On February 17, 2009, President Obama signed into law the American Recovery and Reinvestment Act of 2009 ("ARRA" or the "Act"). The Act is intended to stimulate the U.S. economy through unprecedented funding measures, including in the area of health information technology. As part of the safeguards to protect personal health information, ARRA also makes a number of significant changes to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") Privacy and Security Rules, including expanding the scope of entities that must comply with HIPAA and requiring those that are covered under HIPAA to comply with security breach notification requirements that exceed existing state laws. As such, ARRA will affect most healthcare providers and many of their business partners. To a more limited extent, it will also affect most employers because employer-sponsored health plans are usually covered entities under HIPAA, and therefore, subject to the new requirements under the Act. Some of the key changes in ARRA are summarized below. 

  • Business Associates Now Covered Under HIPAA. ARRA expands the HIPAA Privacy and Security Rules to apply directly to business associates. Previously, business associates were only indirectly required to comply with certain HIPAA provisions by virtue of their contracts with covered entities. ARRA makes them subject to all of the HIPAA requirements including, for example, the possibility of civil and criminal enforcement, government audits and requests for access or an accounting by patients. ARRA also specifically requires covered entities and business associates to update their existing business associate agreements to address the expanded requirements. In order to fulfill their new obligations, business associates will also have to ensure that other third parties with whom they may subcontract or otherwise share personally identifiable information from covered entities can comply with requirements similar to those contained in the HIPAA Privacy and Security Rules.
  • Regional Health Organizations and Others Are Business Associates. ARRA confirms that health information exchange organizations, regional health information organizations, e-prescribing gateways and other third parties that contract with covered entities for purposes of facilitating personal health records to patients are business associates. As such, those organizations must comply with the HIPAA Privacy and Security Rules as well as the expanded obligations under ARRA that apply to business associates.
  • Security Breach Notification Requirements Expanded. ARRA also creates much broader security breach notification requirements for covered entities, business associates and other third parties involved in healthcare than those that currently exist under the state security breach notification laws. Under ARRA, and with very limited exceptions, covered entities must notify each U.S. resident whose "unsecured" (essentially, unencrypted) personally identifiable information is subject to unauthorized access. Currently, only California's security breach notification law requires notification to affected individuals in situations where the individual's identifiable (and unencrypted) medical records or health insurance information is subjected to unauthorized access. The remaining states require disclosure only where a person's name in combination with their unredacted and unencrypted Social Security number, credit card number or driver's license number is subject to unauthorized access. ARRA's notification provisions also apply to identifiable patient information in any format, whereas many states limit their disclosure laws to information in (or derived from) electronic format. ARRA requires notification within 60 days of the date the organization becomes aware of the breach (or reasonably should have become aware), with very limited exceptions for law enforcement purposes. The notification letters must include specific categories of information described in ARRA, and mailing must take place in accordance with new requirements (with very limited possibilities for sending notifications via email). If the breach involves more than 500 individuals, the covered entity must also report the breach to the media and notify the Secretary of Health and Human Services (HHS) immediately. The Secretary of HHS is required to post all breaches on a public website, something which few states currently do.
The ARRA breach notification requirements "temporarily" apply to vendors and other non-covered entities handling personal health information, with the instruction that the U.S. Federal Trade Commission (FTC) will issue similar "final" requirements within 180 days of the enactment of ARRA. Since those entities generally do not fall under HHS's jurisdiction, they are required to report breaches to the FTC rather than HHS so that the FTC can coordinate with HHS. Significantly, ARRA does not preempt state security breach notification laws, which means that those laws continue to remain in effect. Some of those laws require additional reporting obligations, such as reporting to state attorneys general and various other state agencies, use of specific forms and other requirements for content. A few states such as Florida and Vermont have more restrictive time limits for issuing the notification letters.
  • New Restrictions on Marketing and Healthcare Operations Under HIPAA. ARRA limits the permissible marketing practices of covered entities (without a valid patient authorization) to a subset of those that were previously allowable under the HIPAA Privacy Rule. For example, under the existing HIPAA Privacy Rule, a valid patient authorization is not required for manufacturers to pay a physician or pharmacy to send prescription refill reminders to patients or to recommend alternative medications. Under ARRA, these types of activities constitute marketing and are no longer permitted without a valid authorization. There are also additional restrictions on disclosures of patient information to health plans if the patient objects to the disclosure and pays for the medical care in full. In addition, ARRA confirms that the amount of information that can be provided, even in permissible situations, must be limited to the minimum necessary or to a limited data set, and provides that additional guidance will be issued to define these terms beyond the limited information in the HIPAA Privacy Rule.
  • New Requirements for HIPAA Accounting Logs and Patient Access Rights. ARRA also contains certain new requirements for HIPAA accounting logs. The requirements are expanded to include information that was previously not required, such as disclosures for treatment, payment or health care operations and security breaches involving fewer than 500 persons. In terms of new individual access rights, there are requirements for covered entities to provide access to personally identifiable information maintained by their business associates, or, alternatively, identify each business associate for the individual to seek access directly. There are additional requirements with regard to electronic access and the fees that may be charged for producing a copy of the individual's record.
  • Expanded Enforcement and Penalties. ARRA expands the scope of parties permitted to file claims for HIPAA violations to include state attorneys general, and allows them to recover legal fees. It also requires the Secretary of HHS to establish a methodology by which individuals who are affected by the mishandling of their data may receive a percentage of the civil monetary penalties imposed against the violator. ARRA also confirms that organizations found to be in "willful neglect" of the HIPAA Privacy or Security Rule must pay civil monetary penalties, and clears up any confusion about the ability of HHS to hold individuals criminally liable if they use or disclose protected health information in an unlawful manner. Previously, it was unclear whether such individuals, for example hospital employees who access celebrity records for personal reasons, could be criminally prosecuted under HIPAA. There is also a new tiered approach to civil monetary penalties, with the highest penalties for those found to be in "willful neglect."
  • Requirements for HHS Audits and Public Reporting of Enforcement. ARRA requires the Secretary of HHS to conduct periodic audits to ensure that covered entities and business associates are complying with the HIPAA Privacy and Security Rules as well as the new requirements in the Act (e.g., breach notification). The Secretary is also required to post on the HHS website information about complaints, audits, fines and other enforcement actions taken.
  • Varying Effective Dates For the New Requirements. Most of the new privacy and security requirements become mandatory one year after the effective date of ARRA, namely on February 17, 2010. However, some of the provisions become effective earlier including, for example, the new restrictions on sales and marketing and the expanded breach notification requirements. Those provisions become effective 30 days after additional guidance is issued. There is a 180-day limitation on the issuance of those guidance documents, so presumably, those provisions will become mandatory on or before August 17, 2009. Significantly, the new enforcement provisions in the privacy and security section became effective immediately upon passage of the Act.

In summary, ARRA creates significant changes to the privacy and security requirements for covered entities, business associates, and certain third parties who help facilitate personal health records. Since some of the changes will take time to implement, it is worthwhile for organizations to begin the process of identifying and implementing these changes in the near future.