Today, as part of the stimulus package, President Obama will sign into law the Health Information Technology for Economic and Clinical Health Act (the "HITECH Act"), which significantly expands the HIPAA Privacy Rule and Security Standards. The following is a summary of the key provisions of the HITECH Act related to HIPAA.

Business Associates

The HITECH Act applies the HIPAA Security Standards, as well as the civil and criminal penalties for violating those standards, directly to business associates, in the same manner as those standards apply to the covered entities for whom they work. The Act also requires that the contracts between covered entities and business associates be updated to document this change. Business associates were already contractually required to implement appropriate administrative, physical and technical safeguards that reasonably and appropriately protected the confidentiality of protected health information (PHI), but until now they risked only a contractual breach for failing to do so. Under the HITECH Act, business associates have a statutory obligation to comply with the Security Standards and are subject to enforcement by HHS if they fail to comply.

In addition, the HITECH Act creates a direct statutory obligation for business associates to comply with the restrictions on use and disclosure of PHI contained in Section 164.504(e) of the Privacy Rule, the section that sets forth the mandatory provisions of a business associate agreement. So, again, where business associates formerly had only contractual obligations to limit their uses and disclosures of PHI, they now face civil and criminal penalties for failing to comply with those obligations. The HITECH Act also makes Section 164.504(e)(1)(ii) of the Privacy Rule applicable to business associates in the same way that it applies to covered entities, apparently requiring a business associate that knows of a pattern of activity or practice of the covered entity constituting a material breach of the covered entity's obligations under the agreement to take reasonable steps to cure the breach and, if those steps are unsuccessful, to terminate the agreement if feasible or, if termination is not feasible, to report the problem to the Secretary.

Finally, the HITECH Act makes clear that organizations that provide data transmission of PHI to covered entities or their business associates, such as Health Information Exchange Organizations, Regional Health Information Organizations, or vendors that allow a covered entity to offer personal health records to patients as part of its electronic health records, are considered business associates and must have a business associate agreement with such covered entities.

Breach Notification

In the event of a breach of unsecured PHI that is discovered by a covered entity, the HITECH Act requires the covered entity to notify each individual whose information has been, or is reasonably believed to have been, accessed, acquired or disclosed as a result of the breach. "Unsecured PHI" means PHI that is not secured through the use of a technology or methodology identified by the Secretary of HHS in guidance yet to be issued on the subject. If HHS does not issue that guidance within sixty days after enactment of the HITECH Act, "unsecured PHI" will mean PHI that is not secured by a technology standard that renders PHI unusable, unreadable or indecipherable to unauthorized individuals and that is developed or endorsed by a standards developing organization accredited by the American National Standards Institute (ANSI). Excluded from the definition of a breach are (1) the unintentional acquisition, access or use of PHI by an employee or other person acting under the authority of a covered entity or business associate, if made in good faith and within the scope of that authority, and (2) the inadvertent disclosure of PHI by a person authorized to access PHI at a facility to another person authorized to access PHI at the same facility, in each case provided the information is not further used or disclosed in a manner not permitted by the Privacy Rule.

For a breach of unsecured PHI under the control of a business associate, the business associate must notify the covered entity upon discovery of the breach. Notice must also be provided to prominent media outlets serving a State or jurisdiction if the breach involves the unsecured PHI of more than 500 residents of that State or jurisdiction, and to the Secretary immediately if the breach involves 500 or more individuals. If the breach involves fewer than 500 individuals, the covered entity must maintain a log of such breaches and submit it annually to the Secretary. Interim final regulations are to be promulgated by HHS within 180 days after the date of enactment of the HITECH Act, and the breach notice requirements apply to any breach discovered on or after the date that is 30 days after publication of those interim final regulations.

