blog icon linkedin icon facebook icon twitter icon
lightbulb iconGet Steptoe Know-How Business Essentials Email this page Rss Feeds

 
Stimulus Bill Includes HIPAA Modifications
Author: Susan Haller Pauley
March 9, 2009

To the surprise of many, the recently enacted American Recovery and Reinvestment Act (“ARRA”) (generally known as the “Stimulus Bill”) significantly modifies portions of the HIPAA Privacy Rule and the HIPAA Security Rule. In addition, the ARRA imposes new security breach notification requirements. This Alert provides a brief overview of the changes to the HIPAA Privacy Rule and the HIPAA Security Rule as well as the new security breach notification requirements contained in the ARRA. Many of the changes will be implemented by a series of forthcoming guidance and regulations. In general, the effective date for the modifications and new requirements imposed by the ARRA is February 17, 2010. This effective date does not, however, apply to all of the new requirements. 

  • Modifications to the HIPAA Privacy Rule include the following:
    • Business Associates are subject to additional responsibilities;
    • Business Associates are subject to HIPAA’s civil and criminal penalties; 
    • The “minimum necessary” standard is revised;
    • The HIPAA Privacy Rule’s requirement regarding requests for protected health information (“PHI”) protection is amended as to certain disclosures;
    • The HIPAA Privacy Rule’s access requirement is amended as to health information maintained electronically;
    • The HIPAA Privacy Rule’s accounting requirement is amended as to electronic health records;
    • Remuneration for exchanges of PHI without an appropriate authorization is prohibited; and
    • The categories of activities included in “health care operations” are amended.
  • The HIPAA Security Rule is modified to impose the Rule’s administrative, physical, and technical safeguard requirements as well as policy and procedural requirements and documentation requirements on Business Associates. Business Associates are also subject to HIPAA’s civil and criminal penalties.
  • HIPAA’s enforcement provisions are modified to include increased civil monetary penalties; to allow state attorneys general to bring civil actions to enjoin further violations and to obtain statutorily-established damages, and possibly attorneys’ fees; and to require the Secretary of the U.S. Department of Health and Human Services to perform periodic audits.  
  • The ARRA imposes new breach notification requirements on Covered Entities.
  • The ARRA imposes new breach notification requirements on certain vendors and other entities that are not Covered Entities.

Additional details regarding these changes are described below:

Modifications to the HIPAA Privacy Rule Under the ARRA 

  • Business Associates. According to the Conference Report, the ARRA would apply the HIPAA Privacy Rule to Business Associates. However, the scope of the statutory language does not appear to be that broad. Instead, the ARRA appears to codify the Business Associate contract requirement (which previously was created by regulation). In addition, Business Associates with knowledge of a Covered Entity’s pattern of activity or practice constituting a material breach/ violation of a Business Associate Agreement are not in compliance with various provisions of the HIPAA Privacy Rule unless the Business Associate takes certain actions (e.g., takes reasonable steps to cure the breach and if unsuccessful, terminates the contract or if that is not possible, reports the problem to the Secretary of the U.S. Department of Health and Human Services (“HHS Secretary”)). This is an extension of the current responsibility of Covered Entities who are parties to Business Associate Agreements. The ARRA’s additional privacy requirements must be incorporated into Business Associate Agreements. Business Associates are also subject to HIPAA’s civil and criminal penalties.
  • Minimum Necessary Standard. The “minimum necessary” standard is met if the Covered Entity limits the use, disclosure, or request of PHI to a “limited data set” (i.e., most direct identifiers have been removed) or, if needed by such entity, to the minimum necessary to accomplish the intended purpose. This provision will sunset once the HHS Secretary issues guidance on what constitutes the minimum necessary amount of PHI. The HHS secretary must issue such guidance within 18 months of the ARRA’s enactment. 
  • Requests for PHI Protection. 45 C.F.R. § 164.522, “Rights to request privacy protection for protected health information,” is amended to require, upon individual request, that Covered Entities restrict disclosure of PHI if, except as required by law, the disclosure is to a health plan for payment or health care operations purposes and the PHI pertains to a health care item or service for which the health care provider has been paid out of pocket in full.
  • Access. The HIPAA Privacy Rule’s access provision is amended to allow individuals to obtain a copy of their health information in electronic format if the information is maintained electronically and to direct that the information be sent to another institution or person. Fees for electronic copies are limited to labor costs associated with responding. 
     
