The American Recovery and Reinvestment Act of 2009 (“ARRA”) was signed into law by President Obama on February 17, 2009. Employers will need to take immediate action to comply with the portion of ARRA that provides for a reduction in the COBRA premium that can be charged to certain individuals who have been involuntarily terminated, as well as an increase in the monthly exclusion for transit expenses. Fortunately, employers and service providers will have additional time to comply with most of the changes in the HIPAA privacy and security rules. The changes in each of these three areas are discussed in detail below.

Landmark COBRA Changes

Effective as of March 1, 2009, ARRA amends COBRA to provide that certain COBRA qualified beneficiaries will only have to pay 35% of their regular COBRA premium, with the other 65% being paid by the federal government. This is referred to generally as the “COBRA subsidy” or “subsidy.” There are many components to implementing the subsidy that require employer planning and action, including identifying eligible individuals; providing notice of the subsidy and a waiver opportunity for high-income individuals; allowing for a second chance for those eligible for the subsidy to elect COBRA; determining whether to allow the election of a lower cost benefit option; and submitting the required reports to the government to obtain the payroll tax credit for the subsidy. While some of these steps may be able to be performed by COBRA administrators, employers will need to be involved in every step of the process due to the tax penalties that will apply if the subsidy is applied incorrectly.

What Does ARRA Provide with Respect to COBRA?

Generally, ARRA provides –

  • Employees who are terminated involuntarily between September 1, 2008 and December 31, 2009 and other qualified beneficiaries who lose coverage in connection with the termination of employment (e.g., a spouse and/or dependent) with a COBRA premium subsidy in the amount of 65% of their cost of the COBRA coverage for up to 9 months; and
  • Employers with a payroll tax credit for the remaining 65% of the COBRA premium (see below for certain exceptions).

Because the subsidy is available to individuals whose employment has already been involuntarily terminated, there are certain transition rules that must be followed to provide these individuals with a second chance to enroll if they are not currently covered under COBRA.

To Which Benefits Does the Subsidy Apply?

The subsidy applies to each health benefit for which an employer is required to offer COBRA coverage, except for a health spending account. This includes medical, dental and vision coverage, as well as EAPs and HRAs. The subsidy also applies to health plans that are not subject to federal COBRA but are subject to continuation of coverage requirements under state law, such as small group health plans. (This alert focuses on the application of the premium subsidy to COBRA coverage, but the analysis is similar for health plans that are subject to state continuation coverage.)

To Whom Is the Subsidy Credited?

Typically, the subsidy is credited back to the employer via a payroll tax credit. However, there are certain exceptions as follows –

  • In a multiemployer plan, it is the plan, not the employer, that is entitled to the credit.
  • If a plan is fully-insured, and NOT subject to federal COBRA (for example, small employer plans and church plans), the insurer is entitled to the credit. However, if the employer collects premiums and administers the continuation coverage, the employer would be eligible for the credit.

Which Individuals Are Eligible for the COBRA Subsidy?

To be eligible for the subsidy, a COBRA qualified beneficiary must (1) become eligible for COBRA between September 1, 2008 and December 31, 2009, (2) by reason of an involuntary termination of employment, and (3) elect COBRA. This includes –

  • Individuals who are currently receiving COBRA coverage.
  • Individuals who were previously eligible for, but did not elect, COBRA coverage.
  • Individuals who dropped COBRA coverage (e.g., due to non-payment of premiums).

Individuals who are not eligible for the subsidy include –

  • Individuals eligible for COBRA for reasons other than involuntary termination (but a second qualifying event of a divorce or dependent age out would qualify if the initial event was an involuntary termination).
  • A domestic partner and/or his/her children who are not dependents of the employee.
  • High-income individuals who permanently waive their right to the subsidy (see below).

What is an Involuntary Termination?

In the past, the Service has been reluctant to provide specific rules regarding involuntary terminations due to the inherently factual nature of the determination, which for the most part relies on characterizations established by the parties. However, we understand that the Service is currently contemplating a change to this approach with respect to the subsidy. Until future guidance is issued by the Service, employers will need to make reasonable determinations on a uniform basis based on the particular facts and circumstances of each termination.

