Health care providers, health plans, clearinghouses and their business associates face deadline for implementation of significant new compliance obligations.
February 17, 2010 marks the compliance date for significant new obligations under the Health Information Technology for Economic and Clinical Health (HITECH) Act, which is part of the American Recovery and Reinvestment Act of 2009, adopted one year ago. It appears the date may come and go without the regulatory guidance that many HIPAA covered entities and business associates expected to inform their compliance decisions.
Many of the new obligations require significant resources for implementation (e.g., amending business associate agreements, adopting new systems for limiting disclosures to health plans and providing copies in electronic formats that can be securely delivered). Yet, the HITECH provisions are unclear in many places. Thus, expending resources without clarifying guidance creates a Catch-22 for many covered entities and business associates subject to the new requirements (e.g., the definition of an Electronic Health Record is opaque, at best, with its dependence on the undefined term “clinician”).
Covered entities must now comply with most of the new privacy requirements introduced under HITECH including, among other requirements:
- additional requirements regarding “minimum necessary” uses and disclosures of protected health information (PHI);
- new limitations on uses and disclosures of PHI for marketing;
- new individual rights related to electronic access to PHI maintained in an electronic health record; and
- new individual rights allowing individuals the right to restrict their providers from sending PHI to the individuals’ health plan if the individuals pay in full for the product or service at issue.
Business associates also now face substantial new compliance obligations under HITECH. Prior to HITECH, business associates were not directly subject to HIPAA and were subject only to the contractual obligations imposed on them by covered entities through business associate agreements (BAAs). HITECH changes the regulatory landscape by imposing a direct statutory obligation on business associates to comply with the new privacy and security requirements. These include such things as:
- compliance with the bulk of the HIPAA Security Rule requirements;
- compliance with the new HITECH data breach provisions; and
- compliance with the new individual rights provisions related to access to PHI and restrictions on certain disclosures of PHI.
HITECH further requires that the new privacy and security requirements “shall be incorporated” into BAAs. The amendment of BAAs has been one of the most troublesome and challenging issues for both covered entities and business associates. While some have hoped that HITECH “by law” amends existing BAAs (an argument that may raise constitutional issues given that private contracts and assets are at stake), most, if not all, have struggled with the decision whether to amend existing BAAs prior to the February 17, 2010 compliance date or rely upon a “transition period” that has been hinted at by the Department of Health and Human Services (HHS) and was provided in the Privacy Rule when compliance was required in 2003.
New Enforcement Framework
In addition to the new compliance challenges faced by covered entities and business associates under HITECH, several notable changes to HIPAA enforcement were also introduced under HITECH. Although many of the new enforcement provisions were effective upon enactment of HITECH (e.g., enforcement by state attorneys general, increased civil monetary penalties), several other enforcement provisions are now effective, including:
- business associates are now subject to direct enforcement actions; and
- covered entities and business associates are now subject to mandatory, periodic audits by HHS.
Beginning February 22, 2010, HHS will also begin enforcement of the new HITECH data breach regulations issued in September 2009.