Individual Access Right, Right To Request Restriction, And Accounting Of Disclosures

In connection with an individual's right to access his or her medical record under HIPAA, the HITECH Act gives individuals the right to receive an electronic copy of their PHI, if it is maintained in an electronic health record. Any associated fee charged by the covered entity can only cover its labor costs for providing the electronic copy.

Currently under HIPAA, an individual has a right to request a restriction on a covered entity's use or disclosure of PHI for treatment, payment or health care operations, but the covered entity does not need to agree to the requested restriction. The HITECH Act modifies HIPAA by requiring a health care provider to honor a patient's request that the PHI regarding a specific health care item or service not be disclosed to a health plan for purposes of payment or health care operations, if the patient paid out-of-pocket in full for that item or service.

Until now, a covered entity was not required under HIPAA to account for disclosures of PHI made for purposes of treatment, payment or health care operations. The HITECH Act amends HIPAA to give an individual the right to receive an accounting of PHI disclosures made by covered entities or their business associates for treatment, payment and health care operations during the previous three years, if the disclosures were made through an electronic health record. Within eighteen months of adopting standards on such accounting of disclosures, HHS is required to issue regulations on what information must be collected about each disclosure. The date by which a covered entity must be prepared to meet this expanded accounting obligation depends on when the covered entity acquired its electronic health record. A covered entity that had acquired an electronic health record as of January 1, 2009 must account for disclosures made on and after January 1, 2014. A covered entity that acquires an electronic health record after January 1, 2009 must account for disclosures made on and after the later of January 1, 2011 or the date on which it acquired the electronic health record.

In effect, the new accounting-of-disclosures requirement will require EMR software to be upgraded to track disclosures made through the electronic health record. Unfortunately, the law allows time for upgrades to existing systems but not for newly acquired systems, which must account for disclosures from the date of acquisition (or January 1, 2011, if later). The market will therefore need to catch up to the legal requirements, which may slow implementation.

Minimum Necessary Standard

The HITECH Act requires covered entities to limit the use, disclosure or request of PHI, to the extent practicable, to a limited data set or, if needed, to the minimum necessary to accomplish the intended purpose of the use, disclosure or request. This requirement sunsets when the Secretary issues guidance on what constitutes "minimum necessary"; the Secretary has eighteen months to issue such guidance. In addition, the HITECH Act clarifies that the entity disclosing the PHI (as opposed to the requester) makes the minimum necessary determination. The HIPAA Privacy Rule's existing exceptions to the minimum necessary standard continue to apply.

Health Care Operations

The House Bill required that the Secretary issue regulations to eliminate from the definition of health care operations those activities that can reasonably and efficiently be conducted with de-identified information or that should require authorization for the use or disclosure of PHI. This provision was struck in the final bill.

Payment For PHI/Research And Public Health Activities

The HITECH Act prohibits the sale of PHI by a covered entity or business associate without patient authorization except in certain specified circumstances, such as to recoup the costs of preparing and transmitting data for public health or research activities, or to provide an individual with a copy of his or her PHI. Within eighteen months of enactment, the Secretary is required to issue regulations governing the sale of PHI, and must consider the impact of restricting the exception for research and public health activities to require that the price charged for such purposes reflects the cost of preparation and transmittal of data for such purposes. These provisions go into effect six months after the date of the final regulations. Note that health care operations are not excluded from the prohibition (except in the case of a sale of a business), so a covered entity may not receive remuneration from a third party for disclosures of PHI in connection with a health care operation such as case management and care coordination, or contacting individuals about alternative treatment options. The law contains exceptions permitting a business associate to perform services on behalf of a covered entity.

Marketing

Under the HITECH Act, a communication by a covered entity or business associate about a product or service that encourages the recipient to purchase or use that product or service is not a health care operation, and is treated as marketing, if the covered entity receives or has received direct or indirect payment in exchange for making the communication. There are two exceptions: where the communication describes only a drug or biologic that is currently being prescribed for the recipient and any payment received in exchange for the communication is reasonable in amount, and where the covered entity has obtained a HIPAA authorization from the recipient. Prior to these changes, HIPAA treated such communications as health care operations if they described a health-related product or service provided by the covered entity making the communication, were for the treatment of the individual, were for case management or care coordination of the individual, or recommended alternative treatments. Those exceptions no longer apply where the covered entity is paid for the communication.

