Just weeks into the new year, Connecticut Attorney General Richard Blumenthal has sued Health Net of Connecticut, Inc. (“Health Net”), a health plan, for allegedly failing to secure patients’ private records, including medical and financial information, resulting in a breach that allegedly affected 446,000 customers.1 The suit marks the first time a state attorney general has sued for violations of the federal HIPAA law since HITECH authorized state attorneys general to enforce HIPAA last year. This memorandum provides an overview of some of the major legal changes wrought by HITECH, a cautionary note about future state prosecutions of health care providers, as well as health plans, and important steps companies are taking in order to comply with the new law.
What is HITECH? As part of the American Recovery and Reinvestment Act of 2009 (or “ARRA”), Congress enacted the Health Information Technology for Economic and Clinical Health Act, or “HITECH”.2 HITECH raised the stakes for health care providers, health plans and others who are “covered entities” or “business associates” subject to the Health Insurance Portability and Accountability Act (“HIPPA”) in four important ways.3 First, it increased penalties for violations of HIPAA, including violations of the regulations known as the Privacy Rule, Security Rule, and now the Breach Notification Rule (discussed below).4 Second, the law empowers state attorneys general to sue for damages and to enjoin violations of HIPAA by a covered entity or business associate that affect citizens in that state. The reach of these state attorneys general will be broad—the Privacy and Security Rules apply to “covered entities,” including both health plans and health care providers who transmit health information in electronic form, and to business associates of those covered entities. Although in the Connecticut case the attorney general has sued a health plan, HITECH empowers a state attorney general to sue “any person who violates a provision of” HIPAA’s Administrative Simplification provisions, which include the rules mentioned above, and other regulations such as those mandating the use of unique health identifiers and setting standards for electronic transactions. Third, for the first time since HIPAA was enacted, HIPAA’s privacy and security rules apply directly to business associates, who are now themselves subject to the ramped-up civil penalties for violations. While in the past business associates were subject only to the terms of their business associate agreements entered into with covered entities, now business associates will be directly responsible, and liable, for compliance with the laws and regulations. Fourth, the new Breach Notification Rule5 imposes new notification obligations on covered entities and business associates in the event of a breach of unsecured protected health information (“PHI”).
Covered entities and business associates must still continue to comply with both the federal HIPAA law and more restrictive state privacy, security, and breach notification laws. HITECH’s extension of the HIPAA rules to other entities will also not preempt stricter state laws.
The Connecticut AG Case
The Connecticut AG action has been viewed as a “wake up call” to the health care community of the risks associated with HIPAA noncompliance. In his lawsuit, filed in the federal District Court of Connecticut, the state AG claims that Health Net and other defendants violated HIPAA, HITECH, and the U.S. Department of Health and Human Services (“HHS”) regulations promulgated thereunder. For relief, the Connecticut AG seeks a permanent injunction against future alleged breaches; statutory damages in an unspecified amount under HIPAA; and other relief under supplemental state law claims. According to the allegations in the complaint, Health Net learned in May of last year that an unencrypted portable computer disk drive containing the PHI, social security numbers, and financial information (including bank account numbers) for about 446,000 Health Net beneficiaries had “disappeared”. Health Net allegedly failed to notify any state authorities regarding the missing data, which reportedly included millions of pages of insurance claims forms, grievances, medical records, and other documents that could be viewed by an unauthorized person with commonly available software. Health Net is alleged to have notified individuals whose personal information was believed to have been accessed in late November of last year through its website and letters to individuals. The Connecticut AG claims that the “design and implementation” of Health Net’s security policies were “ineffective” to safeguard against the breach, and that it failed to train and supervise its workforce.
Steps Covered Entities Are Taking to Comply with HITECH
Adopting HIPAA Policies and Procedures. The Connecticut AG’s initial foray into state enforcement of HIPAA marks an (in)auspicious occasion for health plans and health care providers to examine the compliance dictates in HIPAA and HITECH. It is important for covered entities to periodically review their policies and procedures to ensure they reflect the current state of the law, and many covered entities will be doing so now in light of HITECH’s enhanced civil penalties. These penalties will also likely inspire business associates to adopt their own policies, and to familiarize themselves with the policies of the covered entities with whom they contract. As noted above, those policies would need to pass muster with state privacy laws as well. In addition to the new Breach Notification Rule, HITECH included other changes regarding the use or disclosure of PHI–such as stricter limits on use of PHI for marketing and other purposes, and added obligations to individuals–which may require updating existing policies. A HIPAA documentation policy may be crucial, since under the statute covered entities and business associates will have the burden of proving that a breach did not occur, or that they are otherwise in compliance.
Training Workforce Members. HHS expects training and internal reporting procedures to be an important part of compliance under HITECH, particularly because a covered entity or business associate is deemed to have “knowledge” of a breach when any person (other than the person who committed the breach) who is a “workforce member” or agent of the covered entity or business associate knew, or by reasonable diligence would have known, about the breach. This is especially important because once a breach is treated as “discovered”, the clock starts ticking for notification to be made “without unreasonable delay”. Significantly, if a business associate is acting as a covered entity’s agent, then knowledge of the breach is imputed to the covered entity as soon as the business associate discovers it—not when the business associate notifies the covered entity. This in itself will be enough to inspire many covered entities to re-examine their business associate agreements, with particular attention to timing issues.
