On Feb. 17, 2009, President Obama signed into law the American Recovery and Reinvestment Act of 2009 ("ARRA"). Title XIII of ARRA, the Health Information Technology for Economic and Clinical Health Act (the "HITECH Act"), significantly changes the landscape of federal privacy and security law as it relates to protected health information ("PHI").
As part of its effort to develop a nationwide health information technology infrastructure that allows for the electronic exchange of PHI, Congress, in passing the HITECH Act, has (1) extended the reach of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing privacy and security regulations (respectively, the "Privacy Rule" and the "Security Rule"), (2) imposed a breach notification requirement on HIPAA covered entities and their business associates, (3) limited certain uses and disclosures of PHI, (4) increased individuals' rights with respect to PHI and, significantly, (5) increased enforcement of, and penalties for, violations of privacy and security of PHI. The most significant of these changes are summarized below. Many of the HITECH Act's provisions will be effective on Feb. 17, 2010 (12 months after its enactment), while other provisions require regulations to be implemented or may become effective two years or more after the law's enactment.
- Breach Notification Requirement. The HITECH Act requires covered entities to notify individuals whose "unsecured PHI" has been, or is reasonably believed to have been, accessed, acquired, or disclosed as a result of a breach (which is defined as the unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of such information absent certain statutory exceptions). In addition, business associates must notify covered entities of any breach of which they become aware.
- Unsecured PHI Guidance. Within 60 days of enactment of the HITECH Act, the Secretary of the United States Department of Health and Human Services ("HHS") is required to issue guidance on what constitutes "unsecured PHI" that may trigger notification duties in the event of a breach. If HHS does not issue guidance in accordance with the timeline, a default provision will apply, and unsecured PHI will be defined as any PHI that is not secured by a technology standard (such as encryption) accredited by the American National Standards Institute that renders the information unusable, unreadable or indecipherable. HHS will issue annual guidance on appropriate encryption methods and similar technologies.
- Timing of Notice. Notification of a breach must be made "without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach." Covered entities will have the burden of demonstrating that a notification meets this timing requirement, including presenting evidence to support the necessity of any delay. A breach is deemed to be "discovered" as of the first day that the breach is known, or reasonably should have been known, to the covered entity or its business associate. The knowledge of any employee, officer or agent (other than the person committing the breach) will be imputed to the organization for purposes of establishing discovery and starting the clock running.
- Individual Notice. Notification to the individual must be made in writing and sent to the individual via first class mail unless the individual has specified a preference for electronic mail. If the covered entity has insufficient or out-of-date contact information, the covered entity must give notice in a substitute form, including posting notice of the breach on its website or in major print or broadcast media (if the covered entity has insufficient information for more than 10 individuals affected).
- Media Notice. If the breach involves the PHI of more than 500 individuals in a state, the covered entity must give notice of the breach to prominent media outlets in that state.
- HHS Notice. Covered entities must notify HHS of any breach. If the disclosure involves the PHI of more than 500 individuals, HHS must be notified immediately. If fewer than 500 individuals are affected, the covered entity may maintain a log to be produced to HHS annually.
- Content of Notice. Notice of a breach must include a description of the facts surrounding the breach, the type of PHI involved, the steps individuals should take to protect themselves, what the covered entity is doing to investigate, mitigate and protect against future breaches, and contact information for individuals to ask questions or obtain more information.
- Effective Date. HHS is required to issue interim final regulations on the HITECH Act's breach notification provisions no later than 180 days after enactment. The new breach notification provisions will become effective for breaches discovered 30 days after the publication of the interim final regulations.
The HIPAA Privacy and Security Rules do not currently require covered entities to notify individuals when their PHI has been subject to a breach. However, most states have passed general security breach notification laws in recent years that require notification of individuals whose financial information (such as Social Security number or credit card number) has been subject to unauthorized access. The HITECH Act adds more detailed and stringent provisions to many of the common elements of state security breach notification laws, such as the Act's requirements regarding (1) the content of the notice, (2) media notice, (3) acceptable encryption technologies, and (4) the 60-day deadline for notification. Applying security breach notification standards to medical information is consistent with concerns expressed by the Federal Trade Commission ("FTC") and other regulators about the growing crime of medical identity theft.
