Health care entities and those that serve as business associates to health care providers should be aware of upcoming changes to the Health Insurance Portability and Accountability Act (HIPAA). The stimulus package includes the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which expands the direct role of business associates in complying with HIPAA and imposes new penalties and enforcement mechanisms on covered entities.

Direct Application Of HIPAA To Business Associates

The current HIPAA law applies directly only to "covered entities," defined as health plans, health care providers, and health care clearinghouses. Entities such as consultants, billing companies, IT companies, and others who use protected health information (PHI) provided by a covered entity to perform a function on behalf of the covered entity are considered "business associates" of the covered entity and currently are not directly regulated by the HIPAA law. Rather, business associates have a contractual responsibility to the covered entity for which they provide services. Under the HITECH Act, certain HIPAA privacy and security provisions will apply directly to business associates. This means that business associates will have to implement their own administrative, physical, and technical safeguards that comply with the HIPAA security rules. Business associates will also be required to implement new policies and procedures to ensure HIPAA compliance, and they will be subject to the HIPAA civil and criminal penalties. Under the current law, only covered entities are subject to penalties. The business associate provisions will be effective in February 2010.

Any organization that provides data transmission of PHI to a covered entity or business associate and that requires access to PHI on a routine basis will be considered a business associate. Likewise, all vendors who contract with a covered entity to provide personal health records are considered business associates. As a result, all health information exchanges and vendors of personal health records will be required to enter into business associate agreements with the covered entities they serve, and these information technology vendors will be subject to HIPAA as business associates.

Expanded Enforcement And Penalties

The HITECH Act expands HIPAA enforcement and penalties in several respects. First, the new law requires the Office for Civil Rights (OCR) to investigate complaints when a violation appears to be the result of "willful neglect." The new law increases the amount of civil money penalties for HIPAA violations by creating a tiered system of penalties ranging from $100 to $50,000 for each individual violation, with an annual maximum ranging from $25,000 to $1,500,000. OCR will have more funding to enforce HIPAA because civil money penalties and monetary settlements will now be collected and transferred to OCR for enforcement activities. In addition, the HITECH Act directs the Secretary of Health and Human Services (HHS) to establish a methodology for distributing a percentage of the collected penalties and monetary settlements to individuals who were harmed by a HIPAA violation.

Second, the new law authorizes states to bring civil actions on behalf of residents for actual or threatened HIPAA violations. Each state's Attorney General is specifically authorized to obtain injunctions, statutory damages, and attorney fees. The total amount of damages that can be recovered by a state is limited to $25,000 during a calendar year.

In addition to the new civil enforcement provisions, the law also expands the HIPAA criminal penalties to apply not only to the covered entity but also directly to an employee of a covered entity or business associate if the employee obtains or discloses PHI without authorization.

New Duty To Notify Of Breach

The HITECH Act includes new notification requirements for breaches of "unsecured PHI." Unsecured PHI is defined as PHI that is not secured through the use of a technology or methodology specified by the Secretary of HHS. The duty to notify only applies where there has been a breach of PHI that was not secured. However, a breach can occur if an employee of a covered entity or business associate accesses unsecured PHI without authorization and the employee's access of PHI is not made in good faith.

If a covered entity discovers a breach of unsecured PHI, the covered entity must notify each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed or disclosed as a result of the breach. Notice must be provided within 60 days of the date the breach was discovered, or the date the breach reasonably should have been discovered. Notice should be sent by first class mail, or by email if the individual has agreed to that method. The notice must include the circumstances of the breach, the date of the breach, the date of discovery, the type of PHI involved, steps the individuals should take to protect themselves, the steps the covered entity will take to mitigate the harm and prevent future breaches, and contact information so the individuals can obtain additional information. If a business associate discovers a breach of unsecured PHI, the business associate must notify the covered entity of the breach, and the covered entity must then provide appropriate notification to the affected individual(s). If the breach involves fewer than 500 individuals, the covered entity is not required to immediately notify the Secretary of HHS. However, the covered entity is required to maintain a log of all breaches that occur and must submit the log to the Secretary on an annual basis.

If the covered entity has outdated contact information for individuals affected by the breach, the covered entity must provide an alternate method of notification. If the covered entity has outdated contact information for 10 or more individuals involved in the breach, the covered entity must conspicuously post the notice on the home page of its website or in major print or broadcast media. The notice must include a toll-free phone number so individuals may obtain information about the breach. In the event that a breach involves more than 500 residents of a particular state, a covered entity is required to provide immediate notice of the breach to the Secretary of HHS. The covered entity is also required to provide notice to prominent media outlets serving the state. The law directs the Secretary to post on the HHS website a list of all covered entities that have experienced a breach of unsecured PHI involving more than 500 individuals. These notice requirements also apply to vendors of personal health records and to third party service providers that provide services to vendors of personal health records.

The notice requirements will become effective after the Secretary of HHS publishes interim final regulations.

Other Significant Provisions

  • The Secretary of HHS will designate a Privacy Advisor for each regional HHS office. The Privacy Advisor will offer guidance and education on HIPAA.
  • Sales of PHI are prohibited unless authorized by the individual. The only exceptions are for public health activities and research, and only if the price charged equals the cost of preparation and transmittal.
  • The Secretary of HHS is required to perform audits to ensure that covered entities and business associates are complying with HIPAA.

Implications Of The New Provisions

All covered entities and business associates should review and revise existing business associate agreements as necessary to incorporate the new provisions. Covered entities and business associates, including vendors of personal health records, should prepare for the notice requirements and consider creating policies and procedures regarding notice. In addition, the Secretary of HHS will promulgate regulations on the new HIPAA provisions, and the regulations will likely provide even more specific guidance.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.