A portion of the new economic stimulus bill, called the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), will have a significant impact on employers that sponsor group health plans. The HITECH Act effectively mandates that group health plans secure protected health information (“PHI”) of plan participants by using a technology or methodology to be specified by guidance in April 2009. Plan sponsors that fail to bring their group health plans into compliance are at risk for enforcement actions, large penalties, class action lawsuits, and injuries to reputation. By any measure, it is the toughest federal law ever enacted to regulate employee benefit plans.

In a nutshell, the HITECH Act, which amends the privacy and security regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), creates the following new risks and penalties:

  • Notice to individuals and media outlets. If unsecured PHI is “accessed, acquired, or disclosed” by or to an unauthorized person, a detailed notification of the breach must be provided to each affected individual and to the Department of Health and Human Services (“HHS”). If the breach affects more than 500 residents of the same state, notice must be published in prominent media outlets serving that state. If the breach affects smaller numbers of individuals and 10 or more of those individuals cannot be located, then in most cases, notice must be posted in major print media. Such notifications may increase the risk of class action lawsuits under state privacy laws.
  • Penalties for violations. If the HITECH Act is violated due to willful neglect, HHS may be required to assess a penalty in the amount of $50,000 per violation, with no maximum penalty for multiple violations. The term “willful neglect” is not defined, but presumably that standard will apply whenever there is a failure to adopt safeguards and procedures required by law. Lesser penalties may be imposed where the violation does not result from willful neglect, or is corrected within 30 days of the date it is discovered (or should have been discovered).
  • Enforcement. The Secretary of HHS is required to investigate cases involving possible willful neglect that arise from preliminary investigation of complaints. Regulations to be issued within 3 years will allow harmed individuals to share in penalties collected under the Act, which should increase the likelihood and frequency of complaints. State Attorneys General may also sue under the HITECH Act to obtain an injunction or damages of up to $25,000, increasing the likelihood of uneven interpretation of the law in all 50 states.

Plan sponsors should act quickly to limit their exposure under the HITECH Act. Many of the provisions are subject to guidance that will be issued over the next three years, but there are steps that can and should be taken now. They include the following:

  • Update business associate agreements. HIPAA requires that transmission of PHI between health plans and third party service providers (“business associates”) be subject to a written contract (a “business associate agreement”). The HITECH Act requires that every business associate agreement be updated to reflect the new privacy and security requirements. In addition, the HITECH Act expands the definition of business associate to include data transmission service providers. Group health plans should identify all service providers, assess whether a business associate agreement is required, and update those agreements accordingly. Because of the enhanced risk of penalties and notification requirements, those agreements should be reviewed by legal counsel.
  • Adopt new safeguards for protected health information. The HITECH Act requires HHS to issue guidance in April 2009 specifying the technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals. Adoption of those standards is not required by law, but any plan that does not use the new standard will be deemed to hold “unsecured” PHI. A breach of “unsecured” PHI will trigger the notice requirements described above. Group health plans should take steps to comply with these requirements as soon as they are made available. Until then, PHI should be secured by other technology or methodology that renders it unusable, unreadable, or indecipherable to unauthorized individuals.
  • Satisfy recordkeeping and administration requirements. Group health plans need to update their HIPAA privacy and security policies and procedures, amend HIPAA privacy notices and conduct workforce training on the new rules. Depending on how the law is interpreted, it may be necessary to adopt new accounting rules to comply with increased individual rights to know how their PHI is disclosed.

The HITECH Act is not the only component of the economic stimulus bill with an immediate impact on employer-sponsored group health plans. Effective March 1, 2009, employees who are involuntarily terminated between September 1, 2008 and December 31, 2009 are eligible for a subsidy equal to 65% of their COBRA premium. Information on these new requirements, along with new special enrollment rules effective April 1, 2009, was presented March 12, 2009 at a Breakfast Briefing entitled New Federal Legislation Affecting Health Plans.

Powerpoint slides and an audio recording of that presentation are available here.