After years of debate with little progress, a new Health Insurance Portability and Accountability Act (HIPAA) era has become a reality through the economic stimulus legislation. As part of the American Recovery and Reinvestment Act of 2009, Congress has created a wide range of new incentives for health care providers to develop and utilize electronic medical records. While there had been a substantial debate about whether such incentives (or the use of electronic medical records in general) required changes to the HIPAA privacy and security rules, that debate has now ended.
New Statutory Requirements
In fact, this legislation now imposes the most significant set of privacy and security changes for the health care industry and its business partners since the initial adoption of the HIPAA Privacy Rule. These changes go far beyond any issues related to electronic medical records—by providing substantial new authority for enforcement and significant additional penalties for HIPAA violations, extending the effective reach of HIPAA coverage to business associates, changing certain use and disclosure rules and creating additional individual rights. While debate will continue—and many of the provisions require additional rulemaking activities—the health care privacy world is changed substantially by these new legislative provisions. Health care companies across the board—and all of the companies that provide services to the health care industry—must pay close attention to these new rules, and should begin developing strategies to meet their requirements and deal with a substantially stronger enforcement environment.
What Are the Key Provisions of the Legislation?
It was widely anticipated that the Obama Administration would be more aggressive about HIPAA enforcement than its predecessor. Independent of this inclination, the new legislation creates significant new tools for aggressive enforcement of the HIPAA rules. Over the course of the next few years, we can expect these changes to produce a fundamental shift in the overall enforcement of the HIPAA Privacy and Security Rules.
First, the legislation increases substantially the penalties that may be imposed for violations of the rules, from the current high of $25,000 to as much as $1.5 million. Fines are mandatory in situations involving "willful neglect." Some of these new penalty amounts may even be paid to "harmed" individuals in the future.
Second, state Attorneys General (AGs) now have clear and explicit authority to enforce the HIPAA rules. While state AGs have initiated HIPAA-related actions in the past, relying on their inherent authority to act to protect citizens of a state, this new provision effectively creates a parallel enforcement environment for violations. On the one hand, this enforcement is limited in meaningful ways, mainly in terms of amounts that can be sought by the state AGs. On the other hand, however, this approach creates realistic risks of differing standards and inconsistent action from state to state. Moreover, while the Department of Health and Human Services (HHS) Office of Civil Rights is severely constrained by the detailed procedures of the HIPAA enforcement rule, it is not at all clear that the state AGs are bound by these procedural protections.
Third, correcting what many saw as an oversight in the current HIPAA provisions, the legislation now permits enforcement actions against individuals employed by health care entities. Even though the Department of Justice has creatively pursued a limited number of criminal cases against individual employees (mainly where identity theft, health care fraud or some other serious criminal activity is combined with the HIPAA issue), the new legislation creates broader and more explicit authority for enforcement against individuals.
Security Breach Notification
At the same time that enforcement actions are given new strength, the legislation also creates a new federal security breach notification requirement for the health care industry, mandating that most breaches be reported not only to affected consumers but also to the government, and even to the media in some situations.
This new breach reporting requirement becomes the first significant national reporting statute. It is much broader than virtually all of the state notification laws. This provision creates a new notification standard for the health care industry—whether the breach has anything to do with an electronic health record or not. While there clearly are open questions about details of the legislation, this provision is broader than most relevant state notification laws, because it (1) applies to breaches involving any kind of personal information held by health care companies (rather than only specific categories—such as Social Security Numbers), and (2) does not include any "risk of harm" threshold. Therefore, this provision will require reporting of a wide range of security breaches, regardless of the sensitivity of the information involved or the degree of risk that harm will result from the breach.
For the health care industry at large, this breach notification requirement may be the single most significant new requirement of this legislation—and the one that is likely to affect a large number of companies most quickly and publicly. Because the notice requirement applies only to "unsecured" information, this legislation also may accelerate the movement toward encryption of a wider range of health care data.
As with many of the state laws, the obligation of a "business associate" under this statute is to report a breach to the covered entity—much like the current reporting structure for "security incidents" under the Security Rule. Because there are some complexities about the timing of this reporting, covered entities should consider whether to put specific timing obligations for reporting into their business associate agreements.
This provision will be applicable for breaches that occur 30 days or more after the implementing regulation is issued—which regulation is required to be issued within 180 days of passage of the law. So, this requirement will take effect before most of the others.
