President Obama signed into law the American Recovery and Reinvestment Act of 2009 (H.R. 1) on February 17, 2009. The health information provisions of the Recovery Act (Title XIII, the HITECH Act) make significant changes for HIPAA covered entities, for their business associates, and for other organizations that handle health information on their behalf. A portion of the Recovery Act sets the goal of computerizing all health records by the year 2014, and privacy advocates lobbied for more stringent privacy and security measures to protect that data. The result is a set of new regulatory requirements that are now on the horizon.
The new law expands the reach of several provisions of the Privacy and Security Rules to cover business associates, making them directly responsible for complying with certain HIPAA provisions. Additionally, covered entities and business associates will soon have to follow strict notification requirements when there is an unauthorized acquisition, access, use, or disclosure of unsecured protected health information. The new law contains more restrictions on the disclosure of PHI and bans the sale of PHI except under limited circumstances. It also contains new accounting requirements for disclosures made through electronic health records. Finally, the new law increases penalties for violations of the Privacy and Security Rules for both covered entities and business associates.
Summary of HIPAA Changes Under the Stimulus Bill
(1) Security Rule Provisions now apply to Business Associates
Several provisions of the HIPAA Security Rule now apply to business associates of covered entities in the same manner that those provisions apply to covered entities. Business associates are organizations that provide services to ambulance service providers and have access to protected health information (“PHI”) in doing so. Business associates include compliance auditors, consultants, accounting services, and third party billing services. The new law applies four sections of the Security Rule to business associates (45 C.F.R. §§164.308, 164.310, 164.312, and 164.316). So, business associates now have a direct duty under HIPAA to protect the confidentiality, integrity, and availability of all electronic protected health information (“ePHI”) that they create, receive, maintain, or transmit in performing functions for covered entities. Generally, business associates will now have to:
- Establish administrative safeguards to protect ePHI (45 CFR §164.308);
- Implement physical safeguards to limit physical access to ePHI (45 CFR §164.310);
- Implement technical safeguards for electronic information systems that control access to ePHI (45 CFR §164.312); and
- Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the HIPAA Security Rule and maintain proper documentation (45 CFR §164.316).
Business associates may already have these safeguards in place because their business associate agreements require them. However, the obligation is now statutory rather than merely contractual, so business associates should ensure that they have a formal, documented compliance program (risk analysis, policies and procedures, workforce training, and documentation retention) consistent with the requirements of this new law.
(2) Privacy Rule Contract Provisions now apply to Business Associates
Business associates that are contracted with covered entities to perform services on their behalf are now directly covered under provisions of the Privacy Rule relating to contractual arrangements between covered entities and business associates.
Business associates who obtain or create PHI pursuant to a contract (or other written agreement) now have a legal duty to ensure that they use or disclose PHI only in accordance with 45 CFR §164.504(e). Section 164.504(e) lays out the terms that must be in a contract between a covered entity and a business associate to ensure that information is used only for authorized purposes. Generally, the provision states that contracts between business associates and covered entities must establish the permitted and required uses and disclosures of PHI and must provide that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law. The new law makes it clear that a business associate's use or disclosure of PHI in violation of these requirements (which should be spelled out in every agreement with a covered entity) is itself a HIPAA violation, not merely a breach of contract.
Secondly, the law states that business associates are now in violation of HIPAA if they know of a pattern of activity or practice of the covered entity that constitutes a material breach of the covered entity’s obligation under the contract (or other arrangement) and fail to act. Under the current rule, only the covered entity is charged with the duty to police the business associate’s compliance with the contract between them (45 CFR §164.504(e)(1)(ii)). Now the duty runs in both directions: if a business associate knows that a covered entity is violating its duties under the contract, the business associate must take reasonable steps to cure the breach or end the violation and, if that is unsuccessful, terminate the contract if feasible.
(3) New Requirements for Business Associate Agreements
Any additional privacy and security requirements of the bill that are made applicable to covered entities must also be incorporated into the business associate agreements between the business associate and the covered entity. Existing agreements should therefore be reviewed and amended rather than left as they were drafted under the original Privacy and Security Rules.
(4) Notification Requirement for Covered Entities and Business Associates
Covered entities and business associates that hold, use, or disclose “unsecured PHI” now have a legal duty to notify certain parties in the event of a “breach.” Currently, a covered entity is not required to notify individuals of privacy or security breaches unless the covered entity determines that such notification is necessary to mitigate harm to the individual.
