product or service cannot be classified as part of health care operations unless it describes a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication, for treatment, or for case management, care coordination, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual. Further, such communications cannot be deemed health care operations if the covered entity has received remuneration in connection with the communication, unless the communication relates to a drug or biologic already being prescribed for the individual and the remuneration is reasonable in amount; or unless the communication is made by the covered entity and an authorization has been obtained; or the communication is made by a business associate pursuant to a contract between the business associate and the covered entity. The law also puts new fundraising opt-out rules in place.

Temporary Breach Notification Rules for PHR Vendors and Other Entities that Handle PHI

The statute contains temporary breach notification requirements for vendors of personal health records and other non-covered entities, such as entities that offer products or services through the web site of a covered entity or the web site of a vendor of personal health records. The notification requirements do not apply if the information is encrypted. Failure of the PHR vendor to notify individuals of security breaches shall be an unfair trade practice in violation of the Federal Trade Commission Act.

Health Information Exchange Organizations Classified as Business Associates

Organizations that provide data transmission services for covered entities and that require access to protected health information on a routine basis are now classified as business associates. The law also states that a vendor that contracts with a covered entity to allow that entity to offer a personal health record to patients as part of an electronic health record is a business associate of the covered entity.

Expansion of Applicability of Criminal Penalties Under HIPAA

The law amends criminal sanction provisions of HIPAA by clarifying that a person who obtains or discloses protected health information from a covered entity without authorization commits a violation of the criminal provisions of HIPAA.

Modification of Civil Monetary Penalty Provisions and Increases in Penalties

The statute makes extensive modifications to the civil monetary penalty provisions of HIPAA. Changes include penalties for violations due to "willful neglect" of the obligations of the law, and a requirement that the Secretary investigate if a preliminary investigation indicates the possibility of a violation due to willful neglect. The proceeds of civil monetary penalties imposed under HIPAA are to be transferred to the Office for Civil Rights to fund further enforcement efforts, and the Secretary is directed to develop a method to distribute a portion of collected penalties to individuals who are harmed by privacy or security violations.

The amount of Civil Monetary Penalties that can be imposed as a result of violations of HIPAA is significantly modified. Under prior law, violations that were not known to the entity or could not have been discovered using reasonable diligence could not result in imposition of a civil monetary penalty. As amended, minor violations now carry a penalty of $100 per violation, not to exceed $25,000 annually for all violations of any one requirement or prohibition. The law sets additional tiers of penalties, as follows.

Basic penalty for all violations, even if the entity did not know and could not have known of the violation: $100 per violation, up to a maximum of $25,000 annually for any one requirement or prohibition.

Violations resulting from reasonable cause and not willful neglect: at least $1,000 per violation, up to a maximum of $100,000 annually for any one requirement or prohibition.

Violations caused by willful neglect, but that are cured within 30 days: at least $10,000 per violation, up to a maximum of $250,000 annually for any one requirement or prohibition.

Violations caused by willful neglect that are not cured within 30 days of discovery: at least $50,000 per violation, up to a maximum of $1,500,000 annually for any one requirement or prohibition.

Enforcement of HIPAA Privacy Rule Through State Attorneys General

As originally enacted, HIPAA did not create a private right of action, and could only be enforced by the Secretary of Health and Human Services. Under the new law, HIPAA violations are now also enforceable in civil actions brought by state attorneys general, both to enjoin violations and to obtain damages. Damages are limited to $1,000 per violation with an annual limit of $25,000 per requirement or prohibition, plus an award of attorney's fees to the state. Civil actions brought by the state are to be heard in federal district courts.

Periodic Audits of Covered Entities and Business Associates by the Department of Health and Human Services

The statute requires the Secretary of Health and Human Services to perform periodic audits to ensure that covered entities and business associates comply with HIPAA privacy regulations.

The chart below summarizes the effective date of some of the major HIPAA provisions contained in the new law.

Effective Dates of HIPAA Amendments in the American Recovery and Reinvestment Act of 2009

Requirement: Effective Date

Business Associates Subject to Security Rule: 12 months after the date of enactment (February 17, 2010).

Business Associates Subject to Privacy Rule: 12 months after the date of enactment (February 17, 2010).

Data Breach Notification: The Secretary is directed to publish regulations within 180 days after enactment, with the data breach notification requirements effective 30 days after the publication of interim final regulations.

Revisions to Minimum Necessary Use: 12 months after the date of enactment (February 17, 2010), but the Secretary is required to issue regulations within 18 months after enactment.

Ban on Remuneration for Disclosure of PHI: Six months after the date that final regulations are promulgated to implement the law.

Accounting for Disclosures Related to Treatment, Payment and Healthcare Operations: For entities using an electronic health record before January 1, 2009, the effective date is January 1, 2014. For entities that acquire an electronic health record after January 1, 2009, the requirement will come into effect on the later of January 1, 2011 or the date that the entity acquires an electronic health record.

Providing Patients with ePHI in Electronic Format: 12 months after the date of enactment (February 17, 2010).

Limitations on Certain Communications with Patients: 12 months after the date of enactment (February 17, 2010).

Data Breach Notification for PHR Vendors and Others Who Are Not Covered Entities: The Federal Trade Commission is directed to promulgate interim final rules within 180 days of the date of enactment. The requirements shall take effect 30 days after the publication of the interim final rules.

New Civil Monetary Penalties and Enforcement by State Attorneys General: Immediately on enactment of the law, for violations after the date of enactment.

www.nutter.com

This update is for information purposes only and should not be construed as legal advice on any specific facts or circumstances. Under the rules of the Supreme Judicial Court of Massachusetts, this material may be considered as advertising.