Knowing Your Business Associates. A business associate is someone or some entity who performs a function or service on behalf of a covered entity that involves the use or disclosure of individually identifiable health information—for example, third-party administrators or pharmacy benefit managers for health plans, claims processing or billing companies, transcription companies, and professionals performing legal, actuarial, accounting, management, or administrative services for covered entities. It is important for covered entities to know who their business associates are, and to confirm that their business associates are aware of and ready to comply with HITECH. As noted earlier, knowledge of a breach of unsecured PHI—i.e., when a breach is “discovered”—can be ascribed to the covered entity itself, and starts the clock ticking for the covered entity to comply with the Breach Notification Rule.
Updating Your Business Associate Contracts. Pre-HITECH, the HIPAA Privacy and Security Rules required covered entities and business associates to enter into contracts setting forth the parties’ obligations with respect to PHI. Covered entities will now be reviewing their business associate contracts to make sure they incorporate the requirements of the Privacy and Security Rules as well as HITECH. Because a timely response to a breach of unsecured PHI is key to avoiding liability under HITECH, whether business associates meet their specific obligations and timeframes when a breach is discovered is particularly important to covered entities, so that covered entities can act quickly to preempt—or if they cannot preempt, carry out—the required notifications. Language regarding subcontractors can also be critical. Requiring that business associates notify the covered entity whenever a subcontractor will have access to the covered entity’s PHI may be important in some situations, especially because some vendors may be deemed business associates of the covered entity itself under HITECH.
Business Associates: Getting to Know Your New Responsibilities Under HITECH. For the first time, business associates’ obligations under HIPAA will extend beyond the provisions of their private contracts with covered entities. Business associates as well as covered entities now need to familiarize themselves with the law, and consider adopting policies and procedures to comply. Because some ambiguity exists regarding exactly which HIPAA privacy and security provisions will apply directly to business associates, a comprehensive understanding of HIPAA’s complex scheme will be key to ensuring compliance.
On the Horizon: The Breach Notification Rule
Covered entities will be required in many instances to notify individuals, the media, and HHS when unsecured PHI is breached. HHS has issued new guidance setting forth technical standards to secure electronic PHI,6 and requiring both covered entities and their business associates to take steps to provide notification in the event of a breach. Although covered entities and business associates were required to comply with the Breach Notification Rule by September 23, 2009, penalties will not be imposed by HHS for breaches discovered before February 22, 2010. (Notably, the complaint filed in the Connecticut AG’s suit against Health Net does not seek relief predicated upon violation of the Breach Notification Rule.)
The Breach Notification Rule is triggered by a violation of the existing HIPAA Privacy Rule. If the Privacy Rule is not violated–e.g., if a use or disclosure occurs incident to an otherwise permissible use, and despite reasonable safeguards and proper procedures–then there is no potential breach. Furthermore, only a breach of “unsecured” PHI (which does not include, for example, encrypted7 or de-identified information) that “compromises the security or privacy” of the PHI will trigger the notification requirement. HHS has interpreted the statute as requiring breach notification only if the use or disclosure “poses a significant risk of financial, reputational, or other harm to the individual”. (Additional exceptions exist for certain unintentional or inadvertent disclosures, or disclosures to a person who would not reasonably have been expected to retain the information.) The Breach Notification Rule requires a covered entity to notify individuals, HHS and/or the media in the case of a breach, and requires business associates to notify the covered entity in the event of a breach. However, HHS encourages parties to consider whether the business associate or covered entity is in the best position to provide the notice. As with most of HIPAA’s existing privacy and security provisions, HITECH’s notification requirements will not preempt stricter state notification laws, so in most cases covered entities and business associates will be expected to comply with both.
Notification must be made “without unreasonable delay” (and in no case later than 60 days) with limited exceptions where delay is requested by a law enforcement official. The content of the notification will include a description of what happened and when the breach was discovered, the types of PHI that were involved, what steps individuals can take to protect themselves, and what the covered entity is doing to investigate the breach, mitigate harm, and prevent future breaches. In certain circumstances covered entities may be required to provide a toll free telephone number, and to provide information about the breach on its website or in the media. For breaches affecting more than 500 individuals the covered entity must notify HHS immediately, and if 500 or more affected individuals reside in a single state the covered entity will have to notify the media.
Being prepared to take swift action may enable covered entities and business associates to remain in compliance with the breach notification requirements and avoid a breach notification. The Breach Notification Rule contemplates that performing risk assessments and taking immediate steps to mitigate harm from a potential breach of unsecured PHI may eliminate or reduce the harm. In turn, if there is less than a “significant risk” of harm, then there is no breach, and the notification requirements are not triggered. (Although the complaint in the Connecticut AG case does not cite the Breach Notification Rule, as noted above, the AG has claimed that the health plans failed to mitigate harmful effects of the alleged security breach with respect to existing (pre-HITECH) requirements for covered entities under the Security Rule.)
In short, the Connecticut AG action can be seen as a message to covered entities and business associates alike to consider having policies and procedures in place to conduct risk assessments and mitigate harm in the event of a potential breach.