New Regulation of Personal Health Record Vendors
The recent movement to adopt personal health records ("PHRs"), spurred by the efforts of large employers, has led to concerns that vendors of PHR products are not necessarily required by law to report breaches involving PHR data. Most state security breach notification laws do not define "personal information" to include medical information, focusing instead on information that may be used to commit financial fraud. The HITECH Act addresses that perceived deficiency by extending the security breach notification provisions described above to (1) PHR vendors, (2) businesses that offer products or services through a website of a PHR vendor or a covered entity that offers PHRs, and (3) entities that access information in, or send information to, a PHR (collectively "PHR businesses").
- Notification of PHR Breach. Because PHR businesses are not covered entities under HIPAA subject to regulation by HHS, the HITECH Act provides for regulation of such businesses by the FTC. PHR businesses are required to notify the FTC and each affected individual who is a citizen or resident of the United States of a privacy or security breach of unsecured individually identifiable information in a PHR ("PHR Information"). If a PHR vendor utilizes the services of a third-party service provider in performing the PHR service, then that service provider must notify the PHR vendor of any breach upon its discovery. The FTC will notify HHS upon receiving notice of a PHR breach.
- FTC Regulatory Authority. The FTC will have the authority to take action against violations of the notification requirements related to PHR Information as unfair and deceptive acts or practices under the Federal Trade Commission Act.
- Effective Date. The FTC must issue interim final regulations regarding PHR breach notification requirements within 180 days from the enactment of the HITECH Act. The new breach notification requirements will apply to breaches that are discovered on or after 30 days from the publication of the FTC's interim final regulations.
Business Associates — Increased Duties and Penalties
Prior to the enactment of the HITECH Act, HIPAA applied to business associates only indirectly by way of the business associate's contractual obligations to the covered entity. Similarly, the penalty for a violation of these obligations was merely damages that resulted from any contractual breach (unless the business associate also happened to be a covered entity). The HITECH Act, however, has expanded both the application of HIPAA requirements and penalties to business associates.
- Security Rule Obligations. The HITECH Act requires business associates to comply with the Security Rule's administrative, technical and physical safeguard requirements and requires business associates to implement security policies and procedures in the same manner as a covered entity. If the business associate violates any of these Security Rule provisions, the business associate may be subject to the same HIPAA civil and criminal penalties as a covered entity.
- Privacy Rule Obligations. While the HITECH Act makes certain Security Rule provisions directly applicable to business associates, it takes a less direct approach with respect to the Privacy Rule. Specifically, the HITECH Act requires the business associate to use or disclose PHI only in a manner consistent with its obligations under its business associate agreement with a covered entity (the provisions of which are dictated by the Privacy Rule). The HITECH Act did, however, increase the potential liability for a business associate who breaches its contractual obligations. That is, if a business associate violates the terms of its business associate agreement, the business associate may be subject to the same HIPAA civil and criminal penalties as a covered entity who violated the Privacy Rule.
- Curing Breach of Business Associate Agreements. Similar to the obligations currently imposed on covered entities, a business associate will be required to take reasonable steps to cure a breach of a business associate agreement or terminate the agreement if it knows of a pattern of activity or practice by a covered entity that violates the agreement. If termination of the business associate is not feasible, the business associate may be required to report the covered entity's compliance problem to HHS.
- Organizations Transmitting PHI. The HITECH Act clarifies that organizations that provide data transmission of PHI for covered entities and who require routine access to the PHI are business associates who must enter business associate agreements with the covered entities for whom they provide these services. The HITECH Act states that health information exchange organizations, regional health information organizations, e-prescribing gateways, and PHR vendors who provide a PHR to patients as part of a covered entity's electronic health record ("EHR") are among the organizations that may be business associates under this provision. While many of these enumerated organizations already qualified as business associates under HIPAA, the HITECH Act seems intended to clarify that the exception for "conduit" organizations that are solely responsible for transmission of PHI should not exempt these enumerated organizations from business associate status.
- Amendment of Business Associate Agreements. The additional privacy and security requirements imposed upon business associates through the HITECH Act must be incorporated into the business associate agreement between the covered entity and the business associate. Because large covered entity organizations may have hundreds of business associate agreements in place, amending those agreements could entail considerable administrative costs. The question of whether business associate agreements must be amended would benefit from further clarification from HHS, particularly in light of the fact that the new obligations are imposed upon business associates by force of law, rather than through required contract terms.
Limitations on the Use and Disclosure of PHI
- The HITECH Act confirms the provision of the Privacy Rule that states that communications by a covered entity about a product or service that encourage the recipient of the communication to purchase or use the product or service are not marketing communications, but rather health care operations, if the communication is: (1) to describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication; (2) for treatment of that individual; or (3) for case management, care coordination or to recommend alternative treatments, therapies, health care providers, or settings of care to the individual.
