
 

Summary of HIPAA Amendments in New Stimulus Package

By Vivek Chandra


The American Recovery and Reinvestment Act (also known as the “Stimulus Bill”) was signed into law by President Obama on February 17, 2009. The Act contains many modifications to HIPAA's Privacy and Security Rules. The Act will require business associates to comply with many of HIPAA's rules for the first time and subjects business associates to HIPAA’s civil and criminal penalties. The Act increases the penalties for various HIPAA violations and expands other remedial actions. The changes are significant to all covered entities, but are most challenging for business associates, who now face a host of new requirements.

 

Application of Security Provisions to Business Associates

The new Stimulus Bill makes certain sections of HIPAA’s Security Rule applicable to business associates of covered entities in the same manner that those sections currently apply to covered entities. HIPAA defines a business associate as an individual or corporate “person” that performs on behalf of the covered entity any function or activity involving the use or disclosure of protected health information and is not a member of the covered entity’s workforce. These Security Rule provisions will also need to be incorporated into the business associate agreement between the business associate and the covered entity. Failure to comply with these provisions of the Security Rule will subject the business associate to civil and criminal penalties in the same manner as a covered entity. The new law also requires the Department of Health and Human Services (“HHS”) to issue annual guidance on the most effective and appropriate technical safeguards for use in carrying out these provisions. The new law applies to four sections of the Security Rule:

  • 45 CFR §164.308 - Establishing administrative safeguards to protect electronic protected health information (“ePHI”);

  • 45 CFR §164.310 - Implementing physical safeguards to limit physical access to ePHI;

  • 45 CFR §164.312 - Implementing technical safeguards for electronic information systems that control access to ePHI; and

  • 45 CFR §164.316 - Implementing reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the HIPAA Security Rule and maintain proper documentation.

 

Application of Privacy Provisions and Penalties to Business Associates

Under the new Stimulus Bill, business associates that are contracted with covered entities to perform services on their behalf are now directly covered under provisions of the Privacy Rule relating to contractual arrangements between covered entities and business associates.

Business associates who obtain or create PHI pursuant to a contract (or other written agreement), now have a legal duty to ensure that they are only using or disclosing PHI in accordance with 45 CFR §164.504(e). Section 164.504(e) states the necessary terms that must be in a contract between a covered entity and a business associate to ensure that information is only used for authorized purposes. This provision states that contracts between business associates and covered entities must establish the permitted and required uses and disclosures of PHI and provide that the business associate will not use or further disclose the information other than as permitted or required by the contract, or as required by law.

Furthermore, the law states that business associates are now in violation of HIPAA if they know of a pattern of activity or practice of the covered entity that constitutes a violation of the covered entity’s obligation under the contract (or other arrangement). Under the current law, a covered entity is charged with the duty to police the business associate’s compliance with the contract between them. Now, if a business associate knows that a covered entity is violating its duty under a contract, the business associate too has a legal obligation under 45 CFR §164.504(e)(1)(ii) to take reasonable steps to try to stop the violation.

 

Notification in the Case of Breach

Currently, a covered entity is not required to notify individuals of privacy or security breaches unless the covered entity determines that such notification is necessary to mitigate damage to the individual. Under the Stimulus Bill, both covered entities and business associates have new legal duties in the event a “breach” occurs.

A breach is the unauthorized acquisition, access, use, or disclosure of PHI which compromises the security, privacy, or integrity of PHI. Unsecured protected health information is defined as PHI not secured through the use of a technology or methodology specified by the Secretary of HHS; unencrypted PHI is the principal example. If a breach occurs, a covered entity must notify each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed. Business associates of covered entities must, after discovery of a breach, notify the covered entity of the breach and identify to the covered entity each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, or disclosed. A breach is considered to be “discovered” as of the first day on which the breach is known. Generally, a written notice describing the breach must be made “without reasonable delay” and in no case later than 60 calendar days after discovery of the breach. The covered entity or business associate has the burden of demonstrating that all required notifications were made.

