The health information privacy and security requirements of the HIPAA Privacy and Security Rules have been expanded and clarified by the American Recovery and Reinvestment Act of 2009 (ARRA)—the $787 billion economic stimulus package that became law on February 17, 2009. Covered entities—health care providers that transmit electronic transactions regulated by the HIPAA Transactions Rule and all health plans and health care clearinghouses—face intensified obligations to preserve the privacy and security of their “protected health information”—individually-identifiable health information that covered entities or their business associates transmit or maintain.

ARRA also imposes data security breach notification requirements on covered entities and business associates, requires electronic access to protected health information in and accounting for disclosures of protected health information for treatment, payment and health care operations through electronic health records (EHRs), beefs up the civil penalties and clarifies the criminal coverage for violation of HIPAA privacy and security requirements, and authorizes state attorneys general to bring civil actions on behalf of state residents adversely affected or threatened by such violations.

Intensified Privacy Protections

Authorization Required for Paid Communications. Before ARRA, the HIPAA Privacy Rule allowed a covered entity and its business associates to use and disclose protected health information without an individual’s authorization to communicate with the individual (i) about health-related products and services (or payment for such health-related products and services) that the covered entity furnishes or includes in its benefits plans, and (ii) about treatment, case management, care coordination or recommendations regarding alternative therapies, health care providers or care settings for the individual.

Effective February 17, 2010, ARRA narrows this permitted exception from “marketing” by requiring the individual’s HIPAA-compliant authorization if the covered entity is paid directly or indirectly for making the communication (unless the payment is for treatment). A covered entity and its business associates will not need an authorization to make a paid communication about “a drug or biologic that is currently being prescribed” for the individual as long as the payment is “reasonable in amount.”

Authorization Required to Exchange Protected Health Information for Remuneration. Effective six months following issuance of implementing regulations by the Department of Health and Human Services (DHHS), a covered entity and its business associates will be prohibited from exchanging protected health information in return for direct or indirect remuneration, unless the individual whose protected health information is exchanged gives a HIPAA-compliant authorization that specifies that the covered entity may exchange the individual’s protected health information for remuneration. DHHS is directed to issue regulations implementing this prohibition by August 17, 2010.

No authorization will be needed for a covered entity to receive remuneration in exchange for providing protected health information for any of the following purposes:

  • Treatment of the individual
  • Providing a copy of protected health information to an individual who has exercised the right to access the individual’s protected health information
  • Public health
  • Research, as long as the remuneration reflects only the cost to prepare and transmit the protected health information to the researcher
  • Sale, transfer, merger, or consolidation of all or part of the covered entity in a transaction with another covered entity or with an entity that, following the transaction, will become a covered entity
  • Payment to a business associate for activities that involve the exchange of protected health information at the request of and on behalf of the covered entity pursuant to a business associate agreement
  • Such “similarly necessary and appropriate” purposes as DHHS determines in regulations

Restrictions on Disclosures to Health Plans. Before ARRA, the HIPAA Privacy Rule allowed covered entities to decline an individual’s request to restrict disclosure of the individual’s protected health information for treatment, payment or health care operations. Starting February 17, 2010, a covered entity must honor an individual’s request to restrict disclosure of the individual’s protected health information to a health plan for purposes of payment or health care operations, as long as the protected health information to be withheld “pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full.”

Fundraising Opt-Out Notice. ARRA clarifies that, effective February 17, 2010, the opt-out notice, which covered entities must include in their fundraising materials distributed using or disclosing protected health information, “shall, in a clear and conspicuous manner, provide an opportunity for the recipient of the communication to elect not to receive any further such communication.”

De-Identification Guidance. DHHS is to issue guidance by February 17, 2010 on “how best to implement the requirements for de-identification of protected health information.” DHHS is to consult with “stakeholders” in developing this guidance.

Minimum Necessary Guidance. ARRA decrees that, effective February 17, 2010, compliance with the minimum necessary limitation of the HIPAA Privacy Rule will require covered entities and their business associates to use, disclose or request of other covered entities only limited data sets, unless there is need for protected health information with all direct identifiers retained to accomplish the purpose of the use, disclosure or request. If there is need for such protected health information, then only the minimum necessary for the purpose may be used, disclosed or requested.

ARRA also decrees that, when protected health information is disclosed for a purpose to which the minimum necessary limitation applies, the covered entity or business associate making the disclosure must “determine what constitutes the minimum necessary to accomplish the intended purpose of such disclosure.” ARRA thus reverses, effective February 17, 2010, the HIPAA Privacy Rule provisions that allow covered entities and their business associates to reasonably rely on a request for protected health information to be for the minimum necessary when made by (i) another covered entity, (ii) a public official, (iii) a professional who is on the covered entity’s workforce or is the covered entity’s business associate, or (iv) a researcher.

ARRA directs DHHS to issue guidance by August 17, 2010 that explains “what constitutes ‘minimum necessary.’” The guidance must take into consideration (i) “the information necessary to improve patient outcomes and to detect, prevent, and manage chronic disease,” and (ii) the de-identification guidance that DHHS is to issue by February 17, 2010. Once DHHS issues its guidance on the meaning of minimum necessary, ARRA’s minimum necessary provisions will sunset.

Electronic Access to Protected Health Information in EHRs. ARRA requires that, effective February 17, 2010, covered entities that use or maintain EHRs must furnish individuals seeking access to the individuals’ protected health information in EHRs with electronic copies of the individuals’ protected health information in the EHRs. A covered entity may give an individual the option to receive the electronic copy of the individual’s protected health information by transmission to a person or entity that the individual designates.

A covered entity may charge a fee for providing an electronic copy of an individual’s protected health information in an EHR. The fee may be no greater than the covered entity’s “labor costs” in responding to the request for the electronic copy of the individual’s protected health information in the EHR.

Disclosure Accounting for Protected Health Information in EHRs. ARRA adds to the disclosure accounting obligations of covered entities that use or maintain EHRs and their business associates. ARRA requires them to account for disclosures of protected health information made through the EHRs for treatment, payment or health care operations. ARRA thus modifies the HIPAA Privacy Rule provision that excepted disclosures for treatment, payment and health care operations from accounting. Covered entities and their business associates must account for their disclosures for treatment, payment and health care operations through EHRs made during the three years preceding the disclosure accounting request.

Covered entities that had EHRs as of January 1, 2009 must be able to account for disclosures of protected health information for treatment, payment and health care operations through their EHRs made on and after January 1, 2014. Covered entities that do not acquire EHRs until after January 1, 2009 must be able to account for such disclosures made on and after the later of January 1, 2011 or the date after January 1, 2011 on which they acquire their EHRs. DHHS may extend these compliance dates to January 1, 2016 and January 1, 2013, respectively.

DHHS Implementing Regulations. DHHS is required to update the HIPAA Privacy and Security Rules to conform them to ARRA. ARRA sets no deadline for DHHS to make these updates. In the meantime, the provisions of ARRA will prevail over any inconsistent provisions of the current HIPAA Privacy and Security Rules.

DHHS is also required to issue regulations regarding the content of an accounting of disclosures for treatment, payment and health care operations through EHRs. DHHS is to issue these regulations within six months following DHHS’s adoption of technology standards for disclosure accounting for treatment, payment and health care operations through EHRs. ARRA directs DHHS to adopt such standards by December 31, 2009, which means the DHHS regulations for the content of an accounting of disclosures for treatment, payment and health care operations through EHRs should be issued by July 1, 2010.

DHHS Compliance Guidance. DHHS is required to issue guidance at least annually on the “most effective and appropriate technical safeguards” for electronic protected health information. Each DHHS Regional Office must have resources by August 17, 2009 that offer covered entities, business associates and individuals “guidance and education” on their respective rights and responsibilities regarding federal privacy and security requirements for protected health information. The DHHS Office for Civil Rights must develop and maintain by February 17, 2010 “a multi-faceted national education initiative to enhance public transparency regarding the uses of protected health information.” This initiative must include “programs to educate individuals about the potential uses of their protected health information, the effects of such uses, and the rights of individuals with respect to such uses.”

Data Security Breach Notification

ARRA enacts federal data security breach notification requirements for covered entities and their business associates. ARRA directs DHHS to issue regulations by August 17, 2009 that implement these federal data security breach notification requirements. ARRA does not preempt state data security breach notification laws, except for provisions of such state laws that are “contrary” to federal data security breach notification requirements.

Data Security Breach Notification Requirements. Effective 30 days following DHHS’s issuance of the implementing regulations, each covered entity that “accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information” will be required to “notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of” a security breach. A business associate that discovers a security breach in the “unsecured protected health information” it holds, uses or discloses for or on behalf of covered entities will be required to notify the covered entities of the security breach. The covered entities must then notify each individual affected by the business associate’s security breach.

Unsecured Protected Health Information. ARRA defines “unsecured protected health information” as protected health information in electronic, paper or any other medium that is not secured by a technology or methodology that DHHS specifies in guidance as rendering protected health information “unusable, unreadable, or indecipherable to unauthorized individuals.” ARRA directs DHHS to issue guidance by April 17, 2009 on technologies and methodologies for rendering protected health information “unusable, unreadable or indecipherable to unauthorized individuals.”

Timing for Data Security Breach Notices. A covered entity must issue the notices of a data security breach to affected individuals without delay after discovery of the breach (and not later than 60 days after discovery). A covered entity informed of a data security breach by its business associate must issue the notices of the breach to affected individuals without delay (and not later than 60 days after receiving the business associate’s notice). The notices must be delayed if law enforcement determines that notification of affected individuals “would impede a criminal investigation or cause damage to national security.”

A data security breach is deemed discovered by a covered entity or business associate once the breach becomes known or should reasonably have been known to any employee, officer or other agent of the covered entity or business associate, other than the individual who commits the breach.

Content of Data Security Breach Notices. The notices of a data security breach to affected individuals must, “to the extent possible,” contain (i) a brief description of what happened, (ii) the date of the breach and the date of its discovery, (iii) a description of the types of unsecured protected health information involved (for example, “full name, Social Security number, date of birth, home address, account number, or disability code”), (iv) the steps affected individuals should take to protect themselves from potential harm, (v) a brief description of what the covered entity is doing to investigate the breach, mitigate losses, and prevent further breaches, and (vi) contact procedures, including a toll-free telephone number, email address, web site or postal address, for individuals to ask questions and obtain additional information.

Methods for Giving Data Security Breach Notices. Notices of a data security breach to affected individuals are to be given in writing by first-class mail at each individual’s last known address. Notices may be given by email to individuals who have specified a preference for email notifications.

Substitute notice is required for affected individuals for whom a covered entity has insufficient or outdated contact information. When there are 10 or more such affected individuals, substitute notice means either “a conspicuous posting for a period determined by [DHHS] on the home page of the Web site of the covered entity” or “notice in major print or broadcast media, including major media in geographic areas where the individuals affected by the breach likely reside.” The web site posting or media notice must include “a toll-free phone number where an individual can learn whether or not the individual’s unsecured protected health information is possibly included in the breach.” A covered entity may elect also to provide telephonic or other notice to individuals that the covered entity determines may face “imminent misuse” of their unsecured protected health information.

If a data security breach affects more than 500 individuals of a particular state or other jurisdiction, the covered entity must provide notice of the breach “to prominent media outlets” of that state or jurisdiction.

Notice to DHHS. A covered entity involved in a data security breach affecting 500 or more individuals must notify DHHS of the breach. A covered entity must log each data security breach affecting less than 500 individuals and submit the log to DHHS annually. DHHS will identify on its web site each covered entity that is involved in a data security breach affecting more than 500 individuals.

Enhanced Civil Penalties and Enforcement

ARRA Violations. Covered entities that violate the privacy, security or data breach notification requirements of ARRA after they become effective will be subject to enforcement under the HIPAA civil and criminal provisions.

Increased Civil Monetary Penalties. ARRA increases the civil monetary penalties for violations of the privacy, security or data security breach notification requirements of HIPAA or ARRA. The new civil monetary penalties must be at least:

  • $100 per violation if the violator did not and, by exercising reasonable diligence, would not have known of the violation;
  • $1,000 per violation if the violation was due to reasonable cause and not willful neglect;
  • $10,000 per violation if the violation was due to willful neglect, but was corrected within 30 days after the violator knew or reasonably should have known of the violation; and
  • $50,000 per violation if the violation was due to willful neglect and was not corrected within 30 days after the violator knew or reasonably should have known of the violation.

These civil monetary penalties are capped at, respectively, $25,000, $100,000, $250,000 and $1,500,000 per year for repeated violations of the same requirement during the year. DHHS is to take into account, in determining the amount of the civil monetary penalty to assess, “the nature and extent of the violation and the nature and extent of the harm resulting from such violation.”

Civil Penalties Required for Willful Neglect. ARRA mandates that, effective February 17, 2011, DHHS must impose a civil monetary penalty for a violation of a privacy, security, or data breach notification requirement of HIPAA or ARRA caused by willful neglect. DHHS is directed to issue regulations by August 17, 2010 to implement this provision.

Civil Penalties Not Barred by Criminal Conduct. ARRA changes the bar to bringing a civil action against a violator whose act “constitutes an offense punishable” under the HIPAA criminal provisions. Effective February 17, 2011, a violator may face civil penalties for violating a privacy, security or data security breach notification requirement of HIPAA or ARRA unless and until the violator has been convicted and penalized under HIPAA’s criminal provisions for the same violation. DHHS is directed to issue regulations by August 17, 2010 to implement this provision.

Victim Compensation. Once DHHS issues implementing regulations that establish the methodology, individuals who are harmed by a violation of the privacy or security requirements of HIPAA or ARRA will be eligible to receive a percentage of any civil monetary penalty or monetary settlement collected with respect to such violation. DHHS is directed to issue the regulations by February 17, 2012 that will establish the methodology.

State Attorneys General Enforcement. ARRA empowers state attorneys general to now enforce the privacy, security and data security breach notification requirements of HIPAA or ARRA through civil actions against violations that have adversely affected or threaten to adversely affect their states’ residents. State attorneys general may obtain statutory damages of $100 for each violation of each requirement adversely affecting the states’ residents, with an annual cap of $25,000 for repeated violations of the same requirement, and injunctive relief and attorneys’ fees.

Corrective Actions. ARRA permits the DHHS Office for Civil Rights to continue its practice of using corrective action without civil monetary penalty when a covered entity did not know and reasonably would not have known that its action violated HIPAA privacy or security requirements.

Clarified Criminal Coverage

Knowing Violations of ARRA. Any person who knowingly obtains or discloses individually-identifiable health information in violation of the ARRA privacy protections is now subject to the HIPAA criminal penalties. Those penalties can reach $250,000 and 10 years imprisonment per violation.

Exposure for Employees and other Individuals. ARRA clarifies that the HIPAA criminal provisions now apply, not just to covered entities and business associates, but also to “a person (including an employee or other individual)” who obtains or discloses “without authorization” protected health information “maintained by a covered entity.”