A portion of the new economic stimulus bill, called the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), will have a significant impact on service providers to group health plans, health care providers and other covered entities that use or disclose protected health information (“PHI”). Such “business associates” may include third party administrators and vendors of wellness programs, disease management, utilization review, and a host of other professional expanded requirements under HIPAA, and creates significant risks of penalties, enforcement actions, and impediments to core business functions.
In a nutshell, the HITECH Act provides for the following new rules, restrictions, and requirements:
- Regulations will be issued by August 2010 that will define the “minimum necessary” amount of PHI that may be transferred from covered entities to business associates for certain purposes.
- HIPAA privacy and security requirements now apply directly to business associates.
- A breach of unsecured PHI must be reported to covered entities and individuals, and if it affects 500 or more individuals, to media outlets and HHS.
- New penalties for violating HIPAA are effective immediately and range from $100 to $50,000 per violation, with no maximum aggregate limit in certain circumstances.
- Penalties may be shared with harmed individuals, which may create an incentive to report violations.
- State attorneys general are authorized to enforce HIPAA against covered entities and business associates.
In addition to the cost of compliance, the risk of penalties, the possibility of media involvement, and the potential for uneven application of the law by state attorneys general, these changes may result in significant limitations on information exchanged for health promotion, disease management, and care coordination programs. Dorsey’s Consumer Driven Health Care Group can help you identify and address your legal needs arising from these changes. A more detailed summary follows.
Regulations Limiting the Transfer of PHI
Prior to the HITECH Act, HIPAA generally required covered entities disclosing PHI for purposes other than treatment (and certain other specified purposes) to make reasonable efforts to only disclose the “minimum necessary” to accomplish the intended purpose; however, the regulations do not define “minimum necessary.” Now, the HITECH Act requires HHS to issue guidance on what constitutes the “minimum necessary” PHI by August 2010. We cannot predict how restrictive these regulations may be, but early interpretations of the Genetic Information Nondiscrimination Act of 2008 suggest that federal regulators under the Obama Administration are heavily influenced by privacy concerns. If the definition is too restrictive, disease management and wellness companies in particular may have difficulty obtaining information they need to conduct business.
Business Associates are Now Subject to HIPAA
The HITECH Act imposes numerous new obligations on business associates for compliance with HIPAA privacy and security regulations. All business associate agreements will need to be reviewed and updated. Business associates need HIPAA compliant administrative, physical and technical safeguards for electronic PHI. They are also required to adopt HIPAA security policies and procedures or update existing ones.
Business associates and covered entities are further subject to new and expanded HIPAA privacy requirements, including accounting to individuals for certain PHI disclosures for treatment, payment and health care operations, restrictions on the sale of PHI, and restrictions on marketing communications. HHS may directly audit business associates for compliance. Business associates and covered entities will need to review their procedures for compliance with these new requirements and to prepare for potential audits by HHS.
HHS will issue annual guidance specifying the most effective and appropriate technical safeguards. Business associates may need new or modified information security systems to comply with the guidelines.
New Notice Requirements for Breaches
The Act also imposes new and burdensome notice requirements on covered entities and business associates for breaches of “unsecured protected health information.” “Unsecured protected health information” is PHI that was not “rendered unusable, unreadable or indecipherable” using a technology or methodology specified in guidance issued by HHS or otherwise in the HITECH Act. When a breach occurs, the business associate must inform the covered entity of the breach and the identity of each individual whose information has been disclosed or acquired through the breach. In all cases, the covered entity must notify the affected individuals, but the HITECH Act goes beyond individual notification. If the breach affects more than 500 individuals, the covered entity must disclose it to the media and HHS, and HHS will make information about the breach public on its website. Compliance with the notice provision is required with regard to breaches that occur 30 days after HHS publishes regulations implementing the breach notice provisions, which are due by August 16, 2009. Because notices are only required when “unsecured protected health information” is breached, it is especially important that business associates and covered entities bring security systems into compliance with the HHS guidance.
Penalties for HIPAA Violations
Business associates are now directly liable for violating HIPAA and are subject to HIPAA enforcement provisions. New civil monetary penalties (“CMPs”) are tiered based upon the violator’s level of intent. The three levels are (1) the violator “did not know (and by exercising reasonable due diligence would not have known)” of the violation, (2) the violation was caused by “reasonable cause” but not “willful neglect,” and (3) the violation was caused by willful neglect. Penalties for violations where the violator “did not know (and by exercising reasonable due diligence would not have known)” of the violation range from $100 to $25,000 per violation for violations of the same requirement in a calendar year. Penalties for violations due to “reasonable cause” and not “willful neglect” range from $1,000 to $50,000 for violations of the same requirement in a calendar year. In both cases the maximum CMP is $50,000 per violation, but no more than $1,500,000 for violations of the same requirement in a calendar year.
Willful neglect violations are divided into two categories: those corrected within 30 days of the date the violator knew or should have known of the violation and those not corrected. The maximum penalty for corrected willful neglect violations is $50,000 per violation, with a maximum of $1,500,000 for all violations of the same requirement in a calendar year. If the willful neglect violation is not corrected, the minimum penalty is $50,000 per violation with no maximum limit. The new penalties are immediately effective.
Penalties are Shared with Harmed Individuals
The HITECH Act also permits harmed individuals to receive a portion of the civil monetary penalty or monetary settlement collected for the violation. Regulations regarding the methodology for administering this provision will be issued by February 17, 2012. This provision may create an incentive for individuals to report violations. Furthermore, HHS will be required to complete an investigation of a complaint if an initial investigation indicates possible willful neglect.
HIPAA may be Enforced by State Attorneys General
An even greater cause for concern is the HITECH Act’s provision granting state attorneys general the authority to enforce HIPAA privacy and security provisions. State attorneys general may bring a civil action when a violation threatens or adversely affects the state’s residents. The maximum penalty in actions brought by state attorneys general is $25,000 per year for all violations of an identical requirement, plus attorneys’ fees.
Many states have laws (generally referred to as “private attorney general laws”) that allow private citizens to bring certain legal claims that the state’s attorney general is authorized to bring. The HITECH Act’s provision granting state attorneys general the authority to enforce HIPAA security and privacy provisions, together with private attorney general laws and the HITECH Act provisions that provide for harmed individuals to receive a portion of the civil monetary penalty or monetary settlement may result in a great deal more scrutiny and enforcement of the HIPAA privacy and security rules.
Impact on Your Business
The HITECH Act will have a significant impact on business associates, including disease management and wellness companies, and many of the new privacy and security requirements require immediate attention. It will increase the cost of doing business and imposes risks that are difficult to quantify, including the risk that HHS will issue regulations that fail to balance privacy concerns with the need for innovation to fight chronic illness and bring health care costs under control. At a minimum, business associates will need to take the following steps: update their business associate agreements; evaluate and potentially modify current administrative, physical and technical safeguards (including security for electronic data); create or amend policies and procedures to comply with the security standards; create a process to comply with new accounting requirements for certain disclosures for treatment, payment and health care operations; evaluate current insurance coverage with regard to the additional obligations, risks and liabilities created by the new requirements; and evaluate current services and arrangements in light of the new restrictions regarding marketing and paying for certain communications. Business associates whose activities involve the use of PHI that is subject to the “minimum necessary” standards should begin to lobby regulators for a reasonable definition of “minimum necessary.”