Stimulus Bill Expands HIPAA Privacy Law

Date: 05/28/2009
Author(s): Jennifer Sullivan, Ranmali Bopitiya

On February 17, 2009, President Obama signed the American Recovery and Reinvestment Act (otherwise known as the "Stimulus Bill") into law. Embedded in the lengthy Stimulus Bill is the Health Information Technology for Economic and Clinical Health Act ("HITECH Act") which significantly expands the scope of HIPAA. Many of the law’s new HIPAA requirements take effect at the beginning of 2010, so providers and other covered entities should begin planning for compliance now.

Business Associate Agreements

Currently, health care providers and other covered entities under HIPAA ("covered entities") must enter into written agreements with their business associates. These agreements create a contractual obligation on the part of the business associate to satisfy certain HIPAA requirements; the business associate itself is not directly regulated. Under the HITECH Act, business associates will be directly required by law to comply with most of the administrative, physical, technical and procedural safeguards of HIPAA. As a result, the compliance obligations and potential liability of a business associate will be substantially expanded. Health care providers and other covered entities must amend their existing business associate agreements to reflect these expanded obligations by February 16, 2010.

Breach Notification

Under the new law, providers and other covered entities who discover a "breach" in the privacy or security of unsecured protected health information ("PHI") must notify each affected individual in writing. This mandatory notification requirement is not conditioned upon the type of health information involved in the breach or on any showing of risk of harm to individuals. Both external breaches and unauthorized internal access must be reported. This means, for example, that a hospital would have to notify a patient if a "curious" nurse read that patient's medical record without proper authority. Providers and other covered entities must keep a log of all such breaches and submit it annually to the Department of Health and Human Services ("HHS"). If a covered entity has a breach that affects five hundred or more individuals, then it must take the additional steps of notifying prominent local media outlets and notifying HHS, and HHS will post the breach, identifying the covered entity, on a public website.

Business associates will be required to report privacy and security breaches to the covered entity. To facilitate their own compliance with notification timelines, covered entities may want to include specific reporting deadlines and criteria in their business associate agreements.

On April 17, 2009, HHS published guidance and requested comment regarding what constitutes "unsecured PHI." The guidance enumerates the methods (encryption and destruction) that render PHI "unusable, unreadable, or indecipherable" to unauthorized persons. PHI protected by one of these methods is not "unsecured." If a covered entity or business associate adheres to the methods laid out in this guidance, it is effectively protected by a safe harbor: should a breach of that PHI occur, it is not required to issue a breach notification.

HHS is required to issue interim final regulations within 180 days after the enactment date of the new law (that is, by August 16, 2009). The new notification requirements will take effect thirty days after HHS publishes the interim final regulations. Since the actual deadline for compliance will not be known until the regulations are issued, covered entities should watch for these regulations over the next several months.

Accounting and Access Requirements

The new law creates additional obligations for covered entities using an electronic health record ("EHR"). Providers must now account for every disclosure of EHR information made for the purpose of "treatment, payment, or health care operations" during the three years prior to the request for an accounting. Such disclosures were previously exempt from the accounting requirement. This means that a hospital, for example, must track and record each time that electronic patient data is sent to a physician practice or to a billing service. However, internal use of the EHR need not be accounted for. The individual's right to access his/her information is also expanded by the new law. For those providers who acquire an EHR after January 1, 2009, the accounting requirement becomes effective January 1, 2011, or the date the EHR is acquired, whichever is later. Providers who already had an EHR in place as of January 1, 2009 have until January 1, 2014 to come into compliance. Providers should speak with their EHR vendors about forthcoming updates to their systems.

Other Changes

The HITECH Act includes other substantive changes to HIPAA. These include a new provision that permits an individual to request that information about services which are paid for by the individual out of pocket, in full, not be disclosed to the individual's health plan for payment or health care operations purposes. The HIPAA marketing provisions have been changed to require an authorization for marketing communications if the covered entity receives direct or indirect payment for the communication. The new law also requires covered entities, when applying the "minimum necessary" standard, to limit a use or disclosure of PHI, to the extent practicable, to a limited data set (defined as PHI which excludes direct identifiers). Although a limited data set will not be appropriate in many cases, covered entities will need to incorporate this determination into their HIPAA compliance programs.

Increased Enforcement

The HITECH Act also ratchets up HIPAA enforcement. HHS is now required to formally investigate complaints and breaches that may have resulted from willful neglect. In addition, state attorneys general are now authorized to file HIPAA violation suits on behalf of state residents. Civil monetary penalties have been increased, up to a maximum of 1.5 million dollars per calendar year for violations of an identical provision. Criminal penalties have been expanded to cover individuals, including employees, who obtain or disclose PHI without authorization. Providers can also look forward to periodic HIPAA compliance audits by HHS.

Given the emphasis placed on enforcement in the Act, providers are advised to update their policies and procedures to ensure compliance with the new law.

Compliance Schedule

If HHS publishes regulations within the timelines set by the HITECH Act, covered entities will have to comply with the Act's breach notification requirements before the end of 2009. Compliance with many other provisions of the new law, including the provisions relating to business associate agreements, will be required by February 16, 2010 (one year after passage of the HITECH Act). Providers and other covered entities should take steps to modify their business associate agreements and HIPAA policies and train their staff as needed to meet these deadlines. Additional time is provided for compliance with the access and accounting requirements relating to EHR information, as described above.

Additional Information

To review the full text of the HITECH Act, use the link listed here. The Act begins on page 112.
http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=111_cong_bills&docid=f:h1enr.txt.pdf

For additional information, contact Jennifer Sullivan or Ranmali Bopitiya at jsullivan@celaw.com or rbopitiya@celaw.com, respectively.

Phone: 303-443-8010
Fax: 303-440-3967
One Boulder Plaza, 1800 Broadway, Suite 200
Boulder, CO 80302-5289
© Caplan and Earnest LLC