The Health Information Technology for Economic and Clinical Health Act (the "HITECH Act"), which was enacted as part of the American Recovery and Reinvestment Act of 2009,[1] made several significant amendments to the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder ("HIPAA"). Many of these HITECH Act amendments to HIPAA have significant consequences for "Covered Entities," which are defined as (i) health care providers that transmit patient information electronically, (ii) health plans (which include employer-sponsored employee welfare benefit plans and self-insured health care plans offered by an employer to its employees), and (iii) health care clearinghouses.[2] Most of the amendments to HIPAA become effective on February 17, 2010, which means that deadlines are fast approaching.

Specifically, the HITECH Act will have the following practical and legal effects on Covered Entities: (i) require revisions to their HIPAA Policies and Procedures, (ii) require revisions to their HIPAA training programs for employees and/or re-training of current employees, (iii) impose enhanced duties and responsibilities on the Covered Entity's Privacy and Security Officer, (iv) require amendments to, and/or renegotiation of, Business Associate Agreements, and (v) require improved physical, technical and administrative safeguards to protect an individual's protected health information ("PHI").[3] On a more global level, Covered Entities need to be aware of the consequences of an increasingly stringent enforcement environment, and will need to evaluate how their policies, procedures and actions relating to privacy, security and breach incidents stand up to regulatory, judicial and public scrutiny.

The following is a summary of the provisions of the HITECH Act that affect Covered Entities' privacy and security practices and obligations.

Breach Notification

The HITECH Act requires that Covered Entities notify individuals whose "unsecured" PHI has been, or is reasonably believed to have been, acquired, accessed, used or disclosed in a manner that compromises the security, privacy or integrity of the PHI.[4] In August 2009, the Secretary of the Department of Health and Human Services (the "Secretary" and "HHS"), issued regulations clarifying the breach reporting obligations and providing guidance on the meaning of "secured" and "unsecured" PHI (the "Breach Notification Rules").[5] In addition to notifying individuals in the event of a breach, Covered Entities must report breaches to the Secretary, and in some instances, the media. [6]

"Unsecured" PHI is PHI that is "not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary."[7] This requirement applies to both hard copy and electronic forms of PHI. The Secretary will issue annual guidance on appropriate methods and standards of encryption that will apply to Covered Entities and Business Associates.[8] The Secretary issued its first annual guidance on April 17, 2009.[9] A breach that "compromises the security or privacy of the [PHI]" has its own definition, which is that such breach "poses a significant risk of financial, reputational, or other harm to the individual."[10] This risk of harm standard requires that a Covered Entity undertake a risk assessment in the event of a breach, and based upon the assessment, determine in good faith whether it is necessary to notify the individual of the breach. Each Covered Entity should amend its existing HIPAA Privacy and Security Policies as soon as possible to provide for the risk assessment process and the security breach notification requirements, and must provide training to its workforce on these amended policies and procedures.[11]

Effective Date: Pursuant to the Breach Notification Rules, Covered Entities are required to report breaches that are discovered after September 23, 2009. However, the Secretary stated in its comments to the Breach Notification Rules that HHS "will use [its] enforcement discretion to not impose sanctions for failure to provide the required notifications for breaches that are discovered before 180 calendar days from the publication [of the HHS regulations],"[12] so enforcement was delayed until mid-February 2010.

Increased Responsibilities for Accounting of Disclosures of PHI

The HITECH Act expands an individual's right to obtain an accounting of disclosures of his or her PHI, thereby expanding the Covered Entity's obligations to account for disclosures of PHI. HIPAA requires that Covered Entities keep a log of disclosures of an individual's PHI. However, there is a sizeable exception to this requirement under HIPAA in that Covered Entities are not required to account for disclosures of PHI that are made for purposes of treatment, payment and health care operations. Under the HITECH Act, this exception is not available to Covered Entities for disclosures that are made through electronic health records ("EHRs").[13] Therefore, Covered Entities that use EHR must be able to account for disclosures of PHI made through EHRs in the course of treatment, for purposes of obtaining payment, or in connection with other health care operations. This change will require amendments to a Covered Entity's existing HIPAA Privacy Policies, and will also require that the Covered Entity ensure that its EHR system is capable of tracking such disclosures.

While HIPAA requires that Covered Entities be able to account for disclosures made within the six years prior to the individual's request for an accounting, the HITECH Act only requires that Covered Entities provide an accounting of disclosures of PHI from EHRs for purposes of payment, treatment and health care operations that occurred within the three years prior to the request.