- However, the HITECH Act limits this marketing exclusion by stating that, to the extent that the covered entity receives payment for making these communications, the communication is no longer a health care operation (and, presumably, is a marketing communication that requires an individual's authorization) unless: (1) the communication describes only a drug or biologic currently being prescribed for the individual and the amount of payment received for making the communication (if any) is reasonable in amount; (2) the communication is made by the covered entity and the covered entity has received a valid HIPAA authorization from the individual to whom it is making the communication; or (3) the communication is made by a business associate and is consistent with the terms of its business associate agreement with the covered entity.
- Fundraising. The HITECH Act requires HHS to issue a rule that requires all written fundraising communications to provide the recipient with an opportunity to opt out of any future fundraising communications. Different from the Privacy Rule, the HITECH Act now requires covered entities to treat an individual's election to opt out of fundraising communications as a revocation of authorization.
- Sale of EHRs or PHI. The HITECH Act specifically prohibits the sale of EHRs or PHI by a covered entity or business associate without an individual's authorization unless the covered entity (or business associate) is receiving the remuneration for the EHRs or PHI for purposes of: (1) public health activities; (2) research, provided that the price charged reflects the costs of preparation and transmittal of data; (3) treatment; (4) the sale, transfer, merger or consolidation of all or part of the covered entity with another covered entity and the due diligence related to such activity; (5) providing a business associate with remuneration under a business associate agreement for services rendered; or (6) providing an individual with access to his or her PHI.
- Minimum Necessary.
  - The Privacy Rule requires covered entities to disclose only the minimum amount of PHI reasonably necessary to accomplish the purpose of the permitted use or disclosure of PHI (the "minimum necessary standard"). The minimum necessary standard has been criticized as one of the most vague and difficult-to-implement components of the Privacy Rule. The HITECH Act requires HHS to issue guidance on the minimum necessary standard within 18 months of the HITECH Act's enactment (i.e., by Aug. 17, 2010).
  - For the period prior to the issuance of the Secretary's minimum necessary guidance, the HITECH Act defines compliance with the minimum necessary standard as using or disclosing a limited data set, to the extent practicable, or if necessary, the minimum necessary to accomplish the intended purpose of the use or disclosure. The Privacy Rule defines a limited data set as data that is nearly de-identified (except that it may include dates and certain address information, such as city, state and zip code). It is likely that covered entities will often not find it practicable to utilize limited data sets for many common uses and disclosures of PHI for payment or health care operations purposes.
  - The Privacy Rule's exceptions to the minimum necessary standard (e.g., treatment disclosures) remain in effect under the HITECH Act.
- Review of Health Care Operations. While both the House and Senate bills required HHS to review the definition of health care operations and eliminate from the definition any activities that could reasonably and efficiently be conducted with de-identified health information or should require an authorization, the conference agreement that resulted in the final HITECH Act struck that provision. Thus, significantly, the HITECH Act does not require the Secretary to review and modify the definition of health care operations.
- Accounting for Disclosures of PHI.
  - The HITECH Act expands an individual's right to receive an accounting of disclosures of PHI, and thus expands a covered entity's obligation with respect to accounting for disclosures. While the Privacy Rule currently excepts from the accounting requirement those disclosures of PHI made for purposes of treatment, payment and health care operations, under the HITECH Act, if a covered entity uses or maintains an EHR, this exception does not apply to disclosures of that EHR.
  - While the covered entity must account for disclosures of EHRs for purposes of treatment, payment and health care operations under the HITECH Act, the reporting period for these disclosures is only the three years prior to an individual's request for an accounting (instead of the six-year Privacy Rule requirement for all other disclosures).
  - The HITECH Act also requires HHS to issue regulations regarding what information must be maintained about each disclosure of an EHR for purposes of treatment, payment or health care operations.
  - The HITECH Act provides for a grace period for compliance with these new accounting requirements, including an extended grace period (until Jan. 1, 2014) for those covered entities who began using EHRs prior to Jan. 1, 2009. For those covered entities who acquire an EHR after Jan. 1, 2009, the new accounting requirements apply to disclosures made on or after the later of Jan. 1, 2011, or the date that the covered entity acquired the EHR.
