The economic stimulus package signed into law by President Obama, also known as the American Recovery and Reinvestment Act of 2009 (ARRA), made major changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). More than $20 billion has been earmarked under ARRA for the transition to electronic health records. As health records become electronic over the next few years, Congress has recognized the need to drastically improve protections under HIPAA to gain the public's trust by ensuring tough privacy and security measures protecting these records. The significant changes to HIPAA include the following:
A new security breach notification requirement has been added to HIPAA, obligating covered entities to notify affected individuals in writing of security breaches involving their protected health information. If more than 500 individuals are affected, the covered entity must also notify prominent local medical outlets and Health and Human Services (HHS) of the breach. HHS will post the names of all entities on its website that have reported a breach affecting 500 or more individuals. Further, covered entities must provide HHS with a log of all breaches that occurred during the year, regardless of the number of individuals affected. These new breach notification requirements will go into effect 30 days after HHS publishes the final HIPAA regulations (most likely in mid-August).
- Business associates will now be directly subject to HIPAA and will be subject to HIPAA's civil and criminal penalties. Business associates are entities who create, use or disclose protected health information on behalf of covered entities (such as TPAs of group health plans, collection agencies, accounting firms, auditors, law firms, billing services, transcriptionists, etc.). Prior to ARRA, business associates were only indirectly regulated by HIPAA through the business associate contract and only had contractual liability to the covered entity for privacy and/or security breaches. Under ARRA, business associates will need to implement most of HIPAA's security requirements and many of HIPAA's privacy requirements. Business associates will need to appoint a security officer, conduct a HIPAA risk analysis, develop written policies and procedures and train employees as to HIPAA's requirements. Further, business associates will now have a statutory duty to comply with all the terms of their business associate contracts. Therefore, business associates will need to implement HIPAA privacy and security compliance programs to ensure that protected health information is used and disclosed in accordance with the business associate contracts. This is a drastic change for business associates which will require a significant amount of effort to become compliant. The effective date for these changes to the business associate rules is February 17, 2010.
- HIPAA now has real teeth. Before ARRA, HHS took a soft, voluntary compliance approach to HIPAA and therefore, the dreaded HIPAA police never materialized. This approach will change under ARRA. The maximum annual civil penalty per violation is now $1.5 million (it had been $25,000 pre-ARRA). State attorneys general now are able to bring suit against a covered entity or business associate who has violated HIPAA to enjoin the wrongful practice and recover damages. HHS now has a statutory duty to investigate complaints, conduct audits and impose penalties. Penalties will be used to fund future HIPAA enforcement initiatives and repay victims of HIPAA violations. These enforcement provisions of HIPAA went into effect on February 17, 2009. Frequent, customized training of workforce members and a thorough review of your HIPAA privacy and security programs are the best courses of action to minimize the imposition of penalties.
- Many HIPAA provisions have been changed and covered entities will need to update their HIPAA privacy and security programs to implement these changes. The rules for restrictions of disclosures of protected health information, accounting of disclosures, marketing communications and the minimum necessary provisions have been changed. Security safeguards will need to be reexamined in light of guidance issued in connection with HIPAA's new breach notification requirements. Also, business associate contracts will need to be revised to incorporate the major changes to the treatment of business associates. Further guidance for implementing these changes will be contained in HHS regulations that are expected to be published in mid-August.
Once HHS issues regulations in mid-August implementing ARRA's changes to HIPAA, we will provide you with detailed guidance for the next steps you will need to take to comply with HIPAA.