Health care providers and any businesses that provide information technology
services for them will be subject to much greater regulation of their
information security practices as a result of a major component of the recent
economic stimulus legislation. Known as the Health Information Technology for
Economic and Clinical Health Act (or the “HITECH Act”), this portion of the
federal economic stimulus package is the most expansive modification to the
federal privacy and security rules for health-related businesses since the 1996
enactment of HIPAA.
This article focuses on the new privacy and security provisions of the HITECH
Act, and their impact on health care providers, health plans, and the IT and
other technology service businesses that support them.
I. EXPANSION OF BUSINESSES COVERED BY HIPAA REGULATIONS
A. Security Considerations
One of the most far-reaching effects of the HITECH Act is its extension of
HIPAA security and privacy rules to “business associates.” Until now, business
associates were required (under their business associate agreements with covered
entities) to implement administrative, physical and technical safeguards that
“reasonably and appropriately” protect protected health information (“PHI”).
Business associates would be liable only for a breach of such security
obligations arising under their agreements with covered entities, but not
as a result of a violation of HIPAA itself.
The HITECH Act reverses this approach. Now, all of HIPAA’s security
requirements (administrative safeguards, physical safeguards, technical
safeguards, and security policies, procedures, and documentation requirements)
will apply directly to all business associates. This means that the Department
of Health and Human Services (“HHS”) (and now all state attorneys general) may
impose fines against those business associates that do not comply with these
HIPAA standards, which, as noted below, are now being made much more specific.
B. Privacy Provisions
The HITECH Act also applies various privacy provisions to business
associates. A business associate may use and disclose protected health
information only if such use or disclosure is in compliance with all of its
business associate agreement requirements. If a business associate uses or
discloses protected health information in violation of its business associate
agreement, it is not only liable to the covered entity, but also to HHS for the
In addition, business associates will now also have to take action if they
know of a pattern of activity or practice of the business associate that
constitutes a material breach or violation of a business associate agreement. If
the business associate fails to take reasonable steps to cure a breach,
terminate the agreement, or report the problem to HHS, then the business
associate may be liable under HIPAA penalties, including the new CMP penalty
tiers described below.
II. SECURITY PROVISIONS
A. Technical Safeguards
The HITECH Act modifies HIPAA’s prior approach of not mandating specific
technologies by now requiring HHS to issue guidance annually on the “most
effective and appropriate technical safeguards for use in carrying out” the
HIPAA security standards. While the HITECH Act does not expressly mandate that
those technical safeguards will be the only effective technical means of
satisfying the HIPAA security safeguards, covered entities and business
associates that choose not to follow the HHS guidance will have to justify any
alternative choice of technical systems they make in the event of a subsequent
mishap.
B. Breach Notification Provisions
HIPAA-covered entities will now also be required to provide specific
notification to individuals if they discover a breach of unsecured protected
health information. Written notification will have to be provided by first-class
mail, and if the covered entity lacks sufficient contact information for 10 or
more individuals, notification will also have to be made on the home page of the
covered entity’s website, or in major print or broadcast media. If the breach
involves more than 500 residents of a particular state or jurisdiction,
notification will have to be made to prominent media outlets in that state or
This notification must be made within 60 days after discovery of the breach,
and must contain, among other things: (1) a description of the breach, including
its date, and the date of discovery; (2) steps affected individuals should take
to protect themselves from harm resulting from the breach; and (3) a brief
description of what the covered entity is doing to investigate the breach,
mitigate losses, and protect against future breaches.
Covered entities must also provide notice to HHS of all breaches. If a breach
involves 500 or more persons, notice to HHS must occur immediately. Covered
entities may maintain a log of breaches involving fewer than 500 individuals,
and submit that log to HHS every year.
Note that this notification process applies only to “unsecured protected
health information,” meaning PHI that is not encrypted or otherwise secured
through a technology that HHS has stated renders the protected health
information unusable, unreadable, or indecipherable to unauthorized individuals.
The HHS Secretary is required, within 60 days after enactment of the HITECH
Act, to issue specifications of the technologies that satisfy this requirement.
As such, if a health care provider or health plan implements an encryption
technology specified by HHS, the protected health information in question will
not be deemed “unsecured protected health information,” and none of the breach
notification provisions will apply to a breach involving such information. This
is a great incentive for health care providers and health plans to implement
those technologies that HHS prescribes.
“Business associates” must report any breaches to their covered entities,
including the identity of each individual whose unsecured protected health
information has been, or is reasonably believed to have been, accessed,
acquired, or disclosed during such breach.
The HITECH Act mandates that HHS promulgate interim final regulations to
implement all of the breach notification provisions within 180 days after
enactment of the HITECH Act. Those regulations will then become effective 30
days after their publication. Note, however, that these new notification
requirements will operate co-extensively with the existing matrix of state
notification laws already in place -- thus all health care businesses must know
which of the various notification laws/regulations will apply to them and under
what conditions they will be triggered.
III. PRIVACY PROVISIONS
A. “Minimum Necessary” Restrictions
HIPAA privacy regulations mandate that a covered entity that uses, discloses,
or requests protected health information must make reasonable efforts to limit
PHI to the minimum necessary to accomplish the intended purpose.
