The American Recovery and Reinvestment Act of 2009 (the “Stimulus Act”) that President Obama signed on Tuesday, February 17, 2009 contains numerous provisions affecting health privacy and security, electronic health information and updates to the Health Insurance Portability and Accountability Act (HIPAA). These sweeping changes will significantly affect how activities of covered entities, business associates and others will be regulated and monitored. Consequently, covered entities and business associates must reevaluate and expand their HIPAA privacy and security policies, take inventory of contractual arrangements and access to protected health information (PHI) and amend business associate agreements to meet these new requirements. Unless otherwise specified, the effective date of these changes will be February 17, 2010.
Notifications in the Case of Breach (§§ 13402, 13407)
Prior to the Stimulus Act, covered entities under HIPAA were not required under federal law to notify the Department of Health and Human Services (HHS) or individuals of a breach of privacy, security or integrity of their PHI. The Stimulus Act requires such notification by covered entities, business associates, and other third-party vendors in the event of such breach. These notification requirements are similar to, but generally more extensive than, those currently enforced by many states.
- A covered entity must notify an individual whose PHI has been accessed, acquired, or disclosed as a result of a breach or when the covered entity reasonably believes that such breach occurred.
- When a business associate discovers a breach of PHI, it must notify the covered entity of the individual whose unsecured PHI has been, or is reasonably believed by the business associate to have been, accessed, acquired or disclosed during such breach.
- Notifications must be made without unreasonable delay but no later than 60 calendar days after discovery and must include specific information set forth in the Stimulus Act. Unintentional disclosures require notification unless such disclosure is to a person authorized to access health information at the same facility.
- Notice of breach must also be provided to HHS and, potentially, to the media. For breaches concerning fewer than 500 individuals, the covered entity can keep a log for HHS and submit it annually. However, immediate notice to HHS is required for breaches involving more than 500 individuals. HHS may also post a list of covered entities that disclose breaches on the HHS website. If a breach discloses the data of 10 or more patients whose contact information is insufficient or out-of-date, the covered entity must post the news on its website. The media serving a particular state or jurisdiction must be notified if the breach affected more than 500 residents of such state or jurisdiction.
- HHS has 180 days to promulgate interim final regulations. The requirements regarding breach notifications will apply to breaches that are discovered on or after the 30th day after publication of such regulations.
- The Stimulus Act includes provisions requiring vendors that offer and maintain personal health records and third-party service providers to notify individuals of certain breaches and to notify the Federal Trade Commission (FTC). The FTC is required to issue regulations regarding the manner of notice. A violation by these vendors/service providers will be treated as a violation of the Federal Trade Commission Act, as an unfair or deceptive act or practice.
Business Associate Liability (§§ 13401, 13404)
Prior to the Stimulus Act, the HIPAA Privacy Rule permitted a covered entity to disclose health information to a business associate, or to allow a business associate to create or receive health information on its behalf, provided the covered entity received satisfactory assurances, in the form of a written contract generally termed a “business associate agreement,” that the business associate would appropriately safeguard the information. Violations of HIPAA were generally not directly enforceable against business associates, and covered entities were not generally liable for, or required to monitor, the actions of their business associates unless they discovered a material breach or violation of the contract by the business associate. The Stimulus Act expands HHS’ HIPAA enforcement capabilities to include the actions of business associates.
- The Stimulus Act applies HIPAA security standards and the civil and criminal penalties for violating those standards to business associates. It also requires HHS to issue annual guidance on the most effective and appropriate technical safeguards, including the technologies that render information unusable, unreadable, or indecipherable (such as encryption), which will be based on recommendations by the HIT Policy Committee (which was created by the Stimulus Act).
- The Stimulus Act also expands HIPAA privacy so that a business associate is directly liable for using and disclosing PHI in violation of its business associate agreement, the content of which is regulated by 45 CFR §§ 164.502(e)(2) and 164.504(e). Consequently, the business associate will be liable for any civil and criminal penalties assessed for violating those standards.
- The Stimulus Act places a requirement on a business associate who knows of a violation or breach by a covered entity. Unless the business associate or covered entity took steps to cure the breach, the business associate must terminate the contract or report the violation to HHS. This provision places an onerous requirement on business associates and will change the dialogue in negotiations of business associate agreements.
Disclosures of PHI will be Limited to the “Limited Data Set” or the “Minimum Necessary” (§ 13405)
Under the HIPAA Privacy Rules’ minimum necessary standard, whenever a covered entity uses or discloses PHI or requests such information from another covered entity, it must make reasonable efforts to limit the information to the minimum necessary to accomplish the intended purpose of the use or disclosure. However, there are exceptions to this standard such as when the disclosure is for treatment purposes. Within the next 18 months, HHS will issue guidance on what constitutes “minimum necessary.” In issuing this guidance, HHS must consider the information necessary to improve patient outcomes and to detect, prevent and manage chronic disease.
The Stimulus Act also notes that when disclosing PHI, a covered entity or business associate must limit health information, to the extent practicable, to either the limited data set or, if necessary, minimum necessary. This requirement would sunset at the time HHS issues guidance on what constitutes “minimum necessary.” A limited data set has most information identifying a patient removed and is considered by HHS to pose a low privacy risk. The HIPAA Privacy Rule’s exceptions to the minimum necessary standard would still apply.