Extension of HIPAA Requirements to Business Associates
Another requirement that will generate enormous work for the health care industry and its business partners arises from a series of provisions that essentially extend full compliance responsibility for the HIPAA Privacy and Security Rules to the business associate category—the companies that provide services to the health care industry. Today, these vendors must sign a contract with their health care clients that extends certain HIPAA provisions by contract to the business associate. The new provisions will obligate these business associates by law to follow all HIPAA provisions, rather than just the handful previously required to be included in business associate contracts. Again, this requirement is not limited to electronic health records. It clearly extends HIPAA coverage to most business associates, whether they have anything to do with electronic health records or not.
Accordingly, coupled with the new enforcement provisions, the risks for business associates are now magnified substantially. For health care-covered entities, these rules also create an apparent large-scale obligation -- the need to revise all existing business associate contracts to incorporate these new requirements. Health care companies -- with full memory of the difficulties of compliance with the initial HIPAA business associate contracting requirements in 2003 -- should promptly begin to develop model language and an approach to overall modification of thousands of business associate contracts.
Restrictions on Sharing Health Care Information for Self-Pay Situations
The new law also creates some potential fraud concerns. One new provision permits individuals to request of their health care provider that the provider not disclose information to an insurer for payment or health care operations purposes, if the patient has paid for the service out of pocket. While there are no direct compliance obligations for health plans (and only limited responsibilities for health care providers), health plans will need to analyze how these provisions could impact their claims payment and underwriting activities, as this provision does nothing more than permit individuals to hide information from their insurers. The challenge will be to identify how this kind of action could encourage or facilitate fraud or other inappropriate activity by the patient, and develop appropriate countermeasures.
Limited Data Sets and Minimum Necessary
Although more restrictive provisions were rejected, the legislation begins to take steps toward redefining some of the core uses and disclosures permitted under the Privacy Rule. The legislation mandates that HIPAA-covered entities examine "to the extent practicable" whether a "limited data set" can be used for the disclosure of health care information. A limited data set is, essentially, health care information that has been almost (but not quite) de-identified. While there are no particular details to this component of the legislation, it appears to insert a new administrative step for all uses and disclosures—to determine whether a limited data set could be used. Clearly, most uses and disclosures of information involve an individual—the typical claims submission/claims payment transaction, for instance. Covered entities will need to expend little effort to determine that a limited data set cannot be used for such purposes. However, covered entities will need to expand their procedures for considering whether limited data sets may be appropriate for other disclosures.
Next, if a covered entity determines that it cannot use a "limited data set," the legislation mandates that the covered entity follow the "minimum necessary" rule. Obviously, this rule is in place today, so the primary effect of this provision will be to dictate de facto a re-evaluation of current minimum necessary practices. On a more troubling note, the legislation also requires HHS to initiate rulemaking in the future—including an evaluation of whether there is a category of disclosures for which a limited data set should be required for a disclosure to be permitted without an authorization, and for the particular information that is the "minimum necessary" in specific situations. While it is hard to see how HHS will develop a "one size fits all" minimum necessary standard suitable for all specific treatment or payment purposes, regardless of the situation or the company involved, the legislation requires that HHS issue this guidance within 18 months of the passage of the legislation.
The Accounting and Access Rules
While most of these new provisions are not limited to electronic health records, two specific components are confined to situations in which an electronic health record is used. Nothing in the legislation pretends to reconcile the apparent contradiction in creating new legal obligations at the same time that it is creating incentives to utilize these records.
First, the legislation expands the (so far) little-used accounting rule. If a company uses an electronic health care record, it now will have to track for accounting reasons all disclosures of information for treatment, payment and health care operations purposes. This will be a significant expansion in the overall burden for health care companies—but only if they use an electronic health record. The assumption of the legislation appears to be that electronic health records will have easy means of tracking these disclosures, but that clearly is not the case today with all (or even most) electronic health records.
In addition, the individual right to access is expanded by this legislation, again where an electronic health record is used. While this access provision is more limited and less burdensome than the accounting provision, it is another example of imposing new obligations on companies that undertake to create and use electronic health records.
