On February 17, 2009, President Obama signed into law the American Recovery and Reinvestment Act (“ARRA” or the “Stimulus Bill”). The Stimulus Bill includes significant modifications to the privacy and security requirements of the Health Insurance Portability and Accountability Act (“HIPAA”), as well as to the penalties and enforcement provisions of both the new and pre-existing HIPAA requirements.

Extension of HIPAA Privacy and Security Rules to Business Associates

HIPAA privacy and security rules have always applied to “covered entities” including health plans, health care providers and health care clearinghouses who have “business associate” contracts with service providers such as thirdparty administrators. A business associate is any person or entity who, on behalf of a covered entity, performs or helps perform a function or activity involving the use or disclosure of protected health information. Business associates include, for example, third-party administrators, pharmacy benefit managers, actuaries, attorneys and consultants.

Under the Stimulus Bill, business associates will now be directly regulated by HIPAA and subject to its penalties. Business associates will therefore need to appoint security officials, develop written policies and procedures to comply with security rules relating to physical, technical and administrative safeguards (such as locking computers), and train their workforces on how to protect health information. Business associate contracts between covered entities and business associates must be revised to include these new privacy and security requirements.

New Rules

The Stimulus Bill requires covered entities and business associates to notify each individual whose protected health information (“PHI”) was the subject of a security breach. The notification must be made without unreasonable delay and in no event later than 60 days after discovery and must describe the circumstance of the breach, including the date of the breach and the date of discovery, the type of PHI involved, the steps individuals should take to protect themselves, and the steps the covered entity and/or business associate have taken to mitigate harm and protect against future breaches. If the covered entity lacks current contact information, it may be required to post notification of the breach on its website or in newspapers or broadcast media.

A breach by a business associate also requires notification to the covered entity, including the identity of each individual involved. The notice must be made by first class mail, but email is acceptable if the individual whose PHI was breached has specified email notification. If more than 500 individuals in a state or jurisdiction are involved, the covered entity also must notify “prominent media outlets” serving the state or jurisdiction, as well as the Secretary of Health and Human Services. HHS published additional guidance on August 19, 2009, which required covered entities and business associates to identify and report all breaches occuring after September 23, 2009.

Generally, the new law prohibits direct or indirect remuneration for any exchange of PHI (even under payment or health care operations), unless so authorized by the individual whose PHI is being released. The authorization must specify whether the covered entity may further exchange the PHI for remuneration. There are exceptions for PHI that is exchanged for public health activities, research, treatment, the sale of a covered entity, services under a business associate contract, or for the purpose of providing a copy of the PHI to the individual who is the subject of the information.

Under the Stimulus Bill, a covered entity must comply with an individual’s request that his or her PHI not be disclosed to a health plan for payment and health care operations, when services for treatment have been fully paid by the individual out-of-pocket. Previously, although individuals had a right to make such a request, covered entities did not have to agree to the restriction. In addition to not being permitted to disclose health records if an individual so requests, the new law also provides that if a covered entity uses or maintains electronic health records for an individual, it must provide, at the request of that individual, a copy directly to the entity or person designated by the individual and, if the copy is in electronic form, the covered entity may not charge the individual more than the labor cost incurred in fulfilling the request.

Enforcement and Penalties

The new law requires the Secretary of Health and Human Services to periodically audit covered entities and to formally investigate each complaint received. State attorneys general have authority to bring civil actions against a covered entity or business associate to enjoin violations and to obtain damages on behalf of the residents of their state of up to $100 per violation (to a maximum of $25,000 for violations of an identical requirement during the calendar year). In addition, general civil penalties are higher or lower depending on level of intent, as the following illustrates:  

  • When the violation was unknown (and by exercising due diligence could not have been known) the minimum penalty is $100 per violation, with a cap of $25,000 for violations of an identical requirement during a calendar year.  
  • When a violation is due to “reasonable cause,” the minimum penalty is $1,000 per violation, with a cap of $100,000 for violations of an identical requirement during a calendar year.  
  • When a violation is due to “willful neglect,” the minimum penalty is $10,000 per violation, with a cap of $250,000 for violations of an identical requirement during a calendar year.  

The maximum penalty per violation is $50,000, with a cap of $1.5 million for violations of an identical requirement during a calendar year. The law also provides that penalties may not apply if the violation is corrected within 30 days of its discovery.

Effective Date

The general effective date for the Act is February 17, 2010. Certain provisions have other effective dates, however, and the penalty provisions are effective immediately.

Action Required

Plan sponsors should review and update their HIPAA policies, notices and procedures to comply with the new privacy and security requirements, and revisit and update business associate contracts to address the new requirements. Business associates, for their part, need to take immediate action to comply with the HIPAA requirements, including appointing security officials, developing written policies and procedures to comply with security rules relating to physical safeguards, and training their workforces on how to protect health information. Note that a notice of availibility to receive a copy of the plan’s Notice of Privacy Practices must be distributed every three years.