So, absent an authorization, the only exception to the prohibition is where the communication describes a drug or biologic currently being prescribed to the recipient and the payment to the covered entity is reasonable in amount. The meaning of "reasonable" is to be determined by HHS by regulation. Presumably refill reminders or educational materials about a drug currently being prescribed are acceptable, but switch letters would not be (because they are not about the drug currently prescribed). Likewise, paid communications to a specific patient population to educate them about a particular medication or treatment would not be acceptable if those patients were not already taking that medication. This section goes into effect 12 months after enactment of the HITECH Act.

Penalties And Enforcement

Currently, HIPAA provides for criminal penalties of fines of up to $250,000 and up to 10 years in prison for disclosing or obtaining health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm. In July 2005, the Justice Department addressed which persons may be prosecuted under HIPAA and concluded that only a covered entity could be criminally liable. The HITECH Act provides that the criminal penalties for wrongful disclosure of PHI apply to individuals who, without authorization, obtain or disclose such information maintained by a covered entity, whether or not they are employees of the covered entity.

Currently, HIPAA allows the Secretary to impose civil monetary penalties on any person failing to comply with the privacy and security standards, with a maximum civil fine of $100 per violation and up to $25,000 for all violations of an identical requirement or prohibition during a calendar year. Civil monetary penalties may not be imposed if (1) the violation is a criminal offense under HIPAA's criminal penalty provisions; (2) the person did not have actual or constructive knowledge of the violation; or (3) the failure to comply was due to reasonable cause and not to willful neglect, and the failure to comply was corrected during a 30-day period beginning on the first date the person liable for the penalty knew, or by exercising reasonable diligence would have known, that the failure to comply occurred.

The HITECH Act amends HIPAA to permit the Office for Civil Rights (OCR) to pursue an investigation and the imposition of civil monetary penalties against any individual for an alleged criminal violation of the HIPAA Privacy and Security Rules if the Justice Department has not prosecuted the individual. In addition, the HITECH Act amends HIPAA to require a formal investigation of complaints, and the imposition of civil monetary penalties, for violations due to willful neglect. The Secretary is required to issue regulations within 18 months to implement these amendments. The HITECH Act also requires that any civil monetary penalties collected be transferred to OCR for use in enforcing HIPAA. Within three years of enactment, HHS is required to establish a methodology for distributing a percentage of any collected penalties to harmed individuals.

The HITECH Act increases the civil penalties for violations of HIPAA, establishing tiers keyed to the violator's level of culpability, with penalties rising to $50,000 per violation and a cap of $1,500,000 for all violations of an identical requirement or prohibition in a calendar year. The HITECH Act preserves the current rule that a civil fine not be imposed if the violation was due to reasonable cause and was corrected within 30 days. The HITECH Act also authorizes State Attorneys General to bring a civil action in Federal district court against persons who violate the HIPAA privacy and security standards, in order to enjoin further violations and to seek damages of up to $100 per violation, capped at $25,000 for all violations of an identical requirement or prohibition in any calendar year. A State action against a person is not permitted while a federal civil action against that same person is pending. Nothing prevents OCR from continuing to use corrective action without a penalty in cases where the person did not know, and by exercising reasonable diligence would not have known, of the violation.

Currently, the Secretary is authorized to conduct compliance reviews to determine whether covered entities are complying with HIPAA standards. The HITECH Act requires the Secretary to perform periodic audits to ensure compliance with the Privacy Rule and Security Standards.

Effective Date

Except as otherwise specifically provided in the Act, these changes become effective 12 months after enactment of the HITECH Act.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.