• New Regulations Affect Lenders To The Healthcare Industry
  • March 17, 2009 | Authors: Lawrence F. Flick; Mark I. Rabinowitz; William E. Gramlich
  • Law Firm: Blank Rome LLP - Philadelphia Office
  • This week, as part of the stimulus package, President Obama signed into law the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), which significantly expands the HIPAA Privacy Rule and Security Standards. The following is a summary of the key provisions of the HITECH Act related to HIPAA that directly impact the healthcare lending industry. These provisions have varying effective dates and except for the notice of breach provisions discussed below are generally effective no earlier than February 16, 2010.

    Lenders May Have An Increased Regulatory Burden

    Under the HITECH Act, institutions providing financing to a health care entity has the regulatory burden to determine whether it acts as a “business associate.” Unlike the prior law in which the business associate’s obligations were contractually imposed, a business associate is subject to the principal HIPAA security and privacy provisions as if it were a “covered entity.” In addition, the HITECH Act provides that a business associate is now subject to all of the civil and criminal enforcement provisions under HIPAA for violations of the HIPAA standards. If you are an entity providing financing in the healthcare industry, the effect of this legislation is threefold:

    1. It is important that you critically evaluate at the outset of the lending relationship if your institution acts as a business associate. In addition, a healthcare lender should also evaluate its existing lending relationships to determine if it acts as a business associate. The statutory and regulatory language has never been clear on this issue. By definition a “business associate” is a party that provides “financial services” to or for a covered entity. For example, it would appear that HIPAA is implicated by a lender establishing a lock box arrangement if it or its employees or agents have access to remittance advices or explanation of benefit forms that disclose personally identifiable health information. The test is whether your institution qualifies from a functional perspective as a business associate. These new provisions will be effective February 16, 2010.
    2. If you qualify as a business associate, you will now also be subject to increased penalties for noncompliance and new rules governing the reporting of security breaches for “unsecured protected health information” (these are discussed more fully below). These provisions will be effective 30 days after the publication of regulations which are required to be issued by August 16, 2009.
    3. Unlike the prior law, the regulatory responsibility to obtain a business associate agreement is not only on the covered entity. If the health care lender is a business associate, it must enter into this agreement.

    Specific Provisions Under The HITECH Act

    The HITECH Act applies the HIPAA Security Standards, as well as the civil and criminal penalties for violating those standards, to business associates directly, in the same manner as such standards apply to the covered entities for whom they work. The HITECH Act also requires that the contracts between covered entities and business associates be updated to document this change. Currently, business associates are already contractually required to implement appropriate administrative, technical and security that reasonably and appropriately protected the confidentiality of protected health information (PHI). However, they only risked a contractual breach for failure to comply. Under the HITECH Act, business associates have a statutory obligation to comply with the Security Standards, and are subject to audit and enforcement by HHS if they fail to so comply.

    In addition, the HITECH Act creates a direct statutory obligation for business associates to comply with the restrictions on use and disclosure of PHI contained in Section 164.504(e) of the Privacy Rule, which is the section that sets forth the mandatory provisions of a business associate agreement. So, again, where business associates formerly had contractual obligations to limit their uses and disclosures of PHI, they now face civil and criminal penalties for failure to comply with those obligations. In addition, the HITECH Act makes Section 164.504(e)(2)(ii) of the Privacy Rule applicable to business associates in the same way that it applies to covered entities, apparently requiring business associates to terminate their business associate agreement with a covered entity if the business associate knows that the covered entity has not cured a breach of the obligations thereunder, and to report such violation or breach to the Secretary if the violation is not cured.

    Finally, the HITECH Act makes clear that organizations that provide data transmission of PHI to covered entities or their business associates, such as Health Information Exchange Organizations, Regional Health Information Organizations, or vendors that allow a covered entity to offer personal health records to patients as part of its electronic health records, are considered business associates and must have a business associate agreement with such covered entities.

    What this means for healthcare lenders is that they will want to carefully scrutinize whether or not they actually perform business associate functions, so they do not become subject to additional regulatory enforcement oversight. For lenders who perform this analysis and conclude that they do not actually perform such functions, these lenders will want to evaluate their current policies with regard to HIPAA compliance and business associate contract administration. For many, the result may be that they adopt a down-stream user approach to ensure privacy protection, with affirmative notification that they are not, and do not consider themselves to be, business associates within the meaning of the legislation or regulation.

    Of course, for healthcare lenders who perform this analysis, and determine that they do actually perform business associate functions, they will want to evaluate their HIPAA compliance policies and security safeguards to ensure that they are doing everything required under the HIPAA privacy and security standards.

