HR Compliance Information Specialists - LegalWorkplace.com
Brought to you by the Alexander Hamilton Institute
HIPAA Rules Dramatically Modified By Stimulus Bill

(Published March 9, 2009)


The American Recovery and Reinvestment Act (ARRA) contains surprising modifications to the Health Insurance Portability and Accountability Act's (HIPAA) Privacy and Security Rules. The changes are significant to all covered entities, but are most challenging for business associates, who now face a host of new requirements. Here are some of the highlights.


Security Rules apply directly to business associates. For the first time, business associates must comply directly with many of HIPAA's Security Rules. This will require every business associate to take several actions, including appointing a security official, developing written policies and procedures, and training its workforce on how to protect electronic protected health information (EPHI). These provisions go well beyond the previous requirements for business associates, under which a business associate needed only to comply with its written business associate agreement.


Business associates also will need to follow HIPAA's Security Rules relating to physical safeguards (such as locking computers that contain EPHI), technical safeguards (such as encrypting emails), and the requirement to adopt written policies and procedures. Failing to do so will — for the first time — subject a business associate to civil monetary penalties and criminal penalties for each notification.


New security breach rules. Under current law, the breach of the privacy or security of protected health information (PHI) often does not require significant action by a covered entity or business associate. Now, a covered entity or business associate that has a specified security breach will be required to notify each individual affected by the security breach. This can involve written notification by mail or, if specified by the individual, e-mail. If the covered entity or business associate lacks current contact information, it may be required to post notice of the breach on its website or in newspapers or other broadcast media (e.g., television). For certain large breaches (involving more than 500 residents in a particular area), a "prominent media outlet" must be notified of the breach. The U.S. Department of Health and Human Services (HHS) also must be contacted, and the HHS is to establish a website listing these breaches.


New rules regarding electronic health records. The Act creates a new term, "electronic health record," which is an electronic record of health-related information on an individual that is "created, gathered, managed, and consulted by authorized health care clinicians and staff."


The Act imposes significantly more disclosure accounting requirements relating to electronic health records. Currently, a covered entity or business associate need not track its disclosures of PHI if the PHI is used to carry out treatment, payment, or health care operations. This is very helpful, because most disclosures of PHI fall into one of these exceptions, so the disclosure need not be tracked. Now, under the Act, if the disclosure of an electronic health record is for treatment, payment, or health care operations, the covered entity (and perhaps also a business associate) must maintain an accounting of such a disclosure. There is a delayed effective date for this provision, such that it will apply sometime between January 1, 2011, and January 1, 2014.


Prohibition on sale of electronic health records or PHI. A covered entity or business associate cannot directly or indirectly receive remuneration in exchange for any PHI unless it first obtains a valid authorization from the individual whose PHI is being disclosed.


Significant overhaul of civil monetary penalties. Currently, the penalty is generally $100 for each violation. This $100 amount (and its related cap of $25,000 for multiple violations) increases to $1,000 per violation for a violation due to "reasonable cause and not to willful neglect" (with a maximum penalty of $100,000); $10,000 for each violation that was due to willful neglect and is corrected (subject to a $250,000 maximum penalty); and $50,000 for each violation if the violation is not corrected properly (subject to a maximum penalty of $1,500,000 during a calendar year). These changes are effective immediately.


In addition, state attorneys general can now bring a HIPAA enforcement action against a covered entity or business associate that violates these rules. Worse, the state attorney general can obtain attorney's fees under such an action (although the attorney's fees are discretionary and not mandatory).


The HHS — the main enforcer of HIPAA — now is required to conduct "periodic audits" to ensure that both business associates and covered entities are compliant with these new rules.


Individuals can receive compensation for breaches. The ARRA requires the HHS to establish a regulation within the next three years that provides that individuals affected by a HIPAA violation will be able to receive a percentage of any civil monetary penalty or monetary settlement collected with respect to such offense. Previously, it was difficult, if not impossible, for individuals to receive such amounts.


Effective date. The general effective date for the ARRA is February 2010. However, many of the provisions have varying effective dates and others have an effective date that is unclear. Business associates and covered entities should examine each provision carefully.


This information was reprinted with permission from Michael Best & Friedrich LLP. A recording of a webinar on the changes to HIPAA and COBRA under the stimulus bill, originally presented on March 18, 2009 and featuring John Barlament, Esq., a partner with Michael Best & Friedrich, is available for purchase.


Related Topic(s):

Benefits/HIPAA  
Copyright © 2010 Alexander Hamilton Institute