Effective Date: The effective date of the new accounting requirement depends upon the date on which the Covered Entity itself adopts an EHR system. If a Covered Entity acquired an EHR system prior to January 1, 2009, that entity must account for disclosures made for payment, treatment and health care operations purposes on and after January 1, 2014.[14] Covered Entities that adopt EHR systems after January 1, 2009, must track and account for disclosures of PHI from EHRs that are made for payment, treatment and health care operations purposes on and after the later to occur of January 1, 2011, or the date on which the Covered Entity begins to use EHRs.[15]

Increased Individual Rights with Respect to Accounting of Disclosures and Restrictions on Disclosures

Under HIPAA, a Covered Entity is required to provide an individual with access to his or her PHI. The HITECH Act broadens this requirement in the context of EHRs, and requires that a Covered Entity that uses EHRs must provide an individual with a copy of his or her PHI in electric format.[16]

HIPAA permits individuals to request restrictions with respect to the disclosure of their PHI. However, prior to the HITECH Act, Covered Entities were not obligated to comply with such request. Under ARRA, Covered Entities must abide by an individual's requested restriction if the restriction (i) relates to disclosures to a health plan for payment and/or health care operations, and (ii) the PHI relates to a health care service or product that for which the individual has paid out of pocket and in full.[17]

These new individual rights should be added to the Covered Entity's HIPAA Privacy Policies so that the Covered Entity workforce understands how to respond to individual requests for copies of PHI and/or requests for restrictions on the disclosure of PHI.

Effective Date: The effective date of these new individual rights is February 17, 2010.

Limitations on the Use and Disclosure of PHI

Marketing

HIPAA states that a communication from a Covered Entity to an individual that encourages the individual to purchase products or services is part of its health care operations, and not marketing, if (i) the communication describes a health-related product or service that is provided by, or part of the plan of benefits offered by, the Covered Entity, (ii) is for the treatment of the individual, or (iii) is for case management, coordination of care, or recommends alternative treatments, therapies, and/or providers. The HITECH Act further restricts the marketing exclusion by providing that to the extent that a Covered Entity receives compensation for such communication, and unless the communication fits certain specific requirements, the communication is not considered a health care operation but rather a marketing activity.[18] The consequence of these communications being considered marketing activities is that the Covered Entity must obtain the patient's authorization prior to sending the marketing communication.

Effective Date: This requirement becomes effective as of February 17, 2010.[19]

Sale of EHRs and PHI

The HITECH Act prohibits the sale of EHRs or PHI by a Covered Entity without the individual's express authorization. The following is a list of the limited purposes for which a Covered Entity can receive remuneration for EHRs and PHI without a prior written authorization from the individual: (i) public health activities, (ii) research, (iii) treatment, (iv) sale, transfer, merger or consolidation with another Covered Entity, and the due diligence associated with such transaction, (v) providing a Business Associate with remuneration under a Business Associate Agreement, and (vi) providing an individual access to his or her PHI. The Secretary is required to promulgate regulations regarding the implementation of this provision.

Effective Date: This provision is to become effective six months after the date on which the final regulations are issued, but as of the date of this Alert, such regulations have not yet been issued.[20]

Fundraising

Under the HITECH Act, the Secretary is required to promulgate a rule that all written fundraising communications must give the recipient the option to opt out of any future fundraising communications.[21] To date, the Secretary has not promulgated such regulations. The HITECH Act states that this requirement shall become effective on or after February 17, 2010.[22] Presumably, the effective date will be specified in the Secretary's regulations when they are issued.

Guidance on Minimum Necessary

Under HIPAA, a Covered Entity is required to limit disclosure of PHI to only an amount and type that is the "minimum necessary" to accomplish the purpose underlying the disclosure. There has been confusion in the Covered Entity community as to the standards by which to determine what constitutes the "minimum necessary" PHI. The HITECH Act requires the Secretary to issue guidance on the "minimum necessary" standard by August 17, 2010.[23] When the Secretary issues this guidance, Covered Entities will need to update their HIPAA Privacy Policies to reflect the new "minimum necessary" standard.

