Stimulus Legislation Expands Privacy Regulation for Health Care Businesses

February 26, 2009

Health care providers and any businesses that provide information technology services for them will be subject to much greater regulation of their information security practices as a result of a major component of the recent economic stimulus legislation. Known as the Health Information Technology for Economic and Clinical Health Act (or the “HITECH Act”), this portion of the federal economic stimulus package is the most expansive modification to the federal privacy and security rules for health-related businesses since the 1996 enactment of HIPAA.

This article focuses on the new privacy and security provisions of the HITECH Act and their impact on health care providers, health plans, and the IT and other technology service businesses that support them.


A. Security Considerations

One of the most far-reaching effects of the HITECH Act is its extension of HIPAA security and privacy rules to “business associates.” Until now, business associates were required (under their business associate agreements with covered entities) to implement administrative, physical and technical safeguards that “reasonably and appropriately” protect protected health information (“PHI”). Business associates were liable only for a breach of the security obligations arising under their agreements with covered entities, not for a violation of HIPAA itself.

The HITECH Act reverses this approach. Now, all of HIPAA’s administrative safeguards, physical safeguards, technical safeguards, and security policy, procedure, and documentation requirements will apply directly to all business associates. This means that the Department of Health and Human Services (“HHS”) (and now all state attorneys general) may impose fines on business associates that do not comply with these HIPAA standards, which, as noted below, are now being made much more specific.

B. Privacy Provisions

The HITECH Act also applies various privacy provisions to business associates. A business associate may use and disclose protected health information only if such use or disclosure is in compliance with all of its business associate agreement requirements. If a business associate uses or discloses protected health information in violation of its business associate agreement, it is not only liable to the covered entity, but also to HHS for the same incident.

In addition, business associates will now also have to take action if they know of a pattern of activity or practice of the business associate that constitutes a material breach or violation of a business associate agreement. If the business associate fails to take reasonable steps to cure the breach, terminate the agreement, or report the problem to HHS, then the business associate may be subject to HIPAA penalties, including the new CMP penalty tiers described below.


A. Technical Safeguards

The HITECH Act modifies HIPAA’s prior approach of not mandating specific technologies by now requiring HHS to issue annual guidance on the “most effective and appropriate technical safeguards for use in carrying out” the HIPAA security standards. While the HITECH Act does not expressly mandate that those technical safeguards are the only effective technical means of satisfying the HIPAA security safeguards, covered entities and business associates that choose not to follow the HHS guidance will have to justify any alternative choice of technical systems in the event of a subsequent mishap.

B. Breach Notification Provisions

HIPAA-covered entities will now also be required to provide specific notification to individuals if they discover a breach of unsecured protected health information. Written notification will have to be provided by first-class mail, and if the covered entity lacks sufficient contact information for 10 or more individuals, notification will also have to be made on the home page of the covered entity’s website, or in major print or broadcast media. If the breach involves more than 500 residents of a particular state or jurisdiction, notification will have to be made to prominent media outlets in that state or jurisdiction.

This notification must be made within 60 days after discovery of the breach, and must contain, among other things: (1) a description of the breach, including its date, and the date of discovery; (2) steps affected individuals should take to protect themselves from harm resulting from the breach; and (3) a brief description of what the covered entity is doing to investigate the breach, mitigate losses, and protect against future breaches.

Covered entities must also provide notice to HHS of all breaches. If a breach involves 500 or more persons, notice to HHS must occur immediately. Covered entities may maintain a log of breaches involving fewer than 500 individuals and submit that log to HHS every year.

Note that this notification process applies only to “unsecured protected health information,” meaning PHI that is not encrypted or otherwise secured through a technology that HHS has stated renders the protected health information unusable, unreadable, or indecipherable to unauthorized individuals. The HHS Secretary is required to issue, within 60 days after enactment of the HITECH Act, specifications of the technologies that satisfy this requirement.

Accordingly, if a health care provider or health plan implements an encryption technology specified by HHS, the protected health information in question will not be deemed “unsecured protected health information,” and none of the breach notification provisions will apply to a breach involving such information. This is a strong incentive for health care providers and health plans to implement the technologies that HHS prescribes.

“Business associates” must report any breaches to their covered entities, including the identity of each individual whose unsecured protected health information has been, or is reasonably believed to have been, accessed, acquired, or disclosed during such breach.

The HITECH Act mandates that HHS promulgate interim final regulations to implement all of the breach notification provisions within 180 days after enactment of the HITECH Act. Those regulations will then become effective 30 days after their publication. Note, however, that these new notification requirements will operate co-extensively with the existing matrix of state notification laws already in place; all health care businesses must therefore know which of the various notification laws and regulations apply to them and under what conditions they are triggered.


A. “Minimum Necessary” Restrictions

HIPAA privacy regulations mandate that a covered entity that uses, discloses, or requests protected health information must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose.