Methods of Notice:

  1. Individual Notice
    1. Written notification by first class mail to the individual, or next of kin of the individual if the individual is deceased, at the last known address of the individual or next of kin; or by electronic mail, if specified as a preference by the individual.
    2. If contact information is insufficient or out-of-date, substitute notice shall be provided, including, in cases where there is insufficient contact information for 10 or more individuals, a posting on the home page of the Web site of the covered entity involved or notice in major print or broadcast media, including major media in geographic areas where the individuals affected by the breach likely reside. Such a notice in media or web posting will include a toll-free phone number where an individual can learn whether or not the individual’s unsecured protected health information is possibly included in the breach.
    3. In any case where a covered entity deems an urgency due to a possibility of imminent misuse of unsecured PHI, the covered entity may provide information to individuals by telephone or other means, as appropriate.

  2. Media Notice
    1. If the unsecured PHI of more than 500 residents of a State or jurisdiction is, or is reasonably believed to have been, breached then notice shall be provided to prominent media outlets serving such State or jurisdiction.

  3. Notice to Secretary of HHS
    1. Covered entities must notify the Secretary of HHS of unsecured protected health information that has been acquired or disclosed in a breach. If the breach involved 500 or more individuals, notice must be provided immediately. If the breach involved fewer than 500 individuals, the covered entity may maintain a log of any such breach and annually submit the log to the Secretary, documenting the breaches that occurred during the year involved.

  4. Posting on HHS Public Website
    1. The Secretary of HHS must make available to the public on the Internet website of the Department of Health and Human Services a list that identifies each covered entity involved in a breach in which the unsecured protected health information of more than 500 individuals is acquired or disclosed.

Content of Notice:

  1. A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.

  2. A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code).

  3. The steps individuals should take to protect themselves from potential harm resulting from the breach.

  4. A brief description of what the covered entity involved is doing to investigate the breach, to mitigate losses, and to protect against any further breaches.

  5. Contact procedures for individuals to ask questions or learn additional information, which shall include a toll free telephone number, an e-mail address, Web site, or postal address.

 

Education on Health Information Privacy

  • Regional Office Privacy Advisors – No later than 6 months after the Stimulus Bill is enacted, the Secretary of HHS must designate an individual in each regional office of HHS to offer guidance and education to covered entities, business associates, and individuals on their rights and responsibilities related to Federal privacy and security requirements for PHI.

  • Education Initiatives on Uses of Health Information - No later than 12 months after the date of the enactment of the Stimulus Bill, the Office for Civil Rights within HHS must develop and maintain a multi-faceted national education initiative to enhance public transparency regarding the uses of protected health information, including programs to educate individuals about the potential uses of their protected health information, the effects of such uses, and the rights of individuals with respect to such uses. These programs must be conducted in a variety of languages and present information in a clear and understandable manner.

 

Business Associate Contracts Required for Certain Entities

Each organization that provides data transmission of protected health information to a covered entity (or its business associate) and that requires routine access to such protected health information, such as a Health Information Exchange Organization, Regional Health Information Organization, or E-prescribing Gateway, and each vendor that contracts with a covered entity to allow that covered entity to offer a personal health record to patients as part of its electronic health record, is required to enter into a written contract (or other written arrangement) described in 45 C.F.R. § 164.502(e)(2) and a written contract (or other arrangement) described in 45 C.F.R. § 164.308(b) with such entity, and shall be treated as a business associate of the covered entity.

 

Requested Restrictions on Certain Disclosures of Health Information

A provision of the Stimulus Bill states that in the case of an individual’s request under 45 C.F.R. § 164.522(a)(1)(i)(A) that a covered entity restrict the disclosure of the individual’s PHI, notwithstanding (a)(1)(ii) of that section, the covered entity must comply with the requested restriction if:

  1. except as otherwise required by law, the disclosure is to a health plan for purposes of carrying out payment or health care operations (and is not for purposes of carrying out treatment); and

  2. the protected health information pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full.

 

Provisions Relating to “Minimum Necessary” Standards

Under HIPAA, the general rule is that if covered entities are using PHI for any other purpose besides treatment purposes, then covered entities must provide only the “minimum necessary” information to accomplish the purpose of the disclosure. The new law requires HHS to issue guidance on what constitutes "minimum necessary" under HIPAA within 18 months of the enactment of the Stimulus Bill.

Until HHS issues guidance on what “minimum necessary” means, the law states that a covered entity will be in compliance with the “minimum necessary” requirement if it limits PHI, to the extent practicable, to the limited data set. A “limited data set” is PHI that excludes direct identifiers such as names; postal address information, other than town or city, state, and zip code; and telephone numbers. If it is not practicable to limit the disclosure to a limited data set, then the covered entity must apply the minimum necessary standard. Covered entities and business associates must determine what constitutes the minimum necessary to accomplish the intended purpose of the disclosure. This determination will eventually be directed by guidance issued by HHS. The current exceptions to the minimum necessary requirement still apply, and this new law does not affect the use of de-identified PHI.

