Federal Stimulus Bill Significantly Expands the Scope of HIPAA’s Privacy and Security Requirements

February 23, 2009

On February 17, 2009, President Barack Obama signed the American Recovery and Reinvestment Act of 2009 (the “ARRA”), commonly referred to as the federal stimulus bill. The ARRA contains several provisions — intended to promote the use of health information technology — that would significantly expand the scope of the privacy and security requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). These changes, summarized below, include:

  1. Direct, statutory liability for business associates for violations of HIPAA’s privacy and security requirements;
  2. New notification obligations for covered entities, business associates and other organizations in case of breach of personal health information (PHI) or personal health records (PHR) use and disclosure requirements;
  3. Additional rights for individuals regarding their PHI, particularly PHI contained in electronic health records;
  4. Additional restrictions on certain disclosures by covered entities and business associates;
  5. Increased civil penalties and expanded criminal liability for violations;
  6. Mandatory compliance audits by the Department of Health and Human Services (the “Department”);
  7. An expansion of entities required to have business associate agreements; and
  8. Additional restrictions on marketing communications.

Direct, Statutory Liability for Business Associates

Effective February 17, 2010, business associates will be statutorily liable for the use or disclosure of PHI that does not conform to the standards that HIPAA sets forth for business associate agreements. Currently, business associates are only liable to covered entities for such violations as a breach of their business associate agreements. Additionally, business associates will be statutorily liable if they have knowledge of a covered entity’s pattern, activity or practice that materially breaches the business associate agreement and such breach remains uncured, the business associate does not terminate its contract with the covered entity, and the business associate fails to report the uncured breach to the Department. Finally, business associates will be required to comply directly with HIPAA’s security provisions. For example, business associates will be required, effective February 17, 2010, to appoint a security official and conduct staff training on HIPAA compliance.

Consequently, business associates should carefully review their business associate agreements and practices to determine whether they comply with HIPAA’s privacy and security requirements. Some business associates may already comply with many of these provisions as a consequence of their efforts to meet their existing contractual obligations. To the extent that current practices are inadequate to ensure compliance, business associates will need to implement new policies and practices.

New Notification Obligations in Case of Breach of PHI or PHR

The ARRA creates significant new notification obligations for covered entities, business associates, PHR vendors and entities, and third-party service providers that provide services to PHR vendors and entities. The Department and the Federal Trade Commission (FTC) are required to promulgate interim final regulations implementing the following notification requirements by August 16, 2009.

Covered Entities. When a covered entity discovers a breach of unsecured PHI, the covered entity will be required to notify each individual whose PHI has been — or is reasonably believed to have been — accessed, acquired or disclosed as a result of such breach. Further, if more than 500 individuals are affected by the breach, the covered entity will be required to notify the Department as well as prominent media outlets serving the state or jurisdiction in which the affected individuals reside. Covered entities will be required to maintain and submit annually to the Secretary of the Department (the “Secretary”) a log of all breaches.

Business Associates. When a breach of unsecured PHI occurs under the control of a business associate, the business associate will be required to notify the covered entity.

PHR Vendors and Entities. When a PHR vendor or entity discovers a breach of security of PHR, the PHR vendor or entity will be required to notify the affected individual of the breach as well as the FTC.

Third-Party Service Providers. Third-party service providers that provide services to PHR vendors or entities offering products and services through a website will be required to notify the PHR vendor or entity upon discovering any breach of security of PHR health information.

Additional Rights for Individuals Regarding Their PHI

The ARRA expands individual rights with respect to PHI in a number of ways.

Right to Electronic Copy. Effective February 17, 2010, individuals will have the right to receive an electronic copy of their PHI if the PHI is maintained in an electronic health record. The individual will also be able to designate that the PHI be sent to another entity or person. Any fee charged by the covered entity for providing the PHI must be reasonable and based on the covered entity’s costs.

Right to Require Non-Disclosure for Out-of-Pocket Services. Effective February 17, 2010, health care providers will be required to comply with an individual’s request that PHI regarding a specific health care item or service not be disclosed to a health plan for purposes of payment or health care operations if the individual paid out-of-pocket, in full, for that item or service.