Accounting to Patients (§ 13405)
The HIPAA Privacy Rules give individuals a right to receive an accounting of certain disclosures of PHI made by the covered entity for a time period of up to six years prior to the date on which the accounting is requested. However, certain disclosures were excluded from the HIPAA accounting requirement. Most notably, individuals did not have a right under HIPAA to obtain an accounting of disclosures made to carry out treatment, payment or healthcare operations (TPO). The Stimulus Act expands certain accounting responsibilities to include TPO, which is a significant departure from current practices and will create administrative responsibilities regarding how to electronically track these types of disclosures. It is important to note that these additional accounting obligations only apply to records that are maintained electronically. Within the next 18 months, HHS will promulgate regulations to further discuss what disclosures must be included in the accounting. Because the accounting requirement is prospective, a covered entity that acquires an electronic health record as of June 30, 2012 would be required to account for disclosures made through that electronic health record as of June 30, 2012 and forward. Depending on whether a covered entity used an electronic health record as of January 1, 2009, the effective dates of this provision will be either January 1, 2014 or January 1, 2011, unless extended by HHS.
Sale of Electronic Health Records or PHI Obtained from Electronic Health Records (§ 13405)
The Stimulus Act will prohibit a covered entity or business associate from directly or indirectly receiving remuneration in exchange for any PHI of an individual unless the covered entity obtains a valid authorization that specifies that the PHI can be further exchanged for remuneration. Exceptions include when the purpose of exchange is for research or public health activities, treatment of the individual, healthcare operations, payment to a business associate for services involving the PHI, to provide the individual with a copy of his or her PHI, or otherwise determined by HHS by rule. Within 18 months, HHS shall promulgate additional regulations on this provision. These restrictions will apply six months after HHS’ rules are finalized.
Use of PHI for Marketing Purposes (§ 13406)
The Stimulus Act clarifies that a communication by a covered entity or business associate that is about a product or service and that encourages recipients of the communication to purchase or use the product or service shall not be considered a healthcare operation, unless the communication relates to a healthcare-related product or service.
The Stimulus Act prohibits a covered entity or business associate from receiving direct or indirect payment for marketing a healthcare-related product or service without first obtaining the recipient’s authorization. However, the Stimulus Act makes an exception to allow providers to be paid reasonable fees to make a communication to their patients about a drug or biologic that the patient is currently prescribed. “Reasonable amount” will be defined by HHS. Furthermore, a business associate is permitted to receive payment from a covered entity for making any such communication on behalf of the covered entity that is consistent with the contract. This provision applies to written communications made on or after February 17, 2010.
Use of PHI for Fundraising Activities (§ 13406)
HIPAA’s definition of healthcare operations includes fundraising activities. Despite early efforts to eliminate fundraising activities from this definition, the Stimulus Act continues to permit fundraising activities by the provider using a patient’s PHI so long as any written fundraising provides an opportunity to opt out of future fundraising communications. If the recipient chooses to opt out of future fundraising communications, that choice is treated as a revocation of authorization under 45 CFR 164.508. This provision applies to written communications made on or after February 17, 2010.
BA Contracts Will be Required for New Entity Types (§ 13408)
The Stimulus Act treats organizations that contract with covered entities for the purpose of exchanging electronic health information as business associates of the covered entity. Specifically, these organizations include Health Information Exchanges, Regional Health Information Organizations, E-prescribing Gateway and each vendor that contracts with a covered entity to allow that covered entity to offer a personal health record (PHR) to patients as part of its electronic health record.
Expanded Enforcement Measures for HIPAA Violations (§ 13410)
HIPAA authorizes HHS to impose civil monetary penalties on any person failing to comply with the privacy and security standards. The Stimulus Act strengthens and expands the ability to enforce HIPAA violations and methods of collecting penalties. These changes are immediately effective and represent a dramatic increase in the penalties under HIPAA.
- The Stimulus Act creates tiered increases in amount of civil monetary penalties for a violation.
- The Stimulus Act enables state attorneys general to bring civil actions on behalf of state residents whose PHI was released. These actions may be used to (1) enjoin the actions of the defendant; and (2) obtain damages of up to $100 per violation, but no more than $25,000, on behalf of the residents.
HHS HIPAA Compliance Audits (§ 13411)
HIPAA originally authorized HHS to conduct compliance reviews to determine whether covered entities are complying with HIPAA standards; however, such reviews were not mandatory. The Stimulus Act now requires HHS to perform periodic audits to ensure that covered entities and business associates are complying with the Privacy and Security Rules and the new requirements created by the Stimulus Act. Covered entities and business associates must be prepared for such audits by reviewing and updating HIPAA policies and procedures and related business associate agreements.
Covered entities and business associates will be significantly affected by the HIPAA changes implemented in the Stimulus Act and should begin preparing to update policies, procedures and related contracts to ensure timely compliance with the new provisions. If you have any questions regarding these new requirements, please contact the healthcare practice group of LLB&L. Our healthcare attorneys have the experience to assist you with HIPAA and Stimulus Act compliance and audit preparedness.