Statutory and Regulatory Background
The Health Information Technology for Economic and Clinical Health Act (the “HITECH” Act), which was included as part of the American Recovery and Reinvestment Act of 2009, made significant changes to the HIPAA privacy and security rules. Some of these changes impact employer-sponsored health plans, which are “covered entities” under HIPAA, such as:
- new security breach notification provisions;
- the expansion of certain rules and penalties to business associates;
- the expansion of participant rights; and
- increased penalties and mandated enforcement.
Many of these changes were effective February 18, 2010. Other effective dates are described in the discussion below.
Breach Notification Rules
Prior to HITECH, if there was a privacy or security breach with respect to protected health information (“PHI”), the health plan was required to mitigate any harmful effect, but was not required to notify individuals whose PHI was breached.
HITECH requires the health plan to notify each individual whose unsecured PHI is breached (or is reasonably believed to have been breached). The notice must be provided without unreasonable delay and within 60 days of the discovery of the breach. The notice must be made by first-class mail (or electronic mail if specified as a preference by the individual) and may be provided in one or more mailings as information becomes available.
Unsecured PHI is any PHI that is not secured. “Secured” PHI, which is not subject to these breach notification rules, is PHI that has been destroyed or, in the case of electronic PHI, has been rendered unusable, unreadable, or indecipherable by encryption.
Unsecured PHI is considered “breached” if it is disclosed, acquired, accessed or used in an unauthorized manner that compromises the security or privacy of the PHI. However, the term “breach” excludes any unintentional acquisition, access or use of unsecured PHI by employees (or other members of the workforce, such as volunteers, trainees and agents) of the health plan or business associate if done in good faith and within the scope of employment (i.e., the action was on behalf of the health plan) and if the unsecured PHI is not further used or disclosed in an unauthorized manner.
For example, assume that Betty, a health plan employee who receives PHI in connection with her job, accidentally forwards an email containing Mark’s PHI to Jim, who is training to work with Betty on the health plan. As long as Jim notifies Betty of the misdirected email and deletes it, there should be no breach of Mark’s PHI.
However, assume that Jim decides to look through health plan records to learn about Mark’s treatment for an illness. This impermissible access to PHI would not fall within the exception to breach because the access was neither unintentional, done in good faith, nor within the scope of authority.
The notice of a breach must include:
- a brief description of the breach (including the date of the breach and the date of the breach discovery if known),
- the type of unsecured PHI involved,
- steps the individual should take to protect himself or herself from potential harm resulting from the breach,
- a brief description of what the health plan is doing to investigate the breach, mitigate losses and protect against future breaches, and
- health plan procedures for the individual to ask questions.
The health plan should avoid including any sensitive information in the notice. For example, the notice need only describe the type of PHI involved (such as whether a social security number or diagnosis was disclosed) and is not required to list the actual PHI that was breached (such as an actual social security number or diagnosis).
In addition, if more than 500 individuals in a state or jurisdiction are reasonably believed to have been involved, the health plan must also provide notice to “prominent media outlets” serving the state or jurisdiction. Moreover, the health plan must notify the Secretary of HHS immediately of breaches involving 500 or more individuals and on an annual basis of other breaches.
If a business associate breaches unsecured PHI, the business associate must notify the health plan and include the identity of each individual involved in the breach.
The breach notification rules were effective September 23, 2009, but there is limited enforcement for breaches occurring before February 23, 2010. The Office for Civil Rights, which is the HIPAA privacy rights enforcement agency for HHS, has stated that it will not impose sanctions for a failure to provide the required notifications for breaches discovered through February 22, 2010.
Expansion of HIPAA Privacy and Security Rules to Business Associates
Prior to HITECH, the HIPAA security and privacy rules applied only to “covered entities” (such as health plans). HITECH generally extends the HIPAA security and privacy rules to apply to business associates in the same manner as they apply to covered entities, effective February 18, 2010. Thus, business associates are subject to the same penalties as the covered entity.
In July 2010, HHS issued proposed rules fleshing out these statutory provisions for business associates. Business associate is defined to include any subcontractor of a business associate that receives PHI from the business associate. Business associates will be required to enter into business associate agreements with subcontractors to allow the subcontractors to receive PHI. However, health plans are not required to have business associate agreements with the subcontractors.