In addition, even though it may be clear that an involuntary termination has occurred, there are certain situations where the precise date may be unclear. For example, for purposes of severance some employers continue to treat an individual as an employee during the severance period. In the past, if an employer consistently treated an individual as an employee during the severance period, such as for benefits and other employment conditions, and treated the last day of the severance period as the termination of employment date, the last day of the severance period should be recognized by the Service as the date an involuntary termination occurred. However, the Service may change this result in upcoming subsidy guidance. Therefore, employers will need to review their policies with respect to extended leaves, such as during disability, temporary layoffs and severance periods, as well as the terms of their severance agreements, to determine when the employment relationship terminates.

What Happens If The Employee and Employer Disagree As to Eligibility?

If an employer denies an individual the subsidy, the individual can request an expedited review of that decision by the U.S. Department of Labor. This might happen if the employee and employer disagree as to whether the employee was involuntarily terminated or if there is a dispute as to the date of the termination that affects entitlement to the subsidy. The ARRA requires the DOL to make this decision within 15 business days. More guidance is expected from the DOL with respect to this issue because employers are required to include the review procedures in their notices.

Does the Subsidy Apply to High-Income Individuals?

The subsidy will not apply to an individual who has an adjusted gross income during the year of the subsidy in excess of $145,000 (or $290,000 for married filing jointly). The subsidy is reduced for individuals with an adjusted gross income between $125,000 and $145,000 (or $250,000 and $290,000 for joint filers). However, employers must offer the subsidy, regardless of an individual’s income level. Then, if an individual has income in excess of the foregoing levels, the individual must include the amount of the subsidy (or a portion thereof) in his/her income and pay taxes on the amount. To assist in the application of this “recapture” tax, employers must report the amount of the subsidy to each employee and the Service, presumably on a Form W-2. To avoid this later tax, high-income individuals have the right to affirmatively waive the subsidy during COBRA enrollment. This waiver is permanent, so individuals who are eligible for the subsidy over two calendar years should carefully consider whether it is in their best interest to waive the subsidy.

How is the Subsidy Calculated?

Individuals entitled to the subsidy are only required to pay 35% of the amount the employer charges for the COBRA coverage (including the 2% administrative charge). The employer (or the plan/insurer) “fronts” the remaining 65% of the amount it would otherwise charge for the coverage, and recovers it through a subsequent payroll tax credit. If the qualified beneficiary is covering a non-qualified beneficiary, such as a domestic partner, a domestic partner’s child, or a new spouse from a post-qualifying event marriage, the Service has indicated that such premium may need to be bifurcated, and the subsidy would then only apply to the qualified beneficiary’s portion of the premium. Hopefully, this issue will be addressed in upcoming guidance.

In addition, many employers provide that coverage under the health plan does not terminate during a severance period, so COBRA is not elected until the end of the severance period. In this situation, the employee is not entitled to the subsidy (nor is the employer entitled to reimbursement of the amount it pays for such employee’s coverage) while receiving the severance payments because the employee is not receiving COBRA coverage. The subsidy will begin only after COBRA is elected.

Alternatively, if an employee has COBRA coverage during the severance period, but the employer charges a reduced COBRA rate during the severance period, the employee would be eligible for the subsidy during the severance period but the subsidy would be determined based on the amount charged to the employee (not the full COBRA rate). In other words, if an employer charges a lower rate for COBRA coverage for individuals who have been involuntarily terminated, the individual, because of ARRA, is required to pay only 35% of that reduced rate, and the employer is then eligible to claim a payroll tax credit for the other 65% of that reduced rate. The employer cannot receive a tax credit for the portion of the cost of health coverage it voluntarily absorbs. Therefore, to fully utilize the subsidy, employers who subsidize COBRA coverage or delay the beginning of COBRA coverage following an involuntary termination may want to reconsider when COBRA begins and/or whether to continue to charge reduced premiums during the severance period.

How Long Does the Subsidy Last?

The subsidy can last for up to 9 months, but is terminated early if –

  • The individual becomes eligible for coverage under Medicare or under another group health plan (even if the individual does not enroll in that coverage); or
  • The maximum COBRA period ends (e.g., 18 months).

Solely for this purpose, coverage under only a dental or vision plan or a health flexible spending account is not considered other group health coverage. It is the individual’s responsibility to notify the health plan upon becoming eligible for other coverage. Failing to provide the required notice will result in a special penalty tax that is applied on the individual’s tax return and not by the plan.