There is no current definition of the term “minimum necessary.” Per the HITECH Act, a covered entity is deemed in compliance with this standard only if the covered entity limits PHI to the “limited data set” as currently defined in the HIPAA privacy regulations. A “limited data set” is information that excludes names, postal address (other than city, state, and zip code), telephone and fax numbers, e-mail address, social security and medical record numbers, and nine other identifiers.

In other words, the limited data set will now be a safe harbor for compliance with the “minimum necessary” standard. If covered entities wish to use more than the limited data set, they will have to be prepared to justify why use of the limited data set is not practicable.

HHS must publish guidance on what constitutes “minimum necessary” under the privacy rules. On the date that such guidance is issued, the provisions noted above designating the limited data set as a minimum necessary safe harbor no longer apply.


In addition to the new breach notification provisions noted above, the HITECH Act expands breach notification requirements to include vendors of personal health records and other non-covered entities and non-business associate entities that handle personal health records. Thus, the new notification requirements extend well beyond the scope of covered entities and their business associates.

In addition, third-party service providers that furnish services to such vendors of personal health records, or to the other entities described above, in connection with the offering or maintenance of a personal health record or related products or services must now notify the vendor of a breach of security that results from such services. This notification must identify each individual whose unsecured identifiable health information has been, or is reasonably believed to have been, accessed, acquired or disclosed due to such breach.

The specific breach notification requirements that apply to covered entities and business associates are also applicable to notifications related to personal health records. The Federal Trade Commission will have to promulgate interim final regulations no later than August 16, 2009 to implement these provisions, which will apply to breaches discovered on or after 30 days following the regulations’ promulgation.

Violations of the notification requirements applicable to vendors of personal health records and to the entities and third-party service providers described above will be treated as unfair and deceptive acts or practices in violation of the Federal Trade Commission Act.


The HITECH Act substantially strengthens HIPAA’s enforcement provisions by: (1) increasing civil monetary penalties (“CMPs”) and civil settlement amounts; (2) instituting provisions on “willful neglect” violations; and (3) authorizing state attorneys general to enforce HIPAA privacy and security violations.

A. CMP Modifications

The HITECH Act creates a tiered CMP matrix by which a CMP amount is linked to a violator’s level of intent. If a violator “did not know (and by exercising reasonable due diligence would not have known)” of the violation, then the range of possible penalties starts at $100 per violation, but is not to exceed $25,000 for violations of the same requirement in a given calendar year. Violations due to “reasonable cause” and not “willful neglect” have a CMP minimum of $1,000 per violation, but no more than $50,000 for violations of the same requirement in a given calendar year. In both cases, the total penalty (for multiple violations) cannot exceed $1,500,000 for violations of the same requirement in a calendar year.

For violations committed with “willful neglect,” the Act creates two categories of CMP. If such a violation is corrected within 30 days of the date the violator knew or should have known of the violation, the CMP ranges from a minimum of $10,000 per violation (but no more than $250,000 for violations of the same requirement in a calendar year) to a maximum of $50,000 per violation (but no more than $1,500,000 for violations of the same requirement in a calendar year). If the violation is not so corrected, the minimum penalty is $50,000 per violation, with no maximum.

B. Audit Authority

HHS is now authorized to audit covered entities and business associates to ensure compliance with the privacy portion of the HITECH Act and the current HIPAA privacy and security regulations. It remains unclear whether the Act extends this audit authority to the security portion of the HITECH Act or any HIPAA privacy and security rules that may be promulgated in the future.


The impact of the HITECH Act on covered entities is significant. First, they must assess whether their uses, disclosures, and requests of PHI comply with the new “minimum necessary” standard, given that use of a limited data set is now deemed compliance with that standard.

Second, all business associate contracts must be amended to include the new provisions now applicable to business associates.

For business associates the HITECH Act is even more far-reaching. They now have direct exposure under HIPAA, and must directly comply with a maze of new administrative, technical, physical, and policy-related security rules. For many, this will mean implementation of new information security systems. It is safe to say that the Act will necessitate thorough reviews of existing security safeguards, policies, and procedures.

Business associates will also have to address extensive amendments to their business associate agreements, and will have to consider how they will comply with the many new privacy and security rules that now apply to them.

Finally, covered entities and business associates must keep in mind that they face a much more aggressive HIPAA enforcement environment: specifically, increased penalties and reduced enforcement discretion to waive penalties.

The message is very clear: data privacy and security considerations have acquired an added priority at the federal level. Players in the health care arena must know the new rules and play by them, or face some very drastic consequences.

Supporting corporate IT’s compliance with data collection and privacy issues, including compliance with the increasingly regulated privacy environment for businesses that serve the health care sector, is one of the areas supported by the McGuireWoods Outsourcing & Technology Transactions Practice, along with the firm’s Health Care practice. Support for updates regarding developments as a result of the stimulus legislation comes from the firm’s Stimulus Task Force.