A breach is the unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of the PHI (with an exception where the unauthorized recipient would not reasonably have been able to retain the information). Unsecured protected health information is PHI that is not secured through the use of a technology or methodology specified by the Secretary of the Department of Health and Human Services (“HHS”); in practice, this means unencrypted PHI and PHI that has not been properly destroyed. If a breach occurs, a covered entity must notify each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed. Business associates of covered entities must, after discovery of a breach, notify the covered entity of the breach and identify each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed. A breach is considered to be “discovered” as of the first day on which the breach is known to the entity, or by exercising reasonable diligence would have been known to the entity. Generally, written notice describing the breach must be made “without unreasonable delay” and in no case later than 60 calendar days after discovery of the breach. Note that the 60 days is an outer limit, not a safe harbor: an entity that sits on a known breach for 59 days without good reason has still delayed unreasonably.
If the breach involves 500 or more individuals, notice of the breach must be provided to HHS immediately, and HHS will post information relating to the breach on its website. Additionally, notice must be provided to prominent media outlets serving a state or jurisdiction if the breach involves the unsecured PHI of more than 500 residents of that state or jurisdiction. If the breach involves fewer than 500 individuals, a covered entity may instead maintain a log of the breach and annually submit to HHS a log of the breaches that occurred during the calendar year.
HHS has been instructed to issue interim final regulations regarding “breaches” within 180 days of the enactment of the stimulus bill. The notification requirements apply to any breach discovered on or after the date that is 30 days after the publication of those regulations. The Secretary is also required to issue guidance specifying the technologies and methodologies that render PHI “unusable, unreadable, or indecipherable to unauthorized individuals.” PHI protected by those methods is “secured,” and a breach of it does not trigger the notification duty, which is the practical reason for entities to encrypt ePHI at rest and in transit now rather than after the first incident.
(5) Notification Requirement for Vendors of Personal Health Records and Other Non-HIPAA Covered Entities
Under the new law, vendors of personal health records (“PHRs”) and other entities that access or offer personal health records (and that are not covered entities or business associates) must notify certain individuals in the event of a breach. Following the discovery of a breach of security, the entity must notify each individual who is a citizen or resident of the United States whose unsecured PHR identifiable health information was acquired by an unauthorized person as a result of the breach. Additionally, the entity must notify the Federal Trade Commission of the breach.
Any third party service provider that provides services to a PHR vendor or other such entity in connection with offering or maintaining a personal health record must notify the vendor or entity of the breach. The notice must identify each individual whose unsecured information has been, or is reasonably believed to have been, accessed, acquired, or disclosed during the breach.
A violation of this notification requirement will be treated as an unfair and deceptive act or practice in violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)). The Federal Trade Commission must promulgate interim final regulations within 180 days of the bill’s enactment.
(6) Guidance from HHS
The Secretary of HHS must, in consultation with industry stakeholders, issue annual guidance on the most effective and appropriate technical safeguards for carrying out the security standards in the HIPAA Security Rule. Additionally, within 6 months of the enactment of the stimulus bill, HHS must designate an individual in each regional office to offer guidance and education to covered entities, business associates, and individuals on their rights and responsibilities under the federal privacy and security rules. The Office for Civil Rights within HHS must also develop a national education initiative to enhance public transparency regarding the uses of PHI and programs to educate individuals about the potential uses of their PHI.
(7) Civil and Criminal Penalties apply to Business Associates
Under the stimulus bill, if a business associate violates any security or privacy provision to which it is subject, the business associate is directly subject to the same civil and criminal penalties under HIPAA that apply to covered entities. Previously, a business associate’s exposure for such a violation was limited to the contractual remedies in its business associate agreement.
(8) New Restrictions on Disclosures of PHI at Patients’ Requests
A section of the legislation now requires a covered entity to comply with a patient’s request not to disclose PHI under certain circumstances. Under 45 CFR 164.522(a)(1)(i)(A), a patient is permitted to request a restriction on the use and disclosure of his or her PHI. However, a covered entity is not currently required to agree to the restriction when the information is used for treatment, payment, or healthcare operations purposes. The new law states that the covered entity must comply with a patient-requested restriction when the disclosure would be to a health plan for payment or healthcare operations purposes and the PHI pertains solely to an item or service for which the healthcare provider has been paid out of pocket in full. But note: the entity still does not have to comply with the restriction when the disclosure is for treatment purposes.