How is the Subsidy Recovered by the Entity That Initially Paid It?

To recover the subsidy, the employer (or the multiemployer plan or insurer, as applicable) must claim a credit against its payroll taxes in the amount of the subsidy paid. For this purpose, payroll taxes include Federal income taxes withheld from employee wages, the employee portion of FICA and the employer portion of FICA. Today, the Service issued a revised Form 941 that takes into account the COBRA subsidy. (The revised Form 941 and Instructions can be viewed at Further guidance from the Service is expected on whether the credit can be taken by reducing current payroll tax deposits and then trued-up on the quarterly Form 941. It is important to remember that the credit cannot occur until after the individual pays his/her share of the premium for the month. Thus, employers will need to have a mechanism in place to track when COBRA premiums are received.

What is Required if an Individual is Currently not Receiving COBRA?

Subsidy-eligible individuals who are not currently receiving COBRA coverage must be given a second chance to enroll in COBRA. This special election period begins on February 17, 2009, and continues for 60 days following the date the individual receives notice of the special election period.

With respect to this group of individuals, prior to April 18, 2009, employers must:

  • Prepare a notice that includes –
      • A description of the eligibility requirements and the subsidy.
      • A description of the coverage available.
      • A “prominent” display of the new premiums after application of the subsidy.
      • Waiver rules for high-income individuals.
      • Appeal rights to the DOL.
  • Under current guidance, send this notice to any person who became a qualified beneficiary on or after September 1, 2008 (regardless of the reason for the qualifying event) and who is not currently enrolled in COBRA.
  • Because the notice will be sent to more people than are eligible for the subsidy, establish a process to ensure that only those individuals who are eligible for COBRA as a result of an involuntary termination are allowed to enroll in COBRA during this special election period.
  • Notify any individual who is not eligible to enroll but who submits the enrollment form that his/her election will not be effective.

Persons electing COBRA coverage during the special election period will be covered under COBRA beginning March 1, 2009, continuing to the end of their original COBRA period, unless coverage terminates early for another reason. COBRA is not retroactive to the date of the initial qualifying event.

The Department of Labor is working on model notices. However, because individuals must receive the supplemental notice by April 18, 2009, if these notices are not available soon, employers will be required to prepare their own notices to ensure they have sufficient time to distribute them.

Do Pre-Existing Condition Exclusions Apply to Those Who Enroll March 1, 2009?

Under ARRA, if an individual enrolls in COBRA during the special election period described above, any break in coverage of 63 days or more between the date of an individual’s COBRA qualifying event and March 1, 2009 is not treated as a break in coverage for purposes of applying pre-existing condition exclusions. This means, for example, that an individual who had not been subject to a pre-existing condition exclusion prior to his termination of employment but who incurred a break in coverage because he did not elect COBRA following his employment termination can now elect COBRA effective March 1, 2009, and effectively void his/her prior break in coverage.

What is Required for Individuals Currently Receiving COBRA?

Prior to April 18, 2009, employers must send a notice to individuals who are currently receiving COBRA coverage informing them of the subsidy. (Conflicting guidance exists as to whom this notice should be sent, but conservative sponsors will want to send this notice to all individuals who are currently receiving COBRA coverage as of the date of the qualifying event, regardless of the type of qualifying event.) The notice must explain who is eligible for the subsidy, how someone can claim that he/she is eligible for the subsidy and must allow for a permanent waiver of the subsidy for high-income individuals. Employers are allowed, but not required, to provide a mid-year election change for individuals to elect a lower cost COBRA option under the employer’s plan.

What Happens if an Individual Already Covered By COBRA Pays the Full COBRA Premium?

If an employer cannot revise invoices for March and April and an individual eligible for the subsidy pays 100% of the premium for these months, the employer must either refund the subsidy to the individual or credit the subsidy to the individual for use within the following 180 days.

What is Required for Future Individuals Who Become Eligible for COBRA?

Employers must update their COBRA initial notice and COBRA election notice for future new enrollees and future qualified beneficiaries, respectively. This could be done as part of the actual notice or as a snap-on supplemental notice.

What Administrative Procedures Must be Revised or Created?