  • Accounting. The HIPAA Privacy Rule’s accounting provision is amended as it relates to electronic health records, which are defined under the ARRA to include “an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.” In addition, the HHS Secretary must promulgate regulations regarding what information must be collected to provide an accounting with respect to disclosures of electronic health records. The ARRA adopts a rolling effective date for this requirement, which is based on the date on which the Covered Entity acquires the electronic health record.
  • Remuneration for PHI. Except in certain cases, neither Covered Entities nor Business Associates may directly or indirectly receive remuneration in exchange for PHI without an appropriate authorization. Within 18 months of the ARRA’s enactment, the HHS Secretary shall promulgate regulations to carry out this requirement. 
  • Health Care Operations. The categories of activities that are included within “health care operations” are amended. Except in certain circumstances, communications by Covered Entities or Business Associates encouraging the use of a product or service do not fall within the definition of “health care operations.” In addition, the HHS Secretary shall by rule provide that written fundraising communications falling within the category of “health care operations” must provide clear and conspicuous opt-out language.


      Modifications to the HIPAA Security Rule under the ARRA


      • Business Associates. Business Associates are subject to § 164.308 (administrative safeguard requirements), §164.310 (physical safeguard requirements), §164.312 (technical safeguard requirements), and §164.316 (policy and procedure requirements as well as documentation requirements) of the HIPAA Security Rule, which had previously only applied to Covered Entities. Additional requirements imposed on Business Associates must be incorporated into Business Associate Agreements. Business Associates are also subject to HIPAA civil and criminal penalties.
      • Guidance. Beginning in 2010, on an annual basis, the HHS Secretary is required to provide guidance on the “most effective and appropriate technical safeguards” for carrying out the requirements of the HIPAA Security Rule, as amended.
      • The ARRA clarifies that organizations providing data transmission to Covered Entities/their Business Associates and that require access on a routine basis to the PHI (e.g., Health Information Exchange Organization; vendor contracting with Covered Entity to provide personal health record to patients as part of its electronic health record) are treated as Business Associates and must enter into Business Associate Agreements. 

      “Improved” HIPAA Enforcement 

      • Increased Civil Monetary Penalties. After February 17, 2009, the beefed-up enforcement provisions include a tiered increase in the amount of civil monetary penalties. The new enforcement provisions apply to violations occurring after February 17, 2009.
        • The new civil monetary penalty structure is as follows:
          • Violator who did not know (and by exercising reasonable diligence would not have known) of the violation: at least $100/violation (up to $25,000/calendar year for all violations of an identical requirement) up to $50,000/violation (up to $1.5 million/ calendar year for all violations of an identical requirement)
          • Violation was due to reasonable cause and not to willful neglect: at least $1,000/violation (up to $100,000/ calendar year for all violations of an identical requirement) up to $50,000/ violation (up to $1.5 million/ calendar year for all violations of an identical requirement).
          • Violations due to willful neglect:  
            • If the violation is corrected: $10,000/violation (up to $250,000 /calendar year for all violations of an identical requirement) to up $50,000/ violation (up to $1.5 million/calendar year for all violations of an identical requirement).
            • If the violation is not corrected: A penalty of at least $50,000/ violation (up to $1.5 million/calendar year for all violations of an identical requirement). 
        • The Comptroller General is tasked with making recommendations to the HHS Secretary regarding a methodology for providing harmed individuals with a percentage of any civil monetary penalty or settlement. By February 2012, the HHS Secretary must establish by regulation such a system.
      • State Attorney General Actions. After February 17, 2009, state attorneys general may bring a civil action on behalf of a resident of the state to enjoin further violation and to obtain statutorily-established damages up to $25,000 per calendar year for violations of an identical requirement or prohibition. Attorney fees may also be awarded.
      • Corrective Action. The HHS Office of Civil Rights may continue to use corrective action without imposing a penalty in situations in which the person did not know, and by reasonable diligence would not have known, about the violation. 
      • Audits. The HHS Secretary is required to perform periodic audits of Covered Entities and Business Associates to ensure compliance with the HIPAA Privacy and Security Rules.