(9) New Minimum Necessary Standard Coming Soon
Under HIPAA, the general rule is that when covered entities use or disclose PHI for any purpose other than treatment (and a few other exempt purposes), they must limit the PHI to the “minimum necessary” to accomplish the purpose of the use or disclosure. The new law requires HHS to issue guidance on what constitutes “minimum necessary” under HIPAA within 18 months of the enactment of the stimulus bill.
Until HHS issues that guidance, the law states that a covered entity will be in compliance with the “minimum necessary” requirement if it limits PHI, to the extent practicable, to a limited data set. A “limited data set” is PHI from which the direct identifiers listed in 45 CFR §164.514(e)(2) have been removed, such as names; postal address information other than town or city, state, and zip code; telephone numbers; and so on. If it is not practicable to limit the disclosure to a limited data set, then the covered entity must apply the minimum necessary standard, and the covered entity or business associate making the disclosure is the one that must determine what constitutes the minimum necessary to accomplish the intended purpose. This determination will eventually be directed by the guidance issued by HHS. The current exceptions to the minimum necessary requirement still apply, and this new law does not affect the use of de-identified information.
(10) New Accounting Standards for PHI Disclosures from an Electronic Health Record
The stimulus bill states that if a covered entity uses or maintains an electronic health record (“EHR”), an individual will have the right to receive an accounting of the disclosures of PHI made through the EHR during the three years prior to the date of the request. Currently, patients have the right to receive an “accounting” of certain disclosures of PHI for the six years prior to the date of the accounting request. However, covered entities are not currently required to account for disclosures made for treatment, payment, or healthcare operations purposes. The new law requires a covered entity or business associate to account for disclosures from an EHR including those made for treatment, payment, or healthcare operations. This means the EHR itself must reliably log who disclosed what, to whom, and when, since a three-year accounting cannot be reconstructed after the fact.
An electronic health record is defined as an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff. HHS has been instructed to promulgate regulations on what disclosures must be included in an accounting of EHR disclosures and what information must be collected about each disclosure. The regulations must take into account the interests of patients as well as the administrative cost and burden of accounting for such disclosures. A covered entity will be able to impose a reasonable fee on an individual for an accounting from an EHR. For covered entities that had an EHR as of January 1, 2009, this new requirement will apply to disclosures made on or after January 1, 2014. For covered entities that acquire an EHR after January 1, 2009, it applies to disclosures made on or after the later of January 1, 2011 or the date the EHR is acquired. The Secretary may set a later effective date if necessary, but not later than 2016 for existing EHRs or 2013 for newly acquired ones.
(11) Changes in Definition of Healthcare Operations
The stimulus bill requires HHS to review and evaluate the definition of healthcare operations under 45 CFR § 164.501 and, to the extent appropriate, issue regulations to eliminate from the definition any “activities that can reasonably and efficiently be conducted through the use of information that is de-identified information” or that should require a valid authorization from the individual. The practical effect is that activities currently done with identifiable PHI under the healthcare operations umbrella (which requires neither de-identification nor authorization) may be removed from that umbrella, so that they must instead be performed with de-identified data or with the patient’s authorization. HHS has the ability to narrow or clarify what activities will qualify as healthcare operations. This review should be completed within 18 months of the enactment of the bill.
(12) Prohibition on the Sale of PHI
The law also prohibits a covered entity or business associate from directly or indirectly receiving any remuneration in exchange for an individual's PHI unless the covered entity or business associate obtains a valid authorization from the individual that specifies whether the PHI may be further exchanged for remuneration by the recipient. There are several exceptions to this rule, such as: public health activities; research (where the price charged reflects the cost of preparing and transmitting the data); treatment of the individual; activities related to the sale, transfer, merger, or consolidation of the entity; payment by a covered entity to a business associate for activities covered by the business associate agreement; and authorized charges for providing a copy of the PHI to the individual. HHS is authorized to create additional exceptions and must issue regulations related to this prohibition within 18 months of the enactment of the stimulus package.
(13) Individual Access to Electronic Health Records
The legislation states that if a covered entity uses or maintains an electronic health record containing an individual’s PHI, the individual has a right to obtain a copy of that information in electronic format and to direct the covered entity to transmit the copy to a person or entity the individual designates. Any fee imposed for providing the electronic copy may not be greater than the covered entity’s labor cost in responding to the request.