Employers will need to work closely with their COBRA administrators on a number of new procedures, including the following –

  • Identifying employees who were involuntarily terminated after September 1, 2008, and those qualified beneficiaries claiming through such individuals.
  • Determining whether individuals will be permitted to elect a lower cost benefit option.
  • Creating and sending the notices to current COBRA beneficiaries and those who are eligible for a second chance election.
  • Notifying ineligible individuals who attempt to enroll in COBRA through the second chance election that they are not eligible.
  • Reviewing subsidy elections that are returned by existing and potential COBRA beneficiaries to confirm eligibility.
  • Tracking the amount of the subsidy and the receipt of premiums so the subsidy can be taken as a credit against payroll taxes.
  • Compiling information for additional Form W-2 and Form 941 reporting.

Can an Employer Outsource Compliance?

Although certain portions of the administration can be outsourced to COBRA administrators, employers will have to determine which employees were involuntarily terminated, report information on the employer’s quarterly payroll tax return, and be able to attest to certain information (such as the amount of the subsidy) when claiming the subsidy as a credit against their payroll taxes. If this amount is incorrect (which could be the situation if a subsidy is taken for an ineligible terminated employee), then the employer will have underpaid its payroll taxes, to which numerous penalties apply under the Code. Therefore, employers will want to provide oversight to make certain that this work is being performed correctly.

When is Additional Guidance Expected from the Service and the DOL?

As noted above, the Service has already issued guidance regarding the revised Form 941, and additional payroll tax guidance should be forthcoming. In addition, the Service also expects to issue guidance in the form of frequently asked questions regarding the harder subsidy issues. It is unclear when this additional guidance will be issued, but we expect it to be somewhere around late March.

The Department of Labor will also issue model notices, and has established a dedicated web site to post guidance relating to the subsidy at

Changes to the Monthly Limit on Transit and Vanpooling Benefits

Effective March 1, 2009, ARRA amends Code Section 132(f)(2) to provide that the monthly statutory limit for qualified mass transit and vanpooling benefits combined is raised from $120 to $230 per month, which is the monthly statutory limit for qualified parking benefits. ARRA contains a sunset provision with respect to this change, such that the increase in the monthly limit will expire on December 31, 2010 unless it is extended in future legislation.

Expansive HIPAA Privacy and Security Changes

One of ARRA’s objectives is to invest in improving health information technology and promoting the use of electronic health records with the goal of reducing health care costs, streamlining the health care system and reducing medical errors. To address the privacy and security concerns which arise from the increased use of technology in this arena, ARRA includes a number of provisions which amend, clarify or expand the administrative simplification provisions of Title II of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and the privacy and security regulations issued by the Department of Health and Human Services (“HHS”). Most of these changes are effective 12 months after ARRA’s enactment date, but as discussed below, there are several provisions with an earlier or later effective date. Below is a brief summary of the key HIPAA privacy and security provisions of ARRA.

Application of the HIPAA Privacy and Security Rules to Business Associates

The HIPAA Security Rule [ARRA Section 13401]

ARRA provides that most provisions of the HIPAA Security Rule (45 C.F.R. Part 160, Subpart A, and Part 164, Subparts A and C) will apply directly to business associates in the same manner that they currently apply to covered entities. As a result, business associates will be required to implement physical, technical and administrative safeguards and adopt related policies and procedures with respect to electronic protected health information (“E-PHI”) which comply with the standards set forth in the HIPAA Security Rule. This represents a significant change for business associates.

The Security Rule already requires business associates to agree, through a business associate agreement, to implement safeguards protecting the confidentiality, integrity and availability of E-PHI maintained by the business associate. However, because the Security Rule does not currently apply directly to business associates, they have had more flexibility in determining how to structure and implement those safeguards. Going forward, business associates must review their existing safeguards and policies and procedures to determine what gaps exist relative to the standards required by the HIPAA Security Rule. In addition, the risks of noncompliance for business associates are much greater now since a non-compliant business associate faces, among other things, potential civil and criminal penalties under HIPAA, HHS audits and state enforcement actions.

