Organizations that serve the health care industry, including business associates, personal health record (PHR) vendors and health information exchanges (HIEs), will be under federal legal mandate to protect individually-identifiable health information. That is one effect of the tougher federal protection of health information mandated by the American Recovery and Reinvestment Act of 2009 (ARRA)—the $787 billion economic stimulus package that became law on February 17, 2009.

Current “HIPAA” Health Information Protections

Federal protection of health information is found in the Privacy and Security Rules that implement the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Until ARRA, these Rules applied only to “covered entities”—health care providers that transmit electronic transactions regulated by the HIPAA Transactions Rule, and all health plans and health care clearinghouses.

These Rules did not reach “business associates”—vendors, professional service providers and others that perform functions or activities involving individually-identifiable health information for or on behalf of covered entities. The Rules instead required covered entities to extend certain health information privacy and security protection obligations to their business associates by contracts, known as “business associate agreements.” ARRA modifies this structure.

ARRA also imposes obligations to protect health information on organizations involved with PHRs and on HIEs and transmission conduits that need routine access to individually-identifiable health information to provide services for or on behalf of covered entities or business associates.

Expansion of Federal Health Information Protections to Business Associates

Starting February 17, 2010, ARRA will subject business associates to many of the health information protection obligations that the HIPAA Privacy and Security Rules impose on covered entities. These new federal obligations for business associates will be in addition to the contractual obligations to protect health information that ARRA continues to require covered entities to impose on their business associates through business associate agreements. ARRA also expands government regulation and oversight of business associates and subjects them to data security breach notification requirements.

Security Rule Compliance. ARRA directs business associates to implement, by February 17, 2010, the data security measures of the HIPAA Security Rule at 45 C.F.R. §§ 164.308, 164.310, 164.312 and 164.316. That means every business associate will have to implement written data security policies and procedures that satisfy the standards, implementation specifications and other requirements of the HIPAA Security Rule. Those standards, implementation specifications and other requirements include:

  • Administrative safeguards—risk assessment and periodic reassessments; risk management security measures; information system activity risk reviews; an assigned security official; workforce training and sanctions; data access controls; data back-up and disaster recovery plans; security incident management.
  • Physical safeguards—facility and workstation access controls; portable and removable device and media management; device and media disposal, re-use, back-up and storage controls.
  • Technical safeguards—access, authentication and audit controls; data integrity and transmission security.

Privacy Rule Compliance. Because of ARRA, federal law will limit business associates, starting February 17, 2010, to using and disclosing individually-identifiable health information only as the HIPAA Privacy Rule allows. ARRA also mandates that covered entities continue to use business associate agreements to contractually limit their business associates to using and disclosing individually-identifiable health information only as the HIPAA Privacy Rule allows.

Covered Entity’s Business Associate Agreement Breach. ARRA directs a business associate that, after February 17, 2010, learns that the covered entity it serves engages in a pattern of activities or practices that materially breach the covered entity’s obligations under their business associate agreement to require the covered entity to cure the breach. If the covered entity fails to cure the breach, the business associate must terminate the business associate agreement. If termination is not feasible, the business associate must report the covered entity’s breach to the Department of Health and Human Services (DHHS).

Electronic Health Record Disclosure Accounting. ARRA adds to the disclosure accounting obligations of business associates that serve covered entities that use or maintain electronic health records (EHRs). ARRA obligates a business associate to respond directly to individuals’ requests for accountings of disclosures, including disclosures made through EHRs for treatment, payment or health care operations, if the covered entity that the business associate serves responds to disclosure accounting requests by listing the business associate’s contact information and the individuals seeking disclosure accountings then contact the business associate directly. The business associate must include in its accountable disclosures all disclosures through EHRs made for treatment, payment and health care operations during the three years preceding the disclosure accounting request.

A business associate must be able to comply with this direct disclosure accounting obligation for disclosures for treatment, payment and health care operations through EHRs made on and after January 1, 2014 if the covered entity it serves had an EHR as of January 1, 2009. If the covered entity that a business associate serves does not acquire an EHR until after January 1, 2009, the business associate must be able to comply with this direct disclosure accounting obligation with respect to such disclosures made on and after the later of January 1, 2011 or the date after January 1, 2011 on which the covered entity acquires an EHR. DHHS may extend these compliance dates to January 1, 2016 and January 1, 2013, respectively.

Expanded Business Associate Agreement Provisions. The requirements that ARRA imposes on business associates, such as HIPAA Security Rule compliance, contract termination for a covered entity’s uncured material breach and disclosure accounting, must be incorporated into business associate agreements by February 17, 2010.

PHR Vendors, HIEs and Transmission Conduits Deemed Business Associates. Vendors that contract with covered entities to offer PHRs to patients as part of EHRs must have business associate agreements with the covered entities by February 17, 2010. HIEs, such as regional health information organizations and e-prescribing gateways, and transmission conduits that require routine access to individually-identifiable health information to provide services for or on behalf of covered entities must enter into business associate agreements with the covered entities by February 17, 2010. ARRA deems these PHR vendors, HIEs and transmission conduits to be business associates, thereby subjecting them to the federal health information protection laws that ARRA extends to business associates.