Right to Receive an Accounting of PHI Disclosures. Individuals will have the right to receive an accounting of PHI disclosures made by covered entities or their business associates for treatment, payment and health care operations during the previous three years if the disclosures were made through an electronic health record. (Currently, individuals have a right to obtain an accounting of disclosures of their PHI by a covered entity during the previous six years, except for disclosures made to carry out treatment, payment or health care operations.) The Secretary will promulgate regulations regarding what information must be collected about each disclosure. For current users of electronic health records, the accounting requirements will apply to disclosures made on or after January 1, 2014. For covered entities that have not yet acquired electronic health records, the accounting requirements will apply to disclosures on or after January 1, 2011, or the date on which the covered entity acquired electronic health records, whichever is later.

Additional Restrictions on Certain Disclosures

In addition to the individual rights discussed above, the ARRA places new restrictions on disclosures of PHI by covered entities and business associates.

Minimum Necessary Requirement. Under current law, a covered entity must generally make reasonable efforts to limit disclosure of PHI to the “minimum necessary” to accomplish the intended purposes or use of the disclosure. The ARRA requires the Secretary to issue guidance as to what constitutes “minimum necessary” by July 17, 2010. Until the effective date of such guidance (which is to be determined), the ARRA requires covered entities to limit the use, disclosure or request of PHI, to the extent practicable, to either (i) a “limited data set” or (ii) if needed by such entity, to the “minimum necessary” to accomplish the intended purpose of such use, disclosure or request. (The “limited data set” standard is the standard currently applied to a certain subset of purposes — such as research purposes — pursuant to a data use agreement with the recipient. Limited data sets have most direct identifiers removed and are considered by the Department to pose a low privacy risk.) The limited data set requirement will sunset on the effective date of the Secretary’s guidance regarding what constitutes the “minimum necessary”.

Prohibition on Sale of PHI without Authorization. Covered entities and business associates will be prohibited from selling PHI without the individual’s authorization, except in certain specified circumstances that include (1) recoupment of the costs of preparing and transmitting data for public health or research activities and (2) provision of an individual with a copy of his or her PHI. The Secretary is required to promulgate regulations implementing this prohibition by July 17, 2010, and the regulations will be effective six months after they are promulgated.

Increased Civil Penalties and Expanded Criminal Liability for Violations

The ARRA significantly increases civil monetary penalties for HIPAA violations. Effective immediately, the maximum civil penalty for all violations of an identical requirement or prohibition during a calendar year will increase from $25,000 to $1,500,000. The ARRA increases civil monetary penalties in tiers depending on whether the violation was committed unknowingly, or due to reasonable cause or willful neglect. Further, the ARRA clarifies that criminal liability for wrongful disclosure of PHI extends to any individual who, without authorization, obtains or discloses PHI maintained by a covered entity. Currently, it is the policy of the Department of Justice to prosecute only covered entities for such disclosure. State Attorneys General are also authorized to bring civil action in Federal district court against individuals who violate the HIPAA rules. The Secretary has the right to intervene in such actions.

Mandatory Compliance Audits by the Department

Effective February 17, 2010, the Secretary will be required to perform periodic compliance audits of covered entities and business associates. Currently, the Secretary is authorized, but not required, to perform such audits.

Expansion of Entities Required to Have Business Associate Agreements

Effective February 17, 2010, organizations that contract with covered entities for the purpose of exchanging electronic health information — including health information exchanges, regional health information organizations, and PHR vendors that offer their products through or for a provider or health plan — will be required to have business associate contracts in place with those covered entities. Current law does not explicitly include or exclude these organizations from HIPAA’s privacy requirements.

Additional Restrictions on Certain “Marketing” Communications if Remuneration Received

Under current law, a covered entity or business associate can provide communications that might otherwise be considered marketing without individual authorization if the communication is made (1) to describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication, or (2) for treatment of the individual, or (3) for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual.

Effective February 17, 2010, the ARRA will place additional, significant restrictions on the three categories of communication identified above if the covered entity receives direct or indirect remuneration from a third party. Specifically, the ARRA prohibits these communications where the covered entity receives remuneration except if (1) the marketing communication describes only a drug or biologic that is currently being prescribed for the recipient of the communication and any payment received by the covered entity is reasonable, or (2) the communication is made by the covered entity with the authorization of the recipient, or (3) the communication is made by a business associate on behalf of the covered entity and the communication is consistent with the written contract between the business associate and the covered entity.

For more information about these changes, or for guidance to help ensure compliance, please contact us.