The HIPAA Privacy Rule [ARRA Section 13404]

ARRA takes a different, much less expansive, approach with respect to the HIPAA Privacy Rule (45 C.F.R. Parts 160 and 164, Subparts A and E). ARRA confirms that a business associate may use and disclose protected health information (PHI) only if it enters into and complies with a business associate agreement containing all of the required elements described in the Privacy Rule. ARRA also provides that any of its provisions which impose additional requirements with respect to the security and privacy of PHI (e.g., the new notice of breach requirement discussed below) also apply to a business associate and must be incorporated into the business associate agreement. In a significant change, ARRA also applies the same rules regarding a covered entity’s obligations in the event a business associate breaches the agreement (e.g., notice, opportunity to cure and termination of the agreement) to business associates in the event that the covered entity breaches the agreement.

ARRA does not specifically address amendments to existing business associate agreements to incorporate the ARRA provisions. However, unless HHS provides for an exemption, most business associates and health plans will want to amend their business associate agreements.

Required Business Associate Agreements for Certain PHR Vendors [ARRA Section 13408]

ARRA confirms that vendors that provide data transmission services in connection with personal health records (PHRs) which are offered by a covered entity are business associates of the covered entity and must enter into a business associate agreement.

New Notice Requirements Related to Security Breaches

Breach of Security of Unsecured PHI Held By Covered Entity or Business Associate [ARRA Section 13402]

ARRA contains a new notice obligation when the security of an individual’s PHI is breached. ARRA provides that if a covered entity accesses, maintains, modifies, records, stores, destroys, or otherwise holds, uses or discloses “Unsecured Protected Health Information” (defined below) and the security of that information is breached or believed to have been breached, the covered entity must notify each impacted individual of the breach, in writing, without unreasonable delay but no later than 60 calendar days after discovery of the breach. Business associates are subject to the same requirement except that the business associate must notify the covered entity of the breach.

ARRA defines “Unsecured Protected Health Information” as PHI that is not secured through the use of a technology or methodology specified by HHS as one that renders the PHI as unusable, unreadable or indecipherable to unauthorized individuals. HHS must issue guidance specifying the technologies and methodologies that render PHI as unusable, unreadable or indecipherable to unauthorized individuals within 60 days of the enactment date (i.e., April 18, 2009) and annually thereafter. Until the guidance is issued, covered entities may rely on a technology or methodology which is developed or endorsed for this purpose by a standards developing organization accredited by the American National Standards.

Delivery of the Notice: The notice must be in writing and sent to the individual’s last known address (or electronically if permitted by the individual) or through an alternative method if the individual’s address is not known. If there are 10 or more individuals for whom an address is not available, the notice must be posted conspicuously on the covered entity’s website or in other major print or broadcast media. If the breach involves more than 500 individuals in one state or jurisdiction for whom an address is not available, the notice must be provided through major media outlets servicing the state or jurisdiction.

Content of the Notice: The notice must contain (1) a brief description of the breach, including the date of the breach and the date it was discovered; (2) a description of the types of unsecured PHI involved in the breach (e.g., social security number, account number etc.); (3) the steps an individual should take to protect himself from potential harm resulting from the breach; (4) a brief description of actions the covered entity is taking to investigate and mitigate losses from the breach; and (5) contact information in case there are additional questions.

Notice of Breaches to HHS: ARRA requires covered entities to keep a log documenting the breaches that occur and provide the log annually to HHS. However, if a breach occurs with respect to 500 or more individuals, the covered entity must notify HHS immediately, and HHS will post the names of the impacted individuals on its website.

Effective Date: HHS is directed to issue interim final regulations regarding this new notice requirement no later than 18 months after ARRA’s enactment date, and the notice provision will apply to breaches that are discovered on or after the 30th day following the date the regulations are issued.

Breach of Security of Information held by PHR Vendors or Related Entities [ARRA Section 13407]

Reflective of the provisions in ARRA promoting the use of personal health records (“PHRs”), ARRA imposes a similar notice requirement on (1) vendors of PHRs; (2) entities that offer products and services through a PHR vendor; (3) entities that are not covered entities that offer products or services through the website of a covered entity; and (4) entities that are not covered entities that access information in a PHR or send information to a PHR. Under ARRA, if a PHR vendor or a related entity described above discovers a breach of security of Unsecured PHR Identifiable Health Information that is in a PHR that it maintains or offers, the vendor or related entity, as applicable, must notify the individual whose information was breached, as well as the Federal Trade Commission (FTC). The FTC will notify HHS of the breach. The notice must meet the same requirements (e.g., format, content and timing) that are applicable to the notice sent when there is a breach of Unsecured PHI involving a covered entity or business associate. Failure to provide the notice outlined in this section will be treated as an unfair and deceptive act or practice under the Federal Trade Commission Act. For this purpose:

  • “Breach of Security” means the acquisition of Unsecured PHR Identifiable Health Information of an individual in a PHR without the individual’s authorization.
  • “Unsecured PHR Identifiable Health Information” means PHR Identifiable Health Information that is not protected through the use of a technology or methodology specified by HHS as one that renders the information as unusable, unreadable or indecipherable to unauthorized individuals, as specified in the guidance to be issued by HHS with respect to the definition of Unsecured PHI.
  • “PHR Identifiable Health Information” generally means individually identifiable health information as defined in HIPAA, including information that is provided by or on behalf of the individual and information that identifies the individual or with respect to which there is a reasonable basis to believe that the individual could be identified.

ARRA imposes a similar notice requirement on service providers that provide administrative services to PHR vendors and related entities, but the notice (including a list of persons whose information is breached) must be provided to the PHR vendor or related entity, as applicable.

Effective Date: The FTC is directed to issue interim final regulations regarding this new notice requirement no later than 18 months after ARRA’s enactment, and the notice provision will apply to breaches that are discovered on or after the 30th day following the date the regulations are issued.

HHS Directed To Issue Additional Guidance Regarding Compliance with Privacy and Security Rules

Annual Guidance Regarding Technical Safeguards [ARRA Section 13401(c)]

ARRA requires HHS to issue guidance sometime in 2010 regarding the types of technical safeguards that must be implemented by covered entities (and now business associates) in order to comply with the HIPAA Security Rule. This guidance must be updated and reissued each year thereafter. The HIPAA Security Rule was intentionally written in a broad manner because of the need to have it apply to a wide range of entities with various computer systems and associated risks to those systems. As a result, there have been a number of questions as to the standards that must be adopted in order to comply with the Security Rule. This provision of ARRA will provide much-needed guidance in this area, and the annual update requirement will allow that guidance to evolve as technology develops.

Guidance Regarding the “Minimum Necessary” Standard [ARRA Section 13405(b)]

The HIPAA Privacy Rule generally requires a covered entity to disclose (with some exceptions) only the minimum amount of an individual’s PHI which is necessary to accomplish the purpose of the disclosure. ARRA directs HHS to issue guidance within 18 months after the enactment date as to what constitutes the “minimum necessary” amount for this purpose. Until then, covered entities are directed to limit their disclosures which are subject to the minimum necessary standard to the information that is contained in a limited data set, unless the purpose of the disclosure requires that more information be disclosed. The information contained in a limited data set is like de-identified health information except that it may contain certain dates relating to the individual and may contain locations down to a zip code.

HIPAA Privacy Rule Amended to Add New Protections

Required Approval of Certain Restriction Requests [ARRA Section 13405(a)]

Currently, the HIPAA Privacy Rule allows an individual to request that certain restrictions be placed on the disclosure of his or her PHI, but the covered entity is not required to agree to such restrictions. Many covered entities are not willing to agree to these requests because of the additional administrative obligations which apply if a request is approved.

ARRA requires a covered entity to agree to an individual’s request for a restriction on disclosure of his or her PHI if: (1) the disclosure is to a health plan for purposes of carrying out payment or health care operations (not treatment) and (2) the PHI pertains solely to a health care item or service for which the health care provider involved has been paid in full by the individual out-of-pocket. Third party administrators of group health plans may find it difficult to comply with this provision because their claims processing systems may not allow them to easily segregate this information.

New Accounting Standards for Disclosure of Electronic Health Records (EHR) [ARRA Section 13405(c)]

ARRA provides special rules with respect to an individual’s right to receive an accounting of disclosures of PHI which are contained in an EHR maintained or used by a covered entity. Currently, covered entities are not required to provide an accounting of any disclosures of PHI which are made for purposes of payment, treatment or health care operations.

ARRA provides that a covered entity and business associate must provide an accounting of all disclosures of PHI which is contained in an EHR used or maintained by the covered entity or business associate for a 3-year period prior to the request (i.e., disclosures for payment, treatment and health care operations are not excluded). An electronic health record is defined by ARRA as an electronic record of health-related information on an individual that is created, gathered, managed or consulted by authorized health care clinicians and staff. ARRA directs HHS to issue regulations regarding what type of information should be included in the accounting within 6 months of the date that national standards are issued.

