
Significant HIPAA Modifications in the
American Recovery and Reinvestment Act of 2009
February 24, 2009
Tucked away in the American Recovery and Reinvestment Act of 2009 (the “Act,” commonly referred to as the “Stimulus Bill”) are significant changes to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Given the magnitude of these changes, they moved through Congress with surprisingly little public attention.
Among the most dramatic changes is that the Act expands the universe of organizations to which HIPAA applies directly. Business associates, vendors of personal health records, and organizations that transmit protected health information (“PHI”) are now directly liable for HIPAA violations and subject to HIPAA’s civil and criminal penalties almost to the same extent as covered entities. The Act also contains a wide range of new provisions, including requirements for notifying individuals of security breaches, the elimination of certain exceptions from the accounting of disclosures requirement, and required revisions to business associate agreements. In terms of enforcement, Congress has increased the maximum civil monetary penalty for violations of HIPAA from $25,000 to $1,500,000 per year and has given state attorneys general and federal agencies additional enforcement power.
Businesses operating in the health care industry, including those not previously subject to HIPAA, now need to be much more aware of HIPAA and these amendments, and may need to reconsider how HIPAA affects their organization. While we are unable to address every provision of the Act here, we have summarized below many of the most important developments.
Extension of Certain Security and Privacy Provisions to Business Associates
Business associates are greatly impacted by the Act. Congress has determined that certain security and privacy regulations will now apply directly to business associates in the same manner as they currently apply to covered entities. As a result, a violation of HIPAA will subject business associates to civil and criminal penalties.
Business associates likely will have to be much more proactive in protecting PHI than they have been under the terms of their current business associate agreements. For example, under the HIPAA security provisions, business associates will now have to comply directly with the regulations governing the physical and technical safeguarding of PHI, such as restricting access to computers through individual user accounts and passwords and encrypting e-mails that contain PHI.
Likewise, HIPAA’s privacy provisions will hold business associates directly responsible for handling any PHI that they create or receive in accordance with its provisions. Business associates must develop written policies and procedures relating to the implementation of privacy and security safeguards and must train their staff to protect PHI. The burden will now fall on business associates to ensure that they maintain business associate agreements and abide by HIPAA’s requirements for these agreements.
The Act expressly requires that the new security and privacy obligations of business associates be incorporated into their business associate agreements with covered entities, so all existing business associate agreements will need to be revised.
New Business Associates
Congress also has expanded the universe of entities subject to HIPAA. Organizations that provide data transmission of PHI to a covered entity and require routine access to that PHI (such as health information exchange organizations and e-prescribing gateways), and vendors that contract with a covered entity to offer personal health records to its patients, must now enter into business associate agreements and are treated as business associates of the covered entity.
Breach Notification Requirements
The Act creates a new obligation under HIPAA to notify individuals of a security breach. “Breach” is a newly defined term meaning “the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information,” except where the unauthorized recipient would not reasonably have been able to retain the information. If there is a breach of “unsecured protected health information” (another newly defined term, described below), the covered entity must notify each affected individual without unreasonable delay and in no case later than 60 calendar days after the breach is discovered. A business associate that discovers a breach must notify the covered entity. There are also exceptions for certain unintentional, good-faith acquisitions or uses of PHI by workforce members acting within the scope of their duties and for certain inadvertent disclosures among persons authorized to access the PHI.
When notification is required, the Act sets out specific requirements for how it is made, depending on the number of individuals affected. Individuals are notified in writing by first-class mail, or by e-mail if the individual has agreed to electronic notice. For breaches involving more than 500 residents of a state or jurisdiction, the Act additionally requires notice to prominent media outlets serving that area. Notice to the Secretary of the Department of Health and Human Services (“Secretary”) is also required: immediately for breaches involving 500 or more individuals, and otherwise through an annual log of breaches. Vendors of personal health records and related entities that are not covered entities or business associates have a parallel obligation to notify the Federal Trade Commission.
The Secretary is directed to issue guidance on the term “unsecured protected health information” within 60 days of enactment; absent such guidance, the term means PHI that is “not secured by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization . . . .” The practical consequence is that PHI protected under such a standard, for example by encryption, falls outside the notification requirement, while PHI in any other form triggers it. Although the Act focuses primarily on security breaches of electronic information, the definition is drafted broadly enough to encompass breaches of non-electronic PHI, such as paper records.
Accounting of Disclosures
Previously, a covered entity or business associate was not required to account for disclosures of PHI made for certain purposes, including treatment, payment, and health care operations. Under the Act, covered entities and business associates that use an electronic health record (“EHR”) lose this exception for disclosures made through the EHR and must be able to account for such disclosures over the three years preceding an individual’s request. The effective date for this change depends on when the covered entity or business associate acquired its EHR, but in no event will it be earlier than January 1, 2011.
Increased Civil Monetary Penalties
Violations of HIPAA can now be quite costly. The maximum civil monetary penalty for violations of an identical HIPAA provision within a calendar year has been increased from $25,000 to $1,500,000. Penalties are now tiered and increase with the violator’s level of culpability, from violations the person did not know of (and with reasonable diligence would not have known of), through violations due to reasonable cause, to violations due to willful neglect. The increased penalties apply to penalties imposed on or after the date of enactment, so organizations and individuals already subject to HIPAA face the higher exposure immediately, and those newly brought within HIPAA’s direct reach will face it once the provisions applying to them take effect.
Enforcement
The Act creates a markedly stronger enforcement scheme for HIPAA. The Office for Civil Rights in the Department of Health and Human Services may investigate and impose civil monetary penalties for a violation even where the Department of Justice has declined to prosecute it criminally. State attorneys general are now authorized to bring civil actions in federal court on behalf of residents of their states for HIPAA violations, after giving prior notice to the Secretary, who may intervene; a state may not bring such an action while a federal action on the same violation is pending. To give the enforcement scheme more teeth, a court may award a successful state attorney general the costs of the action and reasonable attorney fees.
The Act also requires the Secretary to issue regulations within three years of enactment under which individuals harmed by a HIPAA violation may receive a percentage of any civil monetary penalty or settlement collected for the violation. This monetary incentive could significantly increase the number of HIPAA complaints brought by individuals.
Conclusion
This alert provides only a summary of the Act, and the full text is available at: http://frwebgate.access.gpo.gov/cgi-in/getdoc.cgi?dbname=111_cong_bills&docid=f:h1enr.pdf. The provisions discussed in this alert can be found on pages 144 to 165. Davis Graham & Stubbs’ Health Care Practice Group is monitoring the regulatory developments identified in the Act, and will provide future updates as appropriate.
The Davis Graham & Stubbs Health Care Practice Group works extensively with Covered Entities and Business Associates and would be happy to consult with you on your needs in this changing regulatory environment. If you would like to discuss any issues raised by this alert or otherwise, please feel free to contact the authors, Erin Eiselein at (303) 892-7308 and Heather Kenney at (303) 892-7493, or the other members of the DGS Health Care Practice Group, John Francis at (303) 892-7338 and Wally Stromberg at (303) 892-7478.
Davis Graham & Stubbs LLP
1550 17th St., Suite 500
Denver, CO 80202
303.892.9400
303.893.1379 fax
www.dgslaw.com