A portion of the new economic stimulus bill, called the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), will have a significant impact on employers that sponsor group health plans. The HITECH Act effectively mandates that group health plans secure protected health information (“PHI”) of plan participants by using a technology or methodology to be specified by guidance later this month. Plan sponsors that fail to bring their group health plans into compliance are at risk for enforcement actions, large penalties, class action lawsuits, and injuries to reputation. By any measure, this is the toughest federal law ever enacted to regulate employee benefit plans.
The HITECH Act, which amends the privacy and security regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), creates the following new risks and penalties:
- Notice to individuals and media outlets. If unsecured PHI is “accessed, acquired, or disclosed” by or to an unauthorized person, a detailed notification of the breach must be provided to each affected individual and to the Department of Health and Human Services (“HHS”). If the breach affects more than 500 residents of the same state, notice must be published in prominent media outlets serving that state. If the breach affects smaller numbers of individuals and 10 or more of those individuals cannot be located, then in most cases, notice must be posted in major print media. Such notifications may increase the risk of class action lawsuits under state privacy laws. Plans can avoid these breach notification requirements by securing PHI using a technology or methodology to be specified by HHS guidance.
- Penalties for violations. If HIPAA or the HITECH Act is violated due to willful neglect, HHS may be required to assess a penalty in the amount of $50,000 per violation, with no maximum penalty for multiple violations. The term “willful neglect” is not defined, but arguably that standard will apply whenever there is a failure to adopt safeguards and procedures required by law. Lesser penalties may be imposed where the violation does not result from willful neglect, or is corrected within 30 days of the date it is discovered (or should have been discovered).
- Enforcement. The Secretary of HHS is required to fully investigate cases if an initial investigation of a complaint indicates possible willful neglect. Regulations to be issued within 3 years will allow harmed individuals to share in penalties collected under the Act, which should increase the likelihood and frequency of complaints. State Attorneys General may also sue under the HITECH Act to obtain an injunction or damages of up to $25,000, increasing the likelihood of uneven interpretation of the law.
Plan sponsors should act quickly to limit their exposure under the HITECH Act. While many of the provisions are subject to guidance that will be issued over the next three years, there are steps that can and should be taken now. Below is a group health plan “to do” list to help keep you on track:
- Review HHS guidance expected by mid-April 2009 on the technologies or methodologies that make PHI unusable, unreadable or indecipherable to unauthorized individuals (i.e., so that it is no longer “unsecured” PHI) and consider implementing.
- If you do not adopt the technologies or methodologies that make PHI unusable, unreadable or indecipherable to unauthorized individuals, you must comply with new notification rules for any breach of such “unsecured PHI” effective 30 days after notification regulations are issued (regulations are due by August 16, 2009, so notification requirements will apply no later than September 15, 2009).
- Review HHS guidance expected by January 1, 2010 (and to be updated annually) on the most effective and appropriate technical safeguards for protecting electronic PHI and consider implementing.
- Comply with new HITECH requirements regarding the minimum necessary PHI that may be used and disclosed (including disclosure to the plan’s business associates) effective February 17, 2010 (further HHS guidance expected by August 17, 2010).
- Effective February 17, 2010, agree to individual requests for restrictions on disclosure of PHI to the plan for purposes of payment or health care operations if the PHI relates to an item or service for which the individual paid in full out-of-pocket.
- Comply with new marketing restrictions effective February 17, 2010.
- Abide by new rules restricting the sale of PHI beginning no later than February 17, 2011, depending on when regulations are issued.
- Review future HHS guidance on applicability of new requirement to log disclosures of PHI made for treatment, payment and health care operations through an electronic health record effective January 1, 2011 or January 1, 2014 (depending on when the records were acquired).
- If the plan uses electronic health records, individuals must be permitted to receive access to PHI in an electronic format and to direct it to be sent to another person or entity effective February 17, 2010.
- Do an inventory of business associates. HITECH specifically provides that business associates include data transmission service providers.
- Amend business associate agreements by February 17, 2010 to reflect the new privacy and security requirements.
- Amend the HIPAA privacy and security amendment to each group health plan to reflect the new requirements (e.g., minimum necessary disclosure to the plan sponsor).
- Update HIPAA privacy policies & procedures to reflect the new privacy requirements (recommended by February 17, 2010 and as needed as additional guidance is issued).
- Update HIPAA security policies & procedures to reflect the new security requirements (recommended by February 17, 2010 and as needed as additional guidance is issued).
- Update HIPAA privacy notice to reflect new privacy requirements (recommended by February 17, 2010).
- Update HIPAA authorization if PHI will be disclosed for marketing purposes (by February 17, 2010) or sold for certain purposes (beginning no later than February 17, 2011, depending on when regulations are issued).
- Conduct privacy and security workforce training as new guidance is issued.