 

Restrictions on Marketing of PHI

The Stimulus Bill contains more stringent prohibitions on the use of PHI for marketing purposes. In general, a communication by a covered entity or business associate that is about a product or service and that encourages recipients of the communication to purchase or use the product or service shall not be considered to be a use for health care operation purposes.

Payment for such a communication is permitted only in the following cases:

  1. the communication describes only a drug or biologic that is currently being prescribed for the recipient of the communication, and any payment received by the covered entity in exchange for making the communication is reasonable in amount; or

  2. the communication is made by the covered entity, and the covered entity making the communication obtains from the recipient a valid authorization with respect to the communication; or

  3. the communication is made by a business associate on behalf of the covered entity, and the communication is consistent with the written contract between the business associate and the covered entity.

 

Individual Access to Electronic Health Records

A Stimulus Bill provision states that in applying 45 C.F.R. § 164.524, in the case that a covered entity uses or maintains an electronic health record with respect to protected health information of an individual, that individual has a right to obtain a copy of such information in an electronic format and, if the individual chooses, to direct the covered entity to transmit such copy directly to an entity or person designated by the individual, provided that any such choice is clear, conspicuous, and specific. Furthermore, subject to 45 C.F.R § 164.524(c)(4), any fee that the covered entity may impose for providing such individual with a copy of such information (or a summary or explanation of such information) shall not be greater than the entity’s labor costs in responding to the request for the copy (or summary or explanation).

 

Accounting of Certain PHI Disclosures Required if Covered Entity Uses Electronic Health Records

The Stimulus Bill states that if a covered entity uses or maintains an electronic health record (“EHR”), an individual will have the right to receive an accounting of any disclosures of PHI related to the EHR during the three years prior to the date of the request. HIPAA currently states that patients have the right to receive an “accounting” of certain uses and disclosures of PHI for six years prior to the date of the accounting request. However, covered entities are not required to render an accounting of uses and disclosures made for treatment, payment, or healthcare operation purposes. The new law would require a covered entity or business associate to account for any disclosure from an EHR including those disclosures for treatment, payment, or healthcare operations.

An electronic health record is defined as an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff. HHS has been instructed to promulgate regulations on what disclosures must be included in an accounting of EHR disclosures and what information must be collected about each disclosure. The regulations must account for the interests of patients as well as the administrative cost and burden of accounting for such disclosures. A covered entity will be able to charge a reasonable fee on an individual for an accounting from an EHR. For covered entities that currently have EHRs, this new requirement will apply to disclosures made on or after January 1, 2014. The Secretary may set a later effective date if necessary.

 

Prohibition of the Sale of Electronic Health Records or PHI

The Stimulus Bill prohibits a covered entity or business associate from directly or indirectly receiving remuneration in exchange for any protected health information of an individual unless the covered entity obtained from the individual, in accordance with section 45 C.F.R. 164.508, a valid authorization that includes, in accordance with such section, a specification of whether the protected health information can be further exchanged for remuneration by the entity receiving protected health information of that individual.

Exceptions:

  1. The purpose of the exchange is for public health activities (as described in 45 C.F.R § 164.512(b)).

  2. The purpose of the exchange is for research (as described in 45 C.F.R §§ 164.501 and 164.512(i)) and the price charged reflects the costs of preparation and transmittal of the data for such purpose.

  3. The purpose of the exchange is for the treatment of the individual, subject to any regulation that the Secretary of HHS may promulgate to prevent protected health information from inappropriate access, use, or disclosure.

  4. The purpose of the exchange is the health care operation specifically described in subparagraph (iv) of paragraph (6) of the definition of healthcare operations in 45 C.F.R. § 164.501.

  5. The purpose of the exchange is for remuneration that is provided by a covered entity to a business associate for activities involving the exchange of protected health information that the business associate undertakes on behalf of and at the specific request of the covered entity pursuant to a business associate agreement.

  6. The purpose of the exchange is to provide an individual with a copy of the individual’s protected health information pursuant to 45 C.F.R. § 164.524.