Increased HIPAA Enforcement and Penalties

Compliance Audits and Investigations

The HITECH Act authorizes the Secretary to conduct periodic compliance audits of Covered Entities to ensure that they are in compliance with HIPAA, as amended by the HITECH Act.[24] Many facts surrounding these audits are unclear at this time, such as, how frequently the Secretary can conduct the audits on a single entity, whether there will be notice in advance of the audit, and the number of audits that the Secretary will conduct in a year. Some of these uncertainties may be clarified in future regulations.

The Secretary is also required to conduct investigations of alleged violations of HIPAA that are due to "willful neglect" and also required to impose civil penalties for violations that are the result of "willful neglect."[25] These provisions apply to penalties imposed on or after February 17, 2011.[26]

Enforcement of HIPAA by State Attorneys General and Right of Harmed Individuals to Share in Recovered Monies

As of February 17, 2009, the HITECH Act gave State Attorneys General the authority to file suit in federal court against any person or entity that is accused of violating HIPAA in a manner that the Attorney General has reason to believe adversely affected any resident of that Attorney General's respective state.[27]

Furthermore, the HITECH Act grants harmed individuals the right to receive a portion of the civil monetary penalties collected by the government in a HIPAA enforcement action.[28] HIPAA does not contain a private right of action for individuals to bring civil suit for violations of HIPAA, and thus, prior to the HITECH Act, there was no financial incentive for individuals to report HIPAA violations. The opportunity to receive a portion of the civil recovery money may prompt more individuals to become aware of their rights under HIPAA and to report violations that affect them personally.

Increased Civil Penalties

The amount of civil penalties will be increased to amounts ranging from $100 to $50,000 per HIPAA violation. The maximum penalties that can be applied for additional violations in any one year are within a range of $25,000 to $1,500,000. These increased penalties became effective as of February 17, 2009. ARRA creates the following "tiers" of penalties:[29]

  • A violation without knowledge of the violation - $100 per violation, with an annual maximum amount of $25,000 in penalties.
  • A violation that is due to reasonable cause - $1,000 per violation, with an annual maximum amount of $100,000 in penalties.
  • A violation that is due to willful neglect - $10,000 per violation, with an annual maximum amount of $1,500,000 in penalties.

Business Associates Are Directly Subject to HIPAA

Prior to the HITECH Act, "Business Associates" (service providers that receive PHI from, or create or maintain PHI on behalf of the Covered Entity) were not directly subject to HIPAA. Their obligations to comply with HIPAA were a matter of contract between the Covered Entity and the Business Associate. Under the HITECH Act, Business Associates are required to comply with many aspects of the HIPAA Privacy and Security Rules by February 17, 2010,[30] which means that all Business Associates must develop reasonable physical, technical and administrative safeguards to protect PHI, and must implement written policies and procedures with respect to such safeguards. Business Associates will also be subject to certain compliance and reporting requirements. While this aspect of the HITECH Act is certain to have the most dramatic consequences for Business Associates, it is also important that the Covered Entity community be aware of the provisions affecting Business Associates, because such provisions will impact the Covered Entity's relationship with and oversight of the Business Associate. Furthermore, the Business Associate Agreements will need to be amended to reflect the new requirements under the HITECH Act. It is unclear whether existing Business Associate Agreements will need to be amended to reflect this new requirement, or whether the requirement applies only to Business Associate Agreements entered into on or after February 17, 2010. To date, HHS has declined to issue any guidance regarding what is required for existing Business Associate Agreements.

Conclusion

As discussed herein, many of the Covered Entity's HIPAA Privacy and Security Policies and Procedures will need to be amended to reflect the new HITECH Act requirements. Each Covered Entity should also adopt a new policy with respect to detecting breaches of unsecured PHI, conducting a risk assessment regarding such breaches, and the Covered Entity's breach notification obligations to individuals, the Secretary and the media. Covered Entities should be updating their Business Associate Agreements, and taking steps to ensure that their Business Associates are in compliance with the HIPAA Privacy and Security Rules.

The Secretary is expected, and in some cases required, to promulgate regulations with respect to most of the sections of the HITECH Act that have implications for both Covered Entities and Business Associates. It would be wise for Covered Entities to keep an eye out for the impending regulations in order to tailor their compliance efforts appropriately.

Despite the uncertainty surrounding some of the provisions of the HITECH Act that have yet to be clarified by the Secretary, it is certain that the HITECH Act substantially increases the scope and enforcement authority and penalties under HIPAA, which will have significant operational consequences for Covered Entities.