        • Clarification. The ARRA clarifies that non-covered entities (e.g., Covered Entity employees) may be found to have violated HIPAA if the non-covered entity obtains or discloses individually identifiable health information maintained by a Covered Entity without authorization.


          Privacy and Security Education Initiative

          • Within six months of the ARRA’s enactment, the HHS Secretary must designate an individual in each of HHS’s regional offices to provide guidance and education regarding the federal PHI privacy and security requirements.
          • Within twelve months of the ARRA enactment date, the HHS Office of Civil Rights shall develop a national education initiative, which would, among other things, “enhance public transparency regarding the uses of protected health information.”

          New Breach Notification Requirement 

          • The Stimulus Bill requires Covered Entities that hold, use, or disclose what is termed “unsecured protected health information” (“Unsecured PHI”) to notify record subjects in the event that such information “has been, or is reasonably believed by the covered entity to have been accessed, acquired, or disclosed as a result of such breach.” 

            • With certain exceptions, a “breach” is an “unauthorized acquisition, access, use, or disclosure of protected health information” that compromises the security or privacy of such information.”
            • “Unsecured PHI” is defined as PHI that is not secured through a technology or methodology specified by the HHS Secretary in forthcoming guidance (or, in the event that such guidance is delayed, “Unsecured PHI” is defined to mean PHI that is not secured by a technology standard that renders such information unusable, unreadable, or indecipherable to unauthorized individuals and is endorsed by an ANSI accredited organization). The HHS Secretary has sixty days after the enactment of the ARRA to issue such guidance and must annually update such guidance. The HHS Secretary has 180 days after the enactment of the ARRA to promulgate interim final regulations to carry out the security breach notification requirements. The security breach notification requirements would apply to breaches discovered thirty days or more after the date on which the interim final regulations are published.
            • A Business Associate of a Covered Entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses Unsecured PHI must notify the Covered Entity of any breach.
          • Summary of Breach Notification Requirements.

            • Except under certain circumstances, breach notifications must be made without unreasonable delay and, in no event, more than sixty calendar days after the discovery of a breach.
            • For breaches involving more than 500 individuals, notice to the HHS Secretary must be provided immediately. For those breaches involving fewer than 500 individuals, the Covered Entity may maintain a breach log and submit the log to the HHS Secretary annually. The HHS Secretary shall post on the HHS website a list of Covered Entities involved in a breach in which the Unsecured PHI of more than 500 individuals is involved.
            • Each breach notification must briefly describe what happened, the types of Unsecured PHI involved, the steps that individuals should take to protect themselves, the investigation conducted by the Covered Entity and the Covered Entity’s efforts to mitigate losses and prevent future breaches, and contact procedure information for additional information.
          • Within 180 days of the ARRA’s enactment, the HHS Secretary must issue interim final regulations to carry out this section.

          Breach Notification Requirements for Certain Vendors and Certain Other Non-HIPAA Covered Entities 

          • The ARRA imposes breach notification requirements on vendors of “personal health records” and certain other non-HIPAA covered entities for security breaches of unsecured “PHR identifiable health information” in a personal health record.
            • A “personal health record” is “an electronic record of PHR identifiable health information … on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.” Regulations carrying out this section shall be promulgated by the Federal Trade Commission within 180 days of the ARRA’s enactment. As the ARRA Conference Report clarifies, “personal health records” do not include the kinds of records that are managed by commercial enterprises (e.g., life insurance companies).
            • “PHR identifiable health information” is individually identifiable health information that is “provided by or on behalf of the individual … and that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.” As the ARRA Conference Report clarifies, “PHR identifiable health information” is broader in scope than “identifiable health information” and is not limited to information created or received by Covered Entities.
          •  The Federal Trade Commission, which may take action against violators of this breach notification requirement under the Federal Trade Commission Act, must promulgate interim final regulations within 180 days of the ARRA’s enactment.