(14) Restrictions on Marketing of PHI
The new law contains stricter limits on the use of PHI for marketing. Generally, a communication by a covered entity or business associate that is about a product or service and that encourages recipients of the communication to purchase or use the product or service is not considered to be a healthcare operation (and therefore requires the individual’s authorization) unless it falls within the existing exceptions in the definition of “marketing” in 45 CFR §164.501. Even within those exceptions, a communication for which the covered entity receives direct or indirect payment is not treated as a healthcare operation unless:
- the communication describes only a health care item or service that has previously been prescribed for, or administered to, the recipient of the communication (or a family member of the recipient); the communication is made by the covered entity; and the covered entity making the communication obtains a valid authorization from the recipient; or
- the communication is made by a business associate on behalf of the covered entity; the communication is consistent with the written contract between the business associate and the covered entity; and the business associate making the communication, or the covered entity on whose behalf it is made, obtains a valid authorization from the recipient.
(15) Business Associate Agreements Required for All Entities that Provide Transmission of PHI to Covered Entities and Business Associates
Under the stimulus bill, any organization that provides data transmission of protected health information to a covered entity or its business associate and that requires routine access to that PHI, and any vendor that contracts with a covered entity to allow the covered entity to offer a personal health record to patients as part of its electronic health record, is treated as a business associate and must enter into a written contract (or other written arrangement) with the covered entity or business associate. That contract must meet all HIPAA requirements for business associate agreements. Covered entities are already required to have such contracts, and business associates are now required to do so under the new law. The law therefore creates a direct legal duty for organizations such as health information exchange organizations, regional health information organizations, e-prescribing gateways, and other vendors to enter into agreements to protect PHI.
(16) Clarification of Application of Penalties for Wrongful Disclosures
The new bill makes it clear that obtaining or disclosing PHI “without authorization” is also an offense for which criminal penalties may be imposed. Section 1177 of the Social Security Act defines the offense of “wrongful disclosure of individually identifiable health information.” Currently, a person who knowingly and in violation of HIPAA (1) uses or causes to be used a unique health identifier, (2) obtains individually identifiable health information relating to an individual, or (3) discloses individually identifiable health information to another person may be punished with a fine and imprisonment. The new bill amends the provision by adding that “a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity . . . and the individual obtained or disclosed such information without authorization.” This closes the argument, raised in earlier prosecutions, that an employee of a covered entity who snoops in patient records cannot be charged because the employee personally is not a covered entity.
(17) Improved Enforcement
The stimulus bill clarifies and increases enforcement and penalties related to the Privacy and Security Rules. The bill:
- Clarifies that, in addition to the covered entity itself, employees or other individuals are subject to criminal penalties;
- Requires HHS to formally investigate any complaint where a preliminary investigation indicates a possible violation due to “willful neglect” and to impose civil penalties for violations due to willful neglect;
- Requires that any civil monetary penalty (CMP) or settlement amount collected as a result of a privacy or security rule violation be transferred to the Office for Civil Rights to be used for enforcement of the HIPAA privacy and security rules;
- Requires the Secretary to establish, within three years, a methodology to distribute a percentage of the CMPs collected to individuals harmed by the violation;
- Establishes a tiered system of civil monetary penalties based on the violator’s culpability, ranging from $100 per violation (capped at $25,000 per calendar year for violations of an identical requirement) where the person did not know and could not reasonably have known of the violation, up to $50,000 per violation (capped at $1,500,000 per calendar year) for violations due to willful neglect that are not corrected. The Secretary retains discretion to determine the amount of a penalty within those ranges;
- Requires the Secretary to conduct periodic audits to ensure covered entity and business associate compliance with the privacy and security rules; and
- Gives state attorneys general the authority to bring suit in federal district court, on behalf of state residents, against any person violating the rules, in order to enjoin further violations or to obtain damages on behalf of those residents. Statutory damages are determined by multiplying the number of violations by up to $100, not to exceed $25,000 in a calendar year for violations of an identical requirement or prohibition. In addition, the court may award attorney fees to the state. The Secretary has the right to intervene in such actions.
The periodic audits are a notable change: under the original rules, enforcement was driven almost entirely by complaints, whereas the stimulus bill directs HHS to proactively examine whether covered entities and business associates subject to the bill and to HIPAA are actually complying with those requirements.