There is no current definition of the term “minimum necessary.” Per the
HITECH Act, a covered entity is deemed in compliance with this standard only if
the covered entity limits PHI to the “limited data set” as currently defined in
the HIPAA privacy regulations. A “limited data set” is information that excludes
names, postal address (other than city, state, and zip code), telephone and fax
numbers, e-mail address, social security and medical record numbers, and nine
In other words, the limited data set will now be a safe harbor of compliance
with the “minimum necessary” standard. If covered entities wish to use more than
the limited data set, they will have to be prepared to justify why their use of
the limited data set is not practicable.
HHS must publish guidance on what constitutes “minimum necessary” under the
privacy rules. On the date that such guidance is issued, the provisions noted
above designating the limited data set as a minimum necessary safe harbor no
IV. VENDORS OF PERSONAL HEALTH RECORDS
In addition to the new breach notification provisions noted above, the HITECH
Act expands breach notification requirements to include vendors of personal
health records and other non-covered entities and non-business associate
entities that handle personal health records. Thus, the new notification
requirements extend well beyond the scope of covered entities and their business
In addition, third party service providers that furnish services to such
vendors of personal health records or to the other entities in connection with
the offering or maintenance of a personal health record or related
products/services must now notify the vendor of a breach of security that
results from such services. This notification must identify each individual
whose unsecured identifiable health information has been or is reasonably
believed to have been accessed, acquired or disclosed due to such breach.
The specific breach notification requirements that apply to covered entities
and business associates are also applicable to notifications related to personal
health records. The Federal Trade Commission will have to promulgate interim
final regulations no later than August 16, 2009 to implement these provisions,
which will apply to breaches discovered on or after 30 days following the
Violations of the notification requirements applicable to vendors of personal
health records and the entities and third party service providers described
above will be treated as unfair and deceptive acts or practices in violation of
the Federal Trade Commission Act.
V. NEW ENFORCEMENT PROVISIONS
The HITECH Act substantially strengthens HIPAA’s enforcement provisions by:
(1) increasing civil monetary penalties (“CMPs”) and civil settlement amounts;
(2) instituting provisions on “willful neglect” violations; and (3) authorizing
state attorneys general to enforce HIPAA privacy and security violations.
A. CMP Modifications
The HITECH Act creates a tiered CMP matrix by which a CMP amount is linked to
a violator’s level of intent. If a violator “did not know (and by exercising
reasonable due diligence would not have known)” of the violation, then the range
of possible penalties starts at $100 per violation, but is not to exceed $25,000
for violations of the same requirement in a given calendar year. Violations due
to “reasonable cause” and not “willful neglect” have a CMP minimum of $1,000 per
violation, but no more than $50,000 for violations of the same requirement in a
given calendar year. In both cases, the total penalty (for multiple violations)
cannot exceed $1,500,000 for violations of the same requirement in a calendar
For violations committed with “willful neglect” the Act creates two
categories of CMP. If such a violation is corrected within 30 days of the date
the violator knew or should have known of the violation, the CMP ranges from a
minimum of $10,000 per violation (but no more than $250,000 for violations of
the same requirement in a calendar year) to a maximum of $50,000 per violation
(but no more than $1,500,000 for violations of the same requirement in a
calendar year). If the violation is not so corrected, the minimum penalty is
$50,000 per violation, with no maximum penalty.
B. Audit Authority
HHS is now authorized to audit covered entities and business associates to
ensure compliance with the privacy portion of the HITECH Act and the current
HIPAA privacy and security regulations. It remains unclear whether the Act
extends this audit authority to the security portion of the HITECH Act or any
HIPAA privacy and security rules that may be promulgated in the future.
The impact of the HITECH Act on covered entities is significant. First, they
must assess whether their uses, disclosures, and requests of PHI comply with the
new “minimum necessary” standards, given that a limited data set has been
defined as compliance with that standard.
Second, all business associate contracts must be amended to include the new
provisions now applicable to business associates.
For business associates the HITECH Act is even more far-reaching. They now
have direct exposure under HIPAA, and must directly comply with a maze of new
administrative, technical, physical, and policy-related security rules. For
many, this will mean implementation of new information security systems. It is
safe to say that the Act will necessitate thorough reviews of existing security
safeguards, policies, and procedures.
Business associates will also have to address extensive amendments to their
business associate agreements, and will have to consider how they will comply
with the many new privacy and security rules that now apply to them.
Finally, covered entities and business associates must keep in mind that they
face a much more aggressive HIPAA enforcement environment -- specifically,
increased penalties and reduced enforcement discretion to waive penalties.
The message is very clear -- data privacy and security considerations have
acquired an added priority at the federal level. Players in the health care
arena must know the new rules and play by them -- or face some very drastic
Supporting corporate IT’s compliance with data collection and privacy issues,
including compliance with the increasingly regulated privacy environment for
businesses that serve the health care sector, is one of the areas supported by
the McGuireWoods Outsourcing & Technology Transactions Practice, along with the
firm’s Health Care practice. Support for updates regarding developments as a
result of the stimulus legislation comes from the firm’s Stimulus Task Force.