For disclosures of information contained in an EHR which is acquired after January 1, 2009, the new accounting standards will be effective for disclosures made on or after January 1, 2011 (or the date the EHR is acquired, if later). For EHRs which were held by a covered entity as of January 1, 2009, the new accounting provisions will apply to all disclosures made on or after January 1, 2014. HHS may delay these effective dates for up to two years.

Right to Access Information in an EHR [ARRA Section 13405(e)]

ARRA provides that if a covered entity uses or maintains an EHR that contains an individual’s PHI, the individual has the right to an electronic copy of the EHR. The covered entity may charge a fee for providing a copy of the individual’s EHR, but the fee may not be greater than the covered entity’s labor costs in responding to the request. This provision is effective 12 months after ARRA’s enactment date.

New Rules Regarding Contacting Individuals as part of Health Care Operations [ARRA Section 13406]

ARRA confirms that covered entities or business associates may use an individual’s PHI to send communications regarding a health-related product or service and to encourage the use of the product without the individual’s authorization if the communication (1) describes a health-related product or service that is provided by, or included in a plan of benefits of, the covered entity making the communication; (2) is made for the treatment of the individual; or (3) is made for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers or settings of care to the individual. For example, a group health plan may send a communication to participants with high cholesterol regarding cholesterol-lowering medications. However, ARRA clarifies that if the covered entity receives direct or indirect payment for these types of communications, the communication will not be permitted without a valid authorization (which includes disclosure of the payment) unless the communication describes a drug or biologic that is currently being prescribed to the individual and the amount paid to the covered entity is reasonable (as determined by HHS in regulations to be issued in the future).

Increased Penalties and Improved Enforcement of HIPAA Privacy and Security Rules [ARRA Section 13410]

ARRA improves the enforcement of HIPAA by clarifying and adding new civil and criminal penalties, and increasing the available enforcement mechanisms. Unless stated otherwise, the changes are effective immediately. Among other things, ARRA –

  • Adds new enforcement mechanisms related to violations of the HIPAA Privacy and Security Rules which are the result of “willful neglect.” In particular, ARRA requires HHS to formally investigate a complaint if a preliminary investigation suggests a possible violation due to willful neglect. In addition, HHS must impose a penalty if a violation is found. HHS must issue regulations regarding this new enforcement provision within 18 months, and the provision will be effective 24 months after ARRA’s enactment date.
  • Imposes a tiered increase in the amount of civil monetary penalties, such that penalties will now range from $100 per violation ($25,000 maximum for all violations of an identical requirement) to $50,000 per violation ($1.5 million maximum for all violations of an identical requirement). The range of penalties that may be imposed for each violation depends upon whether the covered entity or business associate knew or should have known about the violation or whether the violation was the result of reasonable cause or willful neglect. The penalty for an uncorrected violation which is the result of willful neglect may be higher.
  • Provides that civil and criminal monetary penalties that are collected as a result of a violation of HIPAA will be transferred to the Office for Civil Rights to be used for the purposes of enforcing the new privacy and security provisions of ARRA and the HIPAA Privacy and Security Rules.
  • Directs the Comptroller General to provide HHS, within 18 months of ARRA’s enactment date, a report regarding a methodology by which individuals who are harmed as a result of a violation of the HIPAA Privacy or Security Rules or the privacy and security provisions of ARRA can receive a percentage of any civil penalty or settlement collected with respect to the violation. HHS must issue regulations based on these recommendations within 3 years of ARRA’s enactment date.
  • Adds a mechanism by which states may enforce the HIPAA Privacy and Security Rules through each State Attorney General’s office. The Attorney General may bring a civil action in federal district court on behalf of the harmed individual and may seek an injunction or statutory damages, which are capped. The state may not bring an action if the Secretary of HHS has already instituted an action against the person.
  • Requires HHS to conduct periodic audits, but allows HHS to use its discretion in determining whether to impose a penalty in cases where the person reasonably did not know of the violation.
  • Requires HHS to prepare annual reports beginning in 2010 regarding complaints of alleged violations of HIPAA and to include certain information related to those complaints. These reports will be made available to the public.