The legislation also alters the substance of the marketing provisions of the HIPAA Privacy Rule. First, the legislation clarifies that "marketing" communications will be considered "health care operations" only if they meet the specific criteria set forth in the Rule. As with certain other provisions (such as the minimum necessary provision), this seems to be simply a restatement of the existing regulation. Beyond this provision, however, the legislation requires an authorization even for communications that were permitted by the HIPAA Privacy Rule, if the covered entity receives "direct or indirect" payment for the communication. While the clear intent of this provision is to cut back on "paid" marketing communications, the most likely impact will involve a statutory ambiguity -- what constitutes "indirect" payment for a communication. Covered entities should evaluate promptly their ongoing marketing programs, to determine whether there are situations where payment arguably is involved.
Personal Health Records Issues
While the privacy provisions clearly were driven by the push for electronic medical records (even though most provisions are not limited to electronic health records), the legislation also punts on one of the key HIPAA "gaps" that has emerged in the health care field in recent years—the role under HIPAA of personal health records and the vendors that offer personal health records products, most of which are outside the current HIPAA structure. Rather than creating specific rules for these entities, Congress has dictated a study of personal health records issues going forward, to identify appropriate rules. It also created a "temporary" security breach notification standard for these entities.
State Law and Privileges
The legislation does nothing to alter the current "preemption" status of the HIPAA Rules. Essentially, state laws will continue to govern if they are "more stringent" than the relevant HIPAA provision. While many electronic health record advocates have identified state law disparities as a significant hurdle to widespread adoption of electronic health records, this legislation does nothing to "fix" this problem. Instead, it preserves the status quo. Moreover, by focusing attention on specific state law "privileges," the legislation may in fact exacerbate this problem. For example, in certain recent cases, state law "physician-patient privileges" have been used to stonewall health care fraud investigations, where HIPAA would have permitted the relevant information about the fraud perpetrated by a health care provider to be disclosed. This preemption issue will continue to create confusion and concern across the health care industry.
Most of the provisions of this legislation take effect 12 months following enactment; however, the increased penalties for HIPAA violations essentially are effective with the enactment of the statute. There also are various requirements for the issuance of new regulations on specified timetables, often with separate effective dates, depending on when a regulation is issued. The breach notification provision is effective for breaches that take place 30 days or more after the issuance of the HHS implementing rule, which is required to be issued within 180 days of passage of the legislation. As the HIPAA legislation implementation progresses and companies analyze their obligations, it will be important to focus attention on the required timetable for bringing a health care company into compliance with these new requirements.
This legislation creates an entirely new environment for health care privacy and security. Enforcement will be more significant and more substantial. Security breaches—even those without any discernible risk of harm—will be more broadly publicized across the country. And companies face a variety of new requirements that will affect their day-to-day operations. Three challenges stand out from the rest:
Developing a Business Associate Contracting Strategy
Without any articulated rationale, the legislation appears to require that all business associate agreements be amended to incorporate the new requirements imposed by the legislation. Those who went through the 2003 business associate contracting process may remember this was an enormous task, where volume concerns often predominated over substance. Here, with the required addition of certain terms, health care companies essentially must revisit and renegotiate their overall business associate portfolio. Accordingly, it will be critical to promptly develop an overall strategy for revising existing and establishing new business associate arrangements.
Upgrading Overall Compliance
The second challenge is more contextual. There are significant new requirements in this legislation. More importantly, however, we can expect a significantly enhanced enforcement environment. Accordingly, covered entities need to focus attention on overall compliance—because the enforcement risks if something goes wrong are now much greater. Companies should be re-evaluating their HIPAA privacy and security plans, focusing on high-risk areas and other areas where companies (including peers and competitors) have had problems.
Developing a Broader Breach Notification plan
Similarly, virtually all health care companies have "breaches" that will trigger notification under these new provisions. Most of these "breaches" cause no harm and present no risk of harm. Under today's HIPAA rules, such a company is required to take steps to mitigate potential harm, and to evaluate whether changes need to be made to prevent future problems, but often nothing significant is done in response to many minor breach events. Now, these breaches will require notification -- to patients, customers, the government and perhaps the media. This places a much higher priority not only on effective security strategies to prevent breaches, but also on an effective breach notification and mitigation plan.
The new legislation is only a first step—and lots of questions still remain unanswered—but it is clear that these new provisions have significantly altered the overall health care privacy and security environment. Health care companies and their business partners need to begin studying these provisions promptly, and to develop appropriate strategies to ensure compliance and mitigate the growing risk of security and privacy enforcement.