  7. The purpose of the exchange is otherwise determined by the Secretary of HHS in regulations to be similarly necessary and appropriate as the exceptions provided in sections (1) through (7).

HHS is authorized to create additional exceptions and must issue regulations related to this prohibition within 18 months of the enactment of the Stimulus Bill.

 

Clarification of Application of Wrongful Disclosures Criminal Penalties

The Stimulus Bill amends Section 1177(a) of the Social Security Act (42 U.S.C. 1320d–6(a)) by making it clear that obtaining or disclosing PHI “without authorization” is also an offense of “wrongful disclosure of individually identifiable health information.” Previously, a person who knowingly (1) uses or causes to be used a unique health identifier, (2) obtains individually identifiable health information relating to an individual, or (3) discloses individually identifiable health information to another person could be punished with a fine and imprisonment. The Stimulus Bill adds to the provision that “a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity . . . and the individual obtained or disclosed such information without authorization.”

 

Temporary Breach Notification Requirement for Vendors of Personal Health Records (“PHR”) and Other Non-HIPAA Covered Entities

Under the Stimulus Bill, vendors of personal health records and other entities that access PHR identifiable health information (and that are not covered entities or business associates) must notify certain individuals in the event of a breach. After a breach is discovered, the entity must notify each individual who is a citizen of the United States whose unsecured PHR identifiable health information was acquired by an unauthorized person as a result of the security breach. Furthermore, the entity must notify the Federal Trade Commission of the breach.

Any third party service provider that provides services to a vendor of personal health records or other such entity must notify the vendor or entity of the breach. The same timeliness, method, and content requirements that apply to covered entities and business associates apply to vendors of personal health records and third party service providers described in this section.

A violation of this notification requirement will be treated as an unfair and deceptive act or practice in violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)). The Federal Trade Commission will promulgate regulations within 180 days of the Stimulus Bill’s enactment.

 

Improved Enforcement

The Stimulus Bill clarifies and increases enforcement and penalties related to the Privacy and Security Rules. The Stimulus Bill:

  • Makes clear that, in addition to the covered entity itself, employees or other individuals are subject to criminal penalties;

  • Requires HHS to formally investigate any complaints and impose civil penalties for violation of the rules due to "willful neglect";

  • Requires that any civil monetary penalty or settlement amount collected as a result of a privacy or security rule violation be transferred to the Office for Civil Rights to be used for enforcement of the HIPAA privacy and security rules;

  • Requires the Secretary to establish a methodology to distribute a percentage of the civil monetary penalties collected to individuals harmed by the violation;

  • Gives state attorneys general the authority to bring suit in federal district court, on behalf of state residents, against any person violating the rules, to enjoin further violation or to obtain damages on behalf of such residents. Statutory damages are determined by multiplying the number of violations by up to $100, not to exceed $25,000 in a calendar year for violations of identical requirements or prohibitions. In addition, the court may award attorney fees to the state. The Secretary of HHS has the right to intervene in such actions;

  • Establishes a tiered system of civil monetary penalties, from $100 for unknowing violations up to $50,000 for each violation due to willful neglect. The Secretary of HHS retains discretion to determine the amount of a penalty for a violation; and

  • Requires the Secretary of HHS to conduct periodic audits to ensure covered entity and business associate compliance with the privacy and security rules.


Baton Rouge | Birmingham | Houston | Jackson | Memphis | Mobile | Nashville | New Orleans | Washington, DC

www.adamsandreese.com

This is not an advertisement. The information in this newsletter does not constitute legal advice or opinion and should not be viewed as a substitute for legal advice. The information provided is based on laws and regulations in effect at the time of creation and is subject to change. Adams and Reese is a multidisciplinary law firm with over 250 attorneys and advisors. The firm has offices in New Orleans, LA; Baton Rouge, LA; Birmingham, AL; Mobile, AL; Memphis, TN; Nashville, TN; Houston, TX; Jackson, MS; and Washington, DC.

For additional information, please visit the firm website at www.adamsandreese.com.

This newsletter is a periodic publication of Adams and Reese LLP and is intended for general purposes only. This newsletter is sent to friends and clients of Adams and Reese LLP. The sending of this newsletter is not a privileged communication and does not create a lawyer/client relationship. No representation is made that the quality of the legal services to be performed is greater than the quality of legal services performed by other lawyers.