- Restrictions on Disclosures of PHI. The Privacy Rule currently provides individuals with a right to request a restriction on a covered entity's use or disclosure of PHI for purposes of treatment, payment or health care operations. Until now, covered entities had no corresponding obligation to agree to that request. However, the HITECH Act imposes a new obligation on covered entities to agree to a requested restriction if the disclosure is to a health plan for purposes of payment or health care operations and the PHI relates to a health care item or service for which the health care provider has been paid out of pocket in full.
- Access to PHI. The HITECH Act requires that in order to fulfill its obligation to provide access to PHI under the Privacy Rule, any covered entity who uses or maintains an EHR must provide an individual with a copy of such information in electronic format or, at the individual's request, transmit the information directly to a person or entity designated by the individual. The covered entity may still impose a fee for access consistent with the Privacy Rule's requirements, but for providing access under the HITECH Act, the fee must be limited to the covered entity's labor costs in responding to the request.
Increased Enforcement and Penalties
The HITECH Act seeks to put more teeth in HIPAA enforcement efforts by increasing civil penalties for HIPAA violations and, in certain cases, requiring formal investigations. These changes appear to respond to charges that the Centers for Medicare and Medicaid Services ("CMS"), which enforces the Security Rule, and the HHS Office for Civil Rights ("OCR"), which enforces the Privacy Rule, have been less than rigorous in enforcing HIPAA. In October 2008, these charges took the form of a report from the HHS Office of Inspector General ("OIG") that took CMS to task for ineffective and incomplete enforcement of the Security Rule. In the report, OIG charged that CMS' approach to Security Rule enforcement left "significant vulnerabilities" undetected with respect to electronic medical records at U.S. hospitals.
- The HITECH Act requires the Secretary of HHS to formally investigate any complaint of a violation of HIPAA if a preliminary investigation indicates a possible violation due to willful neglect, and to impose civil penalties for these violations.
- The HITECH Act also allows state Attorneys General to bring civil actions in federal court on behalf of the state's residents when the Attorney General has reason to believe that an interest of one or more residents has been threatened or adversely affected by a person who violates HIPAA. The Attorney General may bring the case to enjoin further action or to obtain damages on behalf of the resident(s). An Attorney General bringing a civil action under HIPAA must give HHS prior written notice of the action, and HHS will have the opportunity to intervene in the action. If HHS brings an action against a person under HIPAA, then no Attorney General may bring an action against the person with respect to the same HIPAA violation while the HHS action is pending.
- Any violation of the HITECH Act is subject to HIPAA civil and criminal penalties.
- The HITECH Act also creates a tiered approach to civil monetary penalties for violations of HIPAA and the HITECH Act that went into effect immediately upon the law's enactment. The new tiers are as follows:
  - If the person did not know (and by exercising reasonable due diligence would not have known) that he or she violated the law, the penalty shall be at least $100 for each violation not to exceed $25,000 for all such identical violations during a calendar year, but may be no more than $50,000 for each violation not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.
  - If the violation was due to reasonable cause and not to willful neglect, the penalty shall be at least $1,000 for each violation not to exceed $100,000 for all such identical violations during a calendar year, but may be no more than $50,000 for each violation not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.
  - If the violation was due to willful neglect AND the violation was corrected, the penalty shall be at least $10,000 for each violation not to exceed $250,000 for all such identical violations during a calendar year, but may be no more than $50,000 for each violation not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.
  - If the violation was due to willful neglect and was not corrected, the penalty shall be at least $50,000 for each violation not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.
- The HITECH Act requires all civil monetary penalties collected as a result of privacy or security violations to be transferred to OCR to be used for purposes of enforcing the Privacy and Security Rules.
- The HITECH Act also requires the United States Comptroller General (who heads the Government Accountability Office, "GAO") to issue a report to HHS by Aug. 17, 2010 (18 months after the law's enactment), that includes recommendations for a methodology under which an individual who is harmed by a HIPAA violation may receive a percentage of the civil monetary penalty collected with respect to that violation. Based on this GAO report, the HITECH Act requires the Secretary of HHS to issue regulations by Feb. 17, 2012, setting forth a methodology under which the individual harmed may receive a percentage of the civil monetary penalties collected.
- Significantly, the HITECH Act resolves a point of longstanding confusion in the industry by clarifying that persons who are not covered entities (but who may be employees of covered entities or other individuals) may be found to have violated HIPAA if the PHI is maintained by a covered entity and the person obtained or disclosed such information without authorization.