Originally published March 12, 2009

Keywords: American Recovery & Reinvestment Act, ARRA, Health Insurance Portability and Accountability Act, HIPAA, HITECH Act, Covered Entities, Business Associates, direct liability

The American Recovery & Reinvestment Act of 2009 (ARRA), signed into law on February 17, 2009, includes significant changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). More specifically, Title XIII of ARRA, known as the Health Information Technology for Economic and Clinical Health (HITECH) Act, greatly expands the HIPAA obligations of "Covered Entities" and "Business Associates."

Direct Liability for Business Associates in Certain Circumstances

Previously, Business Associates — persons who perform any function or activity involving the use or disclosure of Protected Health Information on behalf of a Covered Entity — were not directly liable for HIPAA violations. Instead, Business Associates had the potential for contractual liability to Covered Entities through contracts known as Business Associate Agreements. The HITECH Act now imposes direct civil and criminal penalties on Business Associates for certain security and privacy violations under HIPAA.

Under the HITECH Act, the majority of the HIPAA Security Rule now directly applies to Business Associates in the same manner as it applies to Covered Entities. For example, Business Associates will now be required to implement and maintain certain security policies and procedures, appoint a security officer and provide related training.

In addition, the HITECH Act imposes new Privacy Rule-related obligations on Business Associates. More specifically, the HITECH Act provides that Business Associates may use and disclose Protected Health Information only to the extent that such use or disclosure complies with certain requirements in Business Associate Agreements. Effectively, by way of this statutory tie to certain contractual provisions, Business Associates must directly comply with aspects of the Privacy Rule.

The HITECH Act specifically requires that Business Associate Agreements be modified to incorporate the new Security Rule and Privacy Rule requirements.

New Notification Requirements

Covered Entities and Business Associates alike will be subject to new notification requirements. For example, within 60 calendar days of discovering a breach of "unsecured" Protected Health Information (including breaches that should reasonably have been known), Covered Entities must notify:

The Secretary will post a list of each Covered Entity involved in a breach of "unsecured" Protected Health Information concerning more than 500 individuals on the Department of Health and Human Services' web site.

Enforcement Expanded to State Attorneys General

The HITECH Act empowers state attorneys general to bring civil actions in federal court for injunctive relief or statutory damages, as well as attorneys' fees, if they have "reason to believe" that "one or more of the residents of that State has been or is threatened or adversely affected" by a violator. Previously, the Secretary had the sole right to enforce HIPAA through her delegations to the Centers for Medicare & Medicaid Services (Security) and the Office for Civil Rights (Privacy).

Increased Penalties and Compensation for Harmed Individuals

The new legislation significantly increases the existing civil monetary penalties for each violation. Civil penalties now generally range from $100 to $50,000 per violation, with caps of $25,000 to $1.5 million for all violations of a single requirement in a calendar year. The severity of the penalties is based upon the violator's knowledge: from no knowledge of the violation (where, by exercising reasonable diligence, the violator would not have known), to reasonable cause for the violation, to willful neglect. The Secretary is required to impose penalties for "willful neglect" violations. Within three years of the HITECH Act, the Secretary must establish, via regulation, a methodology for providing a percentage of any civil monetary penalty or monetary settlement collected with respect to such offense to any harmed individual.

Effective Date

The effective dates for the HITECH Act changes to HIPAA vary. For example, the increased penalty provisions are effective immediately. In contrast, other provisions will be effective within a year of the legislation (i.e., February 2010) or after related regulations are published.

There are many other provisions of the HITECH Act that will affect the HIPAA obligations of Covered Entities and/or Business Associates.
This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Copyright 2009. Mayer Brown LLP, Mayer Brown International LLP, and/or JSM. All rights reserved.