HITECH requires health plans to revise their business associate agreements to include several new provisions, such as provisions:
- that require the business associate to comply with the HIPAA security rule with respect to electronic PHI;
- that require the business associate to report breaches of unsecured PHI to the health plan;
- that require the business associate to ensure that subcontractors comply with the same HIPAA restrictions that are applicable to the business associate; and
- to the extent the business associate is required to carry out the health plan’s HIPAA privacy obligations, that require the business associate to comply with the privacy rules that apply to the plan.
Health plans and business associates will have 180 days after the effective date of final rules to come into compliance with most of these provisions. In addition, the health plans and business associates will generally have one year plus 240 days after the final rule is published to revise existing business associate agreements.
Access to Electronic PHI
The HIPAA privacy rules currently provide participants the right to request access to their PHI from a health plan, and require the health plan to respond to a request for PHI within 60 days, charging only for copying costs, labor and postage.
HITECH provides that, where a health plan holds an “electronic health record,” a participant must be able to request PHI in electronic form. HITECH allows the plan to charge the participant for its labor in providing this access. In addition, HITECH gives the participant the right to direct the plan to transmit a copy of electronic PHI directly to an entity or person designated by the participant. These provisions were effective February 18, 2010.
The HHS proposed rules clarify that the health plan can require the participant to request access in writing, clearly identifying the recipient of the electronic PHI as well as how to deliver the electronic PHI. In addition, the proposed rules allow the health plan to request reimbursement of its costs for electronic media, such as a CD or flash drive, that it must provide to comply with the participant’s request.
Health plans will need to modify their existing HIPAA privacy policies to incorporate the new rules relating to access to electronic PHI and will have 180 days after the effective date of the final rules to come into compliance with most of these provisions.
Revisions to HIPAA Notice of Privacy Practices
The HIPAA privacy rules require a health plan to distribute a “notice of privacy practices” that informs participants of the plan’s privacy practices and their privacy rights with respect to PHI. HITECH and the related HHS guidance will require health plans to revise their notices of privacy practices in a number of respects.
For example, HITECH gives health plan participants the right to instruct health care providers not to disclose to the health plan any PHI related to services for which the participant pays out-of-pocket.
In addition, the HHS proposed rules require a health plan’s notice of privacy practices to be revised to state that the plan, except in limited circumstances, must obtain a participant’s written authorization to use or disclose psychotherapy notes, use or disclose PHI for marketing purposes, or receive remuneration for the disclosure of PHI.
Health plans will have 180 days after the effective date of the final rules to come into compliance with most of these provisions. In addition, the HHS is seeking comments on the best way for the revised notices of privacy practices to be distributed by health plans.
Increased Penalties and Mandated Enforcement
HITECH significantly increases existing penalties for HIPAA privacy and security violations. Prior to HITECH, the civil penalty was generally $100 for each privacy or security violation, up to a maximum of $25,000 per calendar year for multiple violations of the same requirement. HITECH generally retains this penalty for certain “unknowing” violations. An “unknowing” violation is one in which the person did not know (and by exercising reasonable diligence would not have known) that a violation occurred. However, HITECH imposes the following tiered penalties for other types of violations, effective February 18, 2009:
- at least $1,000 per violation due to “reasonable cause” but not willful neglect, up to a maximum of $100,000 per calendar year for violation of the same requirement;
- at least $10,000 for each violation due to willful neglect that is timely corrected (i.e., policies and procedures that allowed the violation are corrected), up to a maximum of $250,000 per calendar year for violation of the same requirement; and
- at least $50,000 for each violation due to willful neglect if not corrected within 30 days, up to a maximum of $1,500,000 per calendar year for violation of the same requirement.
“Reasonable cause” is defined to mean that the health plan or business associate did not act with “willful neglect.” “Willful neglect” is defined as intentional failure or reckless indifference to the obligation to comply. The actual penalty will be based on the nature and extent of the violation and the nature and extent of the harm resulting from the violation.
HITECH requires the Secretary to formally investigate the complaint if a preliminary investigation of the facts indicates a possible violation due to willful neglect. Moreover, HITECH requires the Secretary to impose a penalty for a violation due to willful neglect. These provisions take effect on February 18, 2011.
INSIGHT: Action Items for Employer-Sponsored Health Plans
- Immediately: Health plans should immediately become familiar with and implement the new security breach notification rules.
- Within 180 Days after the Effective Date of Final Regulations: Once final HITECH regulations are published and become effective, health plans will have 180 days to revise their privacy policies and notices of privacy practices to reflect the new privacy rights described above.
- Within 240 Days Plus One Year after the Publication Date of Final Regulations: Business associate agreements must be revised in accordance with HITECH within 240 days plus one year after final HITECH regulations are published.