Civil and Criminal Penalties. Business associates that fail to comply with the health information protection obligations imposed by ARRA will be subject to the same civil and criminal penalties that HIPAA applies to covered entities. The HIPAA civil penalties include ARRA’s new tiered civil monetary penalty structure that assesses as much as $50,000 per violation of a HIPAA privacy or security requirement, with an annual cap of $1,500,000 for repeated violations of the same HIPAA privacy or security requirement. The criminal penalties for knowingly obtaining or disclosing individually-identifiable health information in violation of HIPAA privacy or security requirements can reach $250,000 and 10 years imprisonment per violation.

State Attorneys General Enforcement. ARRA empowers state attorneys general to enforce HIPAA privacy and security requirements through civil actions against business associates and others whose violation of HIPAA privacy or security requirements has adversely affected or threatens to adversely affect the states’ residents. State attorneys general may obtain statutory damages of $100 for each violation of a HIPAA privacy or security requirement adversely affecting the states’ residents, with an annual cap of $25,000 for repeated violations of the same HIPAA privacy or security requirement, and injunctive relief and attorneys’ fees.

Data Security Breach Notification. Effective 30 days following DHHS’s issuance of implementing regulations, a business associate must notify the covered entities it serves upon discovery of a security breach of the “unsecured protected health information” that the business associate uses, discloses or maintains for or on behalf of the covered entities. The notice must be given without delay (and not later than 60 days after discovery).

“Unsecured protected health information” is individually-identifiable health information in electronic, paper or any other medium that is not secured by a technology or methodology that DHHS specifies in guidance as rendering individually-identifiable health information “unusable, unreadable, or indecipherable to unauthorized individuals.” A data security breach is deemed discovered by a business associate once the breach becomes known or should reasonably have been known to any employee, officer or other agent of the business associate, other than the individual who commits the breach.

Government Compliance Audits. Starting February 17, 2010, business associates face periodic audits by DHHS to ensure compliance with their legal and contractual obligations to protect health information privacy and security.

DHHS Implementing Regulations. DHHS is required to update the HIPAA Privacy and Security Rules to conform them to ARRA. ARRA sets no deadline for DHHS to make these updates. In the meantime, the provisions of ARRA will prevail over any inconsistent provisions of the current HIPAA Privacy and Security Rules.

DHHS is required to issue regulations by August 17, 2009 to implement ARRA’s data security breach notification requirements. DHHS is also required to issue regulations regarding the content of an accounting of disclosures for treatment, payment and health care operations through EHRs. DHHS is to issue these regulations within six months following DHHS’s adoption of technology standards for disclosure accounting for treatment, payment and health care operations through EHRs. ARRA directs DHHS to adopt such standards by December 31, 2009, which means the DHHS regulations for the content of an accounting of disclosures for treatment, payment and health care operations through EHRs should be issued by July 1, 2010.

DHHS Compliance Guidance. ARRA directs DHHS to issue guidance by April 17, 2009 on technologies and methodologies for rendering individually-identifiable health information “unusable, unreadable or indecipherable to unauthorized individuals.” DHHS is also required to issue guidance at least annually on the “most effective and appropriate technical safeguards” for protecting individually-identifiable health information in electronic format. Each DHHS Regional Office must have resources by August 17, 2009 that offer business associates “guidance and education” on their health information privacy and security protection obligations.

Expansion of Federal Health Information Protections to PHR Vendors

Data Security Breach Notification. ARRA imposes data security breach notification obligations on PHR vendors. PHR vendors include vendors of PHR systems, such as Microsoft and Google, as well as (i) vendors that offer products or services through the websites of vendors of PHR systems, (ii) vendors (not themselves covered entities) that offer products or services through the websites of covered entities offering PHRs, and (iii) other entities (not themselves covered entities) that “access information in . . . or send information to” PHRs.

PHR Vendors’ Obligations. Effective 30 days following issuance of implementing regulations by the Federal Trade Commission (FTC), PHR vendors that discover a security breach of the “unsecured PHR identifiable health information” in the PHRs that the vendors offer or maintain or from which “unsecured PHR identifiable health information” is obtained through the vendors’ products or services must notify each affected United States citizen or resident and the FTC of the security breach without delay (and not later than 60 days after discovery).

PHR Vendors’ Subcontractors’ Obligations. Subcontractors to PHR vendors must notify the PHR vendors they serve upon discovery of a security breach of the “unsecured PHR identifiable health information” that the subcontractors use, disclose or maintain for or on behalf of the PHR vendors. Subcontractors must provide the notice of a security breach without delay (and not later than 60 days after discovery). The notice must identify each individual affected by the security breach. PHR vendors are then obligated to notify the affected individuals and the FTC about the security breach without delay (and not later than 60 days after their receipt of a subcontractor’s notice). PHR vendors and their subcontractors that fail to comply with these data security breach notification obligations engage in unfair and deceptive practices that violate Section 5 of the FTC Act.

Definitions. “Unsecured PHR identifiable health information” is individually-identifiable health information in electronic, paper or any other medium that is not secured by a technology or methodology that DHHS specifies in guidance as rendering individually-identifiable health information “unusable, unreadable, or indecipherable to unauthorized individuals.” A breach in the security of “unsecured PHR identifiable health information” occurs if “unsecured PHR identifiable health information” in a PHR is acquired without the authorization of the individual to whom the PHR pertains. A breach in the security of “unsecured PHR identifiable health information” is deemed discovered once the breach becomes known or should reasonably have been known to any employee, officer or other agent of the PHR vendor or subcontractor, other than the individual who commits the breach.

FTC Regulations. The FTC must issue regulations by August 17, 2009 to implement ARRA’s data security breach notification requirements for PHR vendors and their subcontractors.