    New Rules Governing Breach Notification

    Lenders also need to know that in the event of a breach of unsecured PHI that is discovered by a covered entity or a business associate, the HITECH Act requires the covered entity to notify each individual whose information has been, or is reasonably believed to have been, accessed, acquired, or disclosed as a result of such breach and the business associate is required to provide this information to the covered entity. “Unsecured PHI” means PHI that is not secured using the technology or methodology identified by the Secretary of HHS in its to-be-issued guidance on the subject. If HHS does not issue guidance within sixty days after enactment of the HITECH Act, then “unsecured PHI” will mean PHI that is not secured by a technology standard that renders PHI unusable, unreadable or indecipherable to unauthorized individuals and is developed or endorsed by a standard developing organization that is accredited by the American National Standards Institute (ANSI). Exceptions to the breach notification requirement are for unintentional acquisition, access, use or disclosure of PHI where the access is in good faith by an employee or the disclosure is to an individual authorized to access health information at the same facility. For a breach of unsecured PHI under the control of a business associate, the business associate upon discovery of the breach is required to notify the covered entity. Notice of the breach must be provided to the Secretary (“Secretary”) of Health and Human Services (“HHS”) and prominent media outlets serving the applicable geographic area if the breach relates to more than 500 individuals in that area. If the breach relates to fewer than 500 individuals, the covered entity involved must maintain a log of such breaches and annually submit it to the Secretary. Interim regulations are to be promulgated by HHS within 180 days after the date of enactment of the HITECH Act, and the breach notice requirements of the HITECH Act apply to any breach that is discovered starting 30 days after the publication of those interim regulations.

    Penalties And Enforcement

    Currently, HIPAA provides for criminal penalties of fines of up to $250,000 and up to 10 years in prison for disclosing or obtaining health information with the intent to sell, transfer or use it for commercial advantage, personal gain, or malicious harm. In July 2005, the Justice Department addressed which persons may be prosecuted under HIPAA and concluded that only a covered entity could be criminally liable. The HITECH Act provides that criminal penalties for wrongful disclosure of PHI apply to individuals who without authorization obtain or disclose such information maintained by a covered entity, whether they are employees of the covered entity or not.

    Currently, HIPAA allows the Secretary to impose civil monetary penalties on any person failing to comply with the privacy and security standards, with a maximum civil fine of $100 per violation and up to $25,000 for all violations of an identical requirement or prohibition during a calendar year. Civil monetary penalties may not be imposed if (1) the violation is a criminal offense under HIPAA’s criminal penalty provisions; (2) the person did not have actual or constructive knowledge of the violation; or (3) the failure to comply was due to reasonable cause and not to willful neglect, and the failure to comply was corrected during a 30-day period beginning on the first date the person liable for the penalty knew, or by exercising reasonable diligence would have known, that the failure to comply occurred.

    The HITECH Act amends HIPAA to permit the Office of Civil Rights (OCR) to pursue an investigation and the imposition of civil monetary penalties against any individual for an alleged criminal violation of the Privacy and Security Rule of HIPAA if the Justice Department had not prosecuted the individual. In addition, the HITECH Act amends HIPAA to require a formal investigation of complaints and the imposition of civil monetary penalties for violations due to willful neglect. The Secretary is required to issue regulations within 18 months to implement these amendments. The HITECH Act also requires that any civil monetary penalties collected be transferred to OCR to use in enforcing HIPAA. HHS, within three years of enactment, is required to establish a methodology to distribute a percentage of any collected penalties to harmed individuals.

    The HITECH Act increases the penalties for violations of HIPAA. The HITECH Act preserves the current requirement that a civil fine not be imposed if the violation was due to reasonable cause and was corrected within 30 days. The HITECH Act authorizes State Attorneys General to bring a civil action in Federal district court against individuals who violate the HIPAA privacy and security standards, in order to enjoin further violation and seek damages of up to $100 per violation, capped at $25,000 for all violations of an identical requirement or prohibition in any calendar year. State action against a person is not permitted if a federal civil action against that same individual is pending. Nothing prevents OCR from continuing to use corrective action without a penalty in cases where the person did not know, and by exercising reasonable diligence would not have known, about the violation.

    Currently, the Secretary is authorized to conduct compliance reviews to determine whether covered entities are complying with HIPAA standards. The HITECH Act requires the Secretary to perform periodic audits of both covered entities and business associates to ensure compliance with the Privacy Rule and Security Standards.