The American Recovery & Reinvestment Act of 2009 (ARRA), signed into law on February 17, 2009, includes significant changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Specifically, Title XIII of ARRA, known as the Health Information Technology for Economic and Clinical Health (HITECH) Act, greatly expands the HIPAA obligations of “Covered Entities” and “Business Associates.”
Prior to the HITECH Act, Business Associates—persons who perform any function or activity involving the use or disclosure of Protected Health Information (PHI) on behalf of a Covered Entity—were not directly liable for HIPAA violations. Instead, Business Associates handed the potential for contractual liability to Covered Entities through contracts known as Business Associate Agreements. The HITECH Act now imposes direct civil and criminal penalties on Business Associates for certain security and privacy violations under HIPAA.
The majority of the HIPAA Security Rule now directly applies to Business Associates in the same manner as it applies to Covered Entities. For example, Business Associates will now be required to implement and maintain certain security policies and procedures, appoint a security officer and provide related training.
In addition, the HITECH Act imposes new Privacy Rule-related obligations on Business Associates. More specifically, the HITECH Act provides that Business Associates may use and disclose PHI only to the extent that such use or disclosure complies with certain requirements in Business Associate Agreements. Effectively, by way of this statutory tie to certain contractual provisions, Business Associates must directly comply with aspects of the Privacy Rule.
Finally, the HITECH Act specifically requires that Business Associate Agreements be modified to incorporate the new Security Rule and Privacy Rule requirements.
New Notification Requirements
Under the HITECH Act, Covered Entities and Business Associates alike will be subject to new notification requirements. For example, within 60 calendar days of discovering a breach of “unsecured” PHI (including breaches that should reasonably have been known), Covered Entities must notify:
- Individuals with respect to a breach of their information;
- “Prominent media outlets serving a State or jurisdiction” if more than 500 residents of such State or jurisdiction are affected; and
- The Secretary of the Department of Health and Human Services (Secretary).
The Secretary will post a list of each Covered Entity involved in a breach of “unsecured” PHI concerning more than 500 individuals on the Department of Health and Human Services’ web site. Business Associates are required to provide notification to Covered Entities within 60 calendar days of discovering a breach of “unsecured” PHI (including breaches that should reasonably have been known).
On the other hand, if PHI is “secured” by an approved methodology (e.g., data encryption), these notification requirements should not apply to Covered Entities and Business Associates. The relevant authorities are just beginning to provide guidance relating to the appropriate methods for securing PHI. For example, the Secretary recently issued guidance specifying that PHI may be secured by data encryption or data destruction practices and referencing the technical publications of the National Institute of Standards and Technology on this subject. Covered Entities and Business Associates should carefully review all current and forthcoming guidance related to securing PHI.
The HITECH Act empowers state attorneys general to bring civil actions in federal court if they have “reason to believe” that “one or more of the residents of that State has been or is threatened or adversely affected” by a violator for injunctive relief or statutory damages as well as attorneys’ fees. Previously, HIPAA enforcement actions could only be initiated by the Centers for Medicare & Medicaid Services (for Security Rule violations) or the Office of Civil Rights (for Privacy Rule violations). Expansion of enforcement rights to state attorneys general may subject Covered Entities and Business Associates to more extensive scrutiny.
Increased Penalties and Compensation for Harmed Individuals
The new legislation also significantly increases the existing civil monetary penalties for each violation. Civil penalties now generally range from $100 to $50,000 per violation, with caps of $25,000 to $1.5 million for all violations of a single requirement in a calendar year. The severity of the penalties increases based upon the cause of the violation and the violator’s level of knowledge regarding the violation:
Low Penalty: Violator had no knowledge (and by exercising reasonable diligence would not have known) of the violation
Medium Penalty: Violations due to reasonable cause
Higher Penalty: Violations caused by "willful neglect" that were corrected
Highest Penalty: Violations caused by "willful neglect" that were not corrected
The Secretary is required to investigate and impose penalties for “willful neglect” violations.
The effective dates for the HITECH Act changes to HIPAA vary. For example, the increased penalty provisions are effective immediately. By contrast, other provisions will be effective within a year of the legislation (i.e., February 2010), two years after enactment of the legislation, or after related regulations are published.
There are many other provisions of the HITECH Act that will affect the HIPAA obligations of Covered Entities and/or Business Associates. Organizations subject to HIPAA will need to carefully review the HITECH Act and establish a comprehensive strategy for complying with its expanded obligations by the relevant effective dates.
Debra Bogo-Ernst represents national and multi-national corporations in complex litigation, and has significant bench and jury trial experience in federal and state courts. For the health care industry, Debra has an active practice advising on various regulatory and compliance matters. These include, for example, privacy issues under the Health Insurance Portability and Accountability Act (HIPAA) as well as fraud and abuse issues under Stark and federal and state anti-kickback laws.
Joseph Pennell, an associate in the Business & Technology Sourcing practice, represents clients in information technology and business process outsourcing arrangements. He also assists in information technology licensing and development transactions. Additionally, Joseph counsels clients on privacy and security issues.