Economic Stimulus Bill Adds New HIPAA Privacy and Security Requirements



by Michael A. Dowell View Biography
Theodora Oringher Miller & Richman PC View Firm Credentials
Los Angeles Office

March 25, 2009

Previously published in February 2009

The Health Information Technology for Economic and Clinical Health Act (the "HITECH Act") section of the federal stimulus package contains provisions that significantly expand the scope of the HIPAA Privacy and Security requirements. The HITECH Act imposes data security breach notification requirements on covered entities and business associates; requires that individuals be given electronic access to, and an accounting of disclosures of, their protected health information held in electronic health records (EHRs), including disclosures made for treatment, payment and health care operations; increases civil penalties and clarifies the criminal coverage for violations of the HIPAA privacy and security requirements; and authorizes state attorneys general to bring civil actions on behalf of state residents adversely affected or threatened by such violations. The effective date for most of the provisions is 12 months after the date of enactment of the HITECH Act; the increased penalty provisions, however, take effect immediately.

New Security Breach Notification Requirements

The law requires notification of patients of any unauthorized access, acquisition, use or disclosure of their "unsecured PHI" that compromises the privacy or security of the information. "Unsecured" PHI is PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized persons through a technology or methodology specified in guidance issued by the Secretary of Health and Human Services (in practice, encryption or destruction); PHI so secured falls outside the notification requirement. When a covered entity discovers a breach, it must notify each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired or disclosed. When a business associate discovers a breach, it must notify the covered entity and identify each individual whose information has, or is reasonably believed to have been, breached. Written notice must be made without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. If a breach affects 500 or more individuals, it must be reported to the Secretary of Health and Human Services, who, in turn, will post the name of the provider or insurer on a public website. In addition, the law requires that breaches affecting more than 500 residents of a single state or jurisdiction be reported to prominent media outlets serving that state or jurisdiction. Covered entities will continue to be required to comply with state security breach laws to the extent that those laws are more stringent than the federal law.

Additionally, vendors that provide or maintain "Personal Health Records" ("electronic records of individually identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or for the individual") are required to notify both the affected individuals and the Federal Trade Commission of any breach arising from their products or services. Notification requirements under the new provision are triggered not only by actual knowledge of a breach, but also by a reasonable belief that a breach has occurred (a breach is treated as "discovered" on the first day it is known, or reasonably should have been known, to the entity or to any of its employees or agents). The notification requirements will apply to breaches discovered on or after the date that is 30 days after the Secretary of Health and Human Services publishes interim final regulations on the subject.

Application of HIPAA Security Rule to Business Associates

Business associates will now be required to implement the administrative, physical and technical safeguards of the HIPAA Security Rule directly, and to adopt security policies and procedures that address those requirements, including:

  • Administrative Safeguards – Risk assessment and periodic reassessments; risk management security measures; information system activity risk reviews; an assigned security official; workforce training and sanctions; data access controls; data back-up and disaster recovery plans; security incident management.
     
  • Physical Safeguards – Facility and workstation access controls; portable and removable device and media management; device and media disposal, re-use, back-up and storage controls.
     
  • Technical Safeguards – Access, authentication and audit controls; data integrity and transmission security.

Business associates will now also be subject to the same "pattern or practice" obligation that the Privacy Rule has long imposed on covered entities: if a business associate knows of a pattern of activity or practice of the covered entity that constitutes a material breach of the business associate agreement, it must take reasonable steps to cure the breach and, if those steps are unsuccessful, terminate the agreement if feasible or, if termination is not feasible, report the problem to the federal Department of Health and Human Services. Business associates will additionally be subject to direct civil and criminal penalties for violations of the security provisions, rather than only to contractual liability to the covered entity. The bill also requires that its new security provisions be incorporated into existing business associate agreements.

Access to PHI in Electronic Health Records

Covered entities that use or maintain electronic health records ("EHRs") must, when an individual requests access to his or her protected health information held in an EHR, furnish an electronic copy of that information. A covered entity may give the individual the option of having the electronic copy transmitted directly to a person or entity that the individual designates. A covered entity may charge a fee for providing the electronic copy, but the fee may be no greater than the covered entity's "labor costs" in responding to the request.

Under the new law, if an entity uses or maintains electronic health records, patients have the right to receive an accounting of disclosures of their PHI made through the EHR during the three years preceding the request. This accounting must include disclosures made for the purpose of carrying out treatment, payment and health care operations (note that existing law does not require an accounting of disclosures made for treatment, payment or health care operations).

Authorization Required to Exchange PHI for Remuneration

Effective six months following issuance of implementing regulations by the Department of Health and Human Services, a covered entity and its business associates will be prohibited from exchanging protected health information in return for direct or indirect remuneration, unless the individual whose protected health information is exchanged gives a HIPAA-compliant authorization that specifies that the covered entity may exchange the individual's protected health information for remuneration.

New Restrictions on Marketing and Fundraising

The HITECH Act clarifies that a communication by a covered entity or a business associate to individuals about a product or service that encourages the recipient to purchase or use that product or service does not fall within the definition of health care operations, unless the communication concerns a health-related product or service and satisfies the Act's other conditions. Otherwise, such communications generally will be considered marketing under HIPAA and subject to the authorization requirement.

The Act also modifies the fundraising provisions of HIPAA to require that each fundraising communication include, in a clear and conspicuous manner, an opportunity for the recipient to "opt out" of receiving further fundraising communications.

New Requirement to Comply with Requested Restrictions

Previously, under the HIPAA Privacy Rule, an individual could ask a covered entity to restrict its uses or disclosures of his or her PHI, but the covered entity did not have to agree to the request. Under the new law, if an individual requests a restriction on disclosures, the covered entity will be required to comply if: (1) the individual requests a restriction on disclosures to a health plan for payment or health care operations purposes (other than disclosures required by law), and (2) the PHI pertains solely to a health care item or service for which the individual, or someone on the individual's behalf, has paid the provider out of pocket in full.

Increased Penalties for HIPAA Violations

The HITECH Act clarifies that criminal penalties for violations can be applied directly to individuals (including employees of a covered entity), and that civil penalties may be imposed for noncompliance due to willful neglect. Civil monetary penalties have been increased on a tiered basis, depending on whether the violation was committed without knowledge, due to reasonable cause, or due to willful neglect. Penalties for violations based on a lack of knowledge (where a person exercising reasonable diligence would not have known of the violation) start at $100 per violation, not to exceed $25,000 for all identical violations in a calendar year; penalties for violations due to reasonable cause start at $1,000 per violation, not to exceed $100,000 per calendar year; and penalties for violations due to willful neglect start at $10,000 per violation, not to exceed $250,000 per calendar year (for violations that are corrected), or $50,000 per violation, not to exceed $1,500,000 per calendar year (for violations that are not corrected).

State Attorney General Right of Action for HIPAA Violations

The law authorizes state attorneys general to bring civil actions in federal court on behalf of state residents who have been, or are threatened with being, adversely affected by a HIPAA violation, in order to enjoin the violation or to obtain statutory damages. Courts would have the ability to award costs and attorneys' fees to the state in successfully prosecuted cases.

Conclusion

Health care facilities and providers should start planning to implement the required changes as soon as possible to ensure compliance within the specified timeframes. Covered entities will need to update HIPAA privacy and security policies and procedures, business associate agreements, and compliance plans to ensure effective implementation of the new requirements.



 

The views expressed in this article are solely the views of the author and not Martindale-Hubbell. This article is intended for informational purposes only and is not legal advice or a substitute for consultation with a licensed legal professional in a particular case or circumstance.