As part of the economic stimulus package, Congress enacted the Health Information Technology for Economic and Clinical Health Act (the Act) which expands the scope of the Privacy and Security regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Act includes the following key provisions.
Business Associates are now directly subject to many of the Privacy and Security requirements that were formerly imposed on them only through their contracts with covered entities. As a result, business associates now may become directly liable to the individual and to the Secretary of the Department of Health and Human Services (the Secretary) rather than simply liable to the covered entity for breach of the business associate agreement. Specifically, business associates must now comply with the following:
- Business associates are required to comply with many of the Privacy regulations previously applicable only to covered entities;
- Business associates are required to implement the physical, administrative and technical safeguards defined in the Security regulations in the same manner as those requirements are applied to covered entities;
- Business associates are required to comply with individual requests for restrictions on the use and disclosure of PHI;
- Business associates that become aware that a covered entity with which they have a business associate agreement has violated HIPAA or breached its obligations under the business associate agreement must terminate the agreement. In some cases, the business associate is required to notify the Secretary of the covered entity’s breach;
- Business Associates are subject to audit by the Secretary; and
- Business Associates are directly subject to the civil and criminal penalties previously applied only to the covered entities for which the business associates provide services.
Notice of Breach
The Act defines notice requirements in the event of a breach of “unsecured PHI” by a covered entity to the individual whose PHI has been breached and, under certain circumstances, to the Secretary. If more than 500 individuals are involved, the covered entity must also provide notice of the breach to the media. “Unsecured PHI” is PHI that has not been secured through the technology or methodology specified in guidance by the Secretary. If the Secretary fails to issue guidance within 60 days of enactment of the Act, “unsecured PHI” means PHI that is not secured by a technology standard that makes the PHI unusable, unreadable or indecipherable, and that was developed or adopted by an organization accredited by ANSI. If the “unsecured PHI” is under the control of a business associate, the business associate is required to notify the covered entity of a breach.
- Access. An individual has the right to receive an electronic copy of his or her PHI if the information is maintained in an electronic health record.
- Accounting. An individual has a right to request an accounting of uses or disclosures of his or her PHI for treatment, payment or health care operations during the prior three years if the disclosures were made through an electronic health record.
- Restriction. A covered entity must honor an individual’s request that the covered entity not disclose PHI for payment reasons if the individual privately paid in full for the item or service.
Marketing and Fundraising
A communication by a covered entity or business associate about a product or service that encourages the recipient to purchase or use a product or service will not be considered a health care operation unless the communication falls within one of the exceptions listed in the definition of marketing in the Privacy regulations. In addition, even if a communication fits one of the exceptions, it will not be considered a health care operation if the covered entity receives any payment for the communication, except under certain circumstances.
The communication will be considered a health care operation if the communication (1) describes only a drug or biologic currently prescribed for the recipient and any payment is reasonable, (2) is made by a covered entity with an authorization, or (3) is made by a business associate on behalf of a covered entity pursuant to a business associate agreement.
The individual must be given clear and conspicuous notice of his or her option to opt out of the use or disclosure of his or her PHI for fundraising purposes.
In most cases, covered entities will be considered to be in compliance with the “minimum necessary” requirements of the Privacy regulations only if their use and disclosure of PHI is limited to “de-identified” information or “limited data sets.”
Prohibition on Sale of PHI
Covered entities and business associates are prohibited from selling PHI except with patient authorization or under certain limited circumstances, such as for research or public health activities. This leaves open the question of whether a covered entity may receive payment in connection with various health care operations.
Enforcement and Penalties
- The Act grants authority to the State Attorneys General to enforce HIPAA and litigate for damages and injunctive relief.
- The Act requires the government to conduct a formal investigation of HIPAA complaints that it receives.
- The Act authorizes tiered increases in the CMPs based on the level of violation and the distribution of a percentage of the CMPs to the individual harmed by the HIPAA violation.
- The Act prohibits the sale of PHI by a covered entity or business associate, except with patient authorization or under certain limited circumstances.
- Covered entities and business associates will need to modify policies and procedures addressing the Privacy and Security Regulations.
- Business associate agreements between covered entities and business associates must be modified to reflect the changes in the Act.
- Covered entities will need business associate agreements with organizations that provide data transmission of PHI.
The Act provides for varying effective dates within the next six to twelve months, generally based on a specified period of